
Can't access desktop. Fbi moneypack virus?


  • This topic is locked
42 replies to this topic

#1 alexander.bautista

  • Members
  • 21 posts

Posted 19 October 2014 - 05:27 PM

Hi there. About a week ago my antivirus (Avira) detected a trojan.agent.ed after installing a "codec", but it did not remove it. I ran Malwarebytes and it detected lots of extra Trojans. Once I restarted my computer I cannot access the desktop anymore. If I try to start in Safe Mode or Safe Mode with Networking it automatically restarts my computer. I already read this one:

http://www.bleepingcomputer.com/forums/t/488912/cant-access-desktop/

And later this one:

http://www.bleepingcomputer.com/forums/t/485293/fbi-moneypak-virus/

That is why I think I'm infected with this malware and most probably with a group of others as well.

I need help to get around this problem. Please tell me what to do.

Thanks in advance.

#2 xXToffeeXx

  • Malware Response Instructor
  • 6,086 posts

Posted 21 October 2014 - 10:00 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

==========================
 
Hi alexander.bautista,
 
You cannot access the desktop, but there is no FBI/police ransomware screen, correct?
 
What operating system is the infected computer?
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 alexander.bautista

  • Topic Starter

Posted 21 October 2014 - 12:44 PM

Hi Toffee, thanks for your quick and gentle response. The instructions are clear.

You're right. There is no FBI/police screen. I can access my computer but not the desktop (green screen). I am able to execute tasks through the Task Manager, like the command line, or start some programs. I can't execute Explorer or related tasks.
The OS is Windows 7 Ultimate x64.

#4 xXToffeeXx

Posted 21 October 2014 - 02:34 PM

Hi alexander.bautista,
 
Thank you for that clarification. Let's have a look using this tool:
 
FRST Scan from RECOVERY Environment on Vista, 7, and 8:
 
On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: If you cannot enter System Recovery Options using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 
 
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========
 
On the System Recovery Options menu you will get the following options:
 
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

 
Select Command Prompt
 
==========
 
 
Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

xXToffeeXx~


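An added example, not part of this thread and not FRST's own code: a small Python triage script for the Registry section of the FRST.txt that the procedure above produces. It parses constructed sample lines (made up for this example, laid out the way FRST prints Run/RunOnce values, the Command Processor AutoRun value and Startup-folder shortcuts) and flags the warning signs an analyst looks for before writing a fixlist: a script host such as regsvr32.exe registered as the autorun, publisher metadata that does not match the file, a bare filename resolved through PATH, executables under AppData or ProgramData, entries whose file metadata the scan could not read, a cmd.exe AutoRun value, and a Startup shortcut whose target is gone. The value names, paths, publishers and severity thresholds are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the layout FRST uses for the Registry section of
# FRST.txt. Every name, path, size, date and publisher is made up for this
# example; nothing here is copied from a real scan.
SAMPLE_FRST = r"""
HKLM\...\Run: [VendorUpdater] => C:\Program Files\Vendor\Updater.exe [500208 2010-03-06] (Vendor Inc.)
HKLM-x32\...\Run: [] => [X]
HKU\Alice\...\Run: [Messenger] => C:\Program Files (x86)\Messenger\Messenger.exe [22041192 2014-08-27] (Messenger Ltd)
HKU\Alice\...\Run: [Qzxwork] => C:\Windows\SysWOW64\regsvr32.exe [22041192 2014-08-27] (Messenger Ltd)
HKU\Alice\...\Run: [Vbnmtion] => regsvr32.exe [22041192 2014-08-27] (Messenger Ltd)
HKU\Alice\...\Run: [Ghjktion] => C:\Users\Alice\AppData\Local\Ghjktion\tmp1A2B.exe
HKU\Alice\...\Run: [cmdkey] => "C:\Users\Alice\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
HKU\Alice\...\Command Processor: "C:\Users\Alice\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe" <===== ATTENTION!
Startup: C:\Users\Alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmdkey.lnk
ShortcutTarget: cmdkey.lnk ->  (No File)
Startup: C:\Users\Alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dock.lnk
ShortcutTarget: Dock.lnk -> C:\Program Files\Vendor\Dock.exe (Vendor Inc.)
"""

RUN_RE = re.compile(r'^(?P<location>HK.*?\\\.\.\.\\(?:Run|RunOnce)): \[(?P<name>[^\]]*)\] => (?P<rest>.*)$')
# FRST appends "[size date] (publisher)" when it could read the file; both are absent when it could not.
META_RE = re.compile(r'^(?P<path>.*?)\s*(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?'
                     r'\s*(?:\((?P<company>[^()]*)\))?\s*$')
CMDPROC_RE = re.compile(r'^(?P<location>HK.*?\\\.\.\.\\Command Processor): (?P<rest>.*)$')
SHORTCUT_RE = re.compile(r'^ShortcutTarget: (?P<name>.+?) ->\s*(?P<rest>.*)$')

# Script/loader hosts that malware registers instead of its own binary (assumed list).
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe"}
# Names of genuine Windows binaries that malware reuses outside the Windows directory (assumed list).
WINDOWS_NAMES = {"cmdkey.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    severity: str       # "high" or "medium"
    location: str       # registry location or Startup folder
    name: str           # value name or .lnk name
    path: str
    reasons: List[str]


def _basename(path: str) -> str:
    """Last path component without any trailing command-line arguments."""
    tokens = path.rsplit("\\", 1)[-1].split()
    return tokens[0].lower() if tokens else ""


def assess_run_entry(location: str, name: str, rest: str) -> Optional[Finding]:
    """Apply the autorun heuristics to one Run/RunOnce value; None means unremarkable."""
    m = META_RE.match(rest)
    path = m.group("path").strip().strip('"')
    company = m.group("company")
    if path in ("", "[X]"):            # empty or dead value: nothing runs
        return None
    base = _basename(path)
    in_system_root = re.match(r"^[a-z]:\\windows\\", path.lower()) is not None
    reasons = []
    if base in LOLBINS:
        reasons.append(f"{base} is a Windows script/loader host, not a program of its own")
        if company and "microsoft" not in company.lower():
            reasons.append(f"publisher '{company}' does not belong to a Windows binary (metadata reused from another entry?)")
    if base in WINDOWS_NAMES and not in_system_root:
        reasons.append(f"{base} is the name of a Windows binary but lives outside the Windows directory")
    if "\\" not in path:
        reasons.append("relative path: resolved through PATH at logon, so a planted copy wins")
    if any(d in path.lower() for d in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    if m.group("size") is None and company is None:
        reasons.append("scan recorded no size/date/publisher: file metadata could not be read")
    if not reasons:
        return None
    return Finding("high" if len(reasons) >= 2 else "medium", location, name, path, reasons)


def assess_command_processor(location: str, rest: str) -> Finding:
    """Any cmd.exe AutoRun value is worth a look: it runs whenever cmd.exe starts without /D."""
    path = rest.split("<=====")[0].strip().strip('"')
    return Finding("high", location, "AutoRun", path,
                   ["cmd.exe AutoRun: executes each time a command prompt or batch script starts"])


def assess_shortcut(name: str, rest: str) -> Optional[Finding]:
    """A Startup .lnk whose target is gone is leftover persistence that still needs removing."""
    if rest.startswith("(No File)"):
        return Finding("medium", "Startup folder", name, "",
                       ["dangling Startup shortcut: target already gone, the .lnk remains"])
    return None


def triage(frst_text: str) -> List[Finding]:
    """Walk the Registry section line by line and collect findings in log order."""
    findings: List[Finding] = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            f = assess_run_entry(m["location"], m["name"], m["rest"])
        elif (m := CMDPROC_RE.match(line)):
            f = assess_command_processor(m["location"], m["rest"])
        elif (m := SHORTCUT_RE.match(line)):
            f = assess_shortcut(m["name"], m["rest"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"[{f.severity.upper():6}] {f.location} [{f.name}] -> {f.path or '(no file)'}")
        for r in f.reasons:
            print(f"          - {r}")
```

Run it directly to print the findings for the sample, or pass the text of a real FRST.txt to triage() to get the same list. The output is a review queue, not a verdict: a legitimate updater can also live under ProgramData, and an entry with no recorded metadata can simply mean the file no longer exists, which is why the original entries (and the FRST "ATTENTION!" markers) still get read by a person before anything goes into a fixlist.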


#5 alexander.bautista

  • Topic Starter

Posted 21 October 2014 - 04:56 PM

Hi Toffee, this is the FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-10-2014 01
Ran by SYSTEM on MININT-FRP06FK on 18-10-2014 20:31:22
Running from h:\
Platform: Windows 7 Ultimate (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [QuickSet] => C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1822504 2009-08-24] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-01-21] (IDT, Inc.)
HKLM\...\Run: [Windows Mobile Device Center] => C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [IntelliType Pro] => C:\Program Files\Microsoft Device Center\itype.exe [1464928 2012-06-26] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft Device Center\ipoint.exe [2004584 2012-06-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [85160 2009-06-17] (Elaborate Bytes AG)
HKLM-x32\...\Run: [Google Desktop Search] => C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2011-05-10] (Google)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641664 2012-04-05] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [10752 2012-02-20] ()
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [703736 2014-10-15] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [NVC] => C:\Program Files (x86)\Nortel\Nortel VPN Client\Nvc.exe [1762640 2009-08-20] (Nortel Networks)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-01] (Apple Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1679360 2012-02-28] (Wondershare)
HKLM-x32\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Player\DelayPluginI.exe [1960008 2013-09-28] ()
HKLM-x32\...\Run: [DellNetExtender] => C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEGui.exe [1293824 2014-06-10] (Dell Inc.)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [165168 2014-09-23] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-10-01] (Malwarebytes Corporation)
HKU\Alexander\...\Run: [Google Update] => C:\Users\Alexander\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-04-17] (Google Inc.)
HKU\Alexander\...\Run: [Akamai NetSession Interface] => C:\Users\Alexander\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)
HKU\Alexander\...\Run: [Easy ShutDown] => C:\Program Files (x86)\Easy ShutDown\EasyShutDown.exe :silent
HKU\Alexander\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22734160 2014-08-08] (Google)
HKU\Alexander\...\Run: [GoogleChromeAutoLaunch_ADE45C68FEF2280A34B6F5DB75C94C09] => C:\Users\Alexander\AppData\Local\Google\Chrome\Application\chrome.exe [854344 2014-10-09] (Google Inc.)
HKU\Alexander\...\Run: [Spotify Web Helper] => C:\Users\Alexander\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-09] (Spotify Ltd)
HKU\Alexander\...\Run: [Spotify] => C:\Users\Alexander\AppData\Roaming\Spotify\Spotify.exe [6553144 2014-10-09] (Spotify Ltd)
HKU\Alexander\...\Run: [OpenDNS Updater] => C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe [839680 2010-06-16] ()
HKU\Alexander\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Adcworks] => C:\Windows\SysWOW64\regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Endtion] => regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Edkgtion] => C:\Users\Alexander\AppData\Local\Edkgtion\tmp9B1D.exe
HKU\Alexander\...\Run: [cmdkey] => "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
HKU\Alexander\...\RunOnce: [cmdkey] => "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
HKU\Alexander\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_15_0_0_152_Plugin.exe [854192 2014-09-10] (Adobe Systems Incorporated)
HKU\Alexander\...\RunOnce: [Report] => C:\AdwCleaner\AdwCleaner[S1].txt [1069 2014-10-18] ()
HKU\Alexander\...\RunOnce: [Application Restart #0] => C:\Program Files\Internet Explorer\iexplore.exe [810680 2014-10-06] (Microsoft Corporation)
HKU\Alexander\...\Policies\Explorer: [Run] 
HKU\Alexander\...\Command Processor: "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe" <===== ATTENTION!
AppInit_DLLs: acaptuser64.dll => C:\Windows\system32\acaptuser64.dll [119160 2008-06-11] (Adobe Systems, Inc.)
AppInit_DLLs-x32: acaptuser32.dll => "acaptuser32.dll" File Not Found
Startup: C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmdkey.lnk
ShortcutTarget: cmdkey.lnk ->  (No File)
Startup: C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-10-15] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-10-15] (Avira Operations GmbH & Co. KG)
S2 ANTS Memory Profiler 5 Service; C:\Program Files\Red Gate\ANTS Memory Profiler 5\RedGate.Memory.IISService.exe [8704 1999-12-31] (Red Gate Software Ltd.)
S3 ANTS Performance Profiler 5 Service; C:\Program Files\Red Gate\ANTS Performance Profiler 5\RedGate.Profiler.IISService.exe [9728 1999-12-31] (Red Gate Software Ltd.)
S2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [160560 2014-09-23] (Avira Operations GmbH & Co. KG)
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [393080 2012-12-05] (BlueStack Systems, Inc.)
S4 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [384888 2012-12-05] (BlueStack Systems, Inc.)
S3 c2wts; C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [15768 2010-02-02] (Microsoft Corporation)
S2 Crypkey License; C:\Windows\system32\crypserv.exe [126976 2009-05-29] (CrypKey (Canada) Ltd.)
S3 FortiSslvpnDaemon; C:\Windows\SysWOW64\FortiSSLVPNdaemon.exe [830056 2011-10-14] (Fortinet Inc.)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.0\App Certification Kit\fussvc.exe [139776 2012-07-25] (Microsoft Corporation)
S3 GoogleDesktopManager-051210-111108; C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2011-05-10] (Google)
S3 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company)
S2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
S3 MsDtsServer100; C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [220832 2014-07-12] (Microsoft Corporation)
S2 MSMQ; C:\Windows\system32\mqsvc.exe [9216 2009-07-13] (Microsoft Corporation)
S3 MSSQL$NEWSQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10_50.NEWSQLEXPRESS\MSSQL\Binn\sqlservr.exe [62379184 2014-07-10] (Microsoft Corporation)
S3 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57820696 2008-07-10] (Microsoft Corporation)
S3 MSSQLFDLauncher; C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [34840 2008-07-10] (Microsoft Corporation)
S3 MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [58387104 2014-07-12] (Microsoft Corporation)
S3 MSSQLServerOLAPService; C:\Program Files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\bin\msmdsrv.exe [43801448 2011-09-22] (Microsoft Corporation)
S4 msvsmon90; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe [4737024 2008-07-29] (Microsoft Corporation)
S2 NvcSvcMgr; C:\Program Files (x86)\Nortel\Nortel VPN Client\NvcSvcMgr.exe [615776 2009-08-20] (Nortel Networks)
S3 OpenVPNService; C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe [36352 2010-11-08] ()
S3 ReportServer; C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2084712 2011-09-22] (Microsoft Corporation)
S3 Simplexity.CerrejonHWD.ClientFileWatcher; C:\Program Files (x86)\Microsoft SDKs\Microsoft Sync Framework\2.1\Samples\FileSyncProviderManagedSample\CS\WindowsService1\bin\Release\Simplexity.CerrejonHWD.ClientFileWatcher.exe [15872 2013-10-08] ()
S3 Simplexity.CerrejonHWD.HwdFileWatcher; E:\Soluciones\CerrejonHWD\Source\Services\Win\Simplexity.CerrejonHWD.WinServiceFileWatcher\bin\Debug\Simplexity.CerrejonHWD.HwdFileWatcher.exe [7168 2013-10-08] (Simplexity S.A.)
S2 Simplexity.Scales.Service; C:\Program Files (x86)\Simplexity\Scales Service\Services.Main.exe [30208 2014-06-09] ()
S2 Simplexity.Scales.Updater; C:\Program Files (x86)\Simplexity\Scales Service\Service.Updater.exe [11776 2014-01-09] ()
S3 Simplexity.T9VideoServer.FileWatcher; E:\Soluciones\T9_Current\VideoServer\Services.Win.FileWatcher\bin\Debug\Services.Win.FileWatcher.exe [11776 2011-08-04] (Microsoft)
S3 Simplexity.T9VideoServer.VideoService; E:\Soluciones\T9_Current\VideoServer\Services.Win.VideoServer\bin\Debug\Services.Win.VideoServer.exe [12288 2011-08-04] (Microsoft)
S3 Simplexity.Win.SendMessages; C:\Program Files (x86)\Default Company Name\Setup\Services.Win.SendMessages.exe [9728 2014-02-19] ()
S2 SONICWALL_NetExtender; C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEService64.exe [598528 2014-06-10] (Dell Inc.)
S4 SQLAgent$NEWSQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10_50.NEWSQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [442536 2014-07-10] (Microsoft Corporation)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [430616 2008-07-10] (Microsoft Corporation)
S3 SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE [441504 2014-07-12] (Microsoft Corporation)
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe [244736 2010-01-21] (IDT, Inc.)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [126976 2012-07-25] (Microsoft Corporation)
S2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
S2 T9ViaMainService; "C:\Program Files (x86)\Simplexity\T9Via\Services.Win.Main.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-15] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-15] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-10] (Avira Operations GmbH & Co. KG)
S2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [71032 2012-12-05] (BlueStack Systems)
S3 ctxva51; C:\Windows\System32\DRIVERS\ctxva51.sys [45720 2010-03-12] (Citrix Systems, Inc.)
S3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
S1 EterlogicVirtualSerialDriver; C:\Windows\system32\drivers\VSPE.sys [40928 2013-12-09] ()
S2 IntelHaxm; C:\Windows\System32\DRIVERS\IntelHaxm.sys [85008 2012-05-22] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
S3 MQAC; C:\Windows\System32\drivers\mqac.sys [189440 2009-07-13] (Microsoft Corporation)
S1 NetworkX; C:\Windows\system32\ckldrv.sys [29688 2009-06-12] ()
S2 npdrv; C:\Windows\system32\drivers\npdrv.sys [62232 2012-11-23] (Moxa Inc. )
S2 npdrvfilter; C:\Windows\system32\drivers\npdrvfilter.sys [43288 2012-11-23] (Moxa Inc. )
S3 NT_NvcA; C:\Windows\System32\DRIVERS\ntnvca.sys [44112 2009-08-06] (Nortel Networks)
S2 nvcwfpco; C:\Windows\System32\DRIVERS\nvcwfpco.sys [77904 2009-08-06] (Nortel Networks Corporation)
S3 NxDrv; C:\Windows\System32\DRIVERS\NxDrv.sys [24264 2014-02-13] (SonicWALL Inc.)
S3 pppop; C:\Windows\System32\DRIVERS\pppop64.sys [42528 2009-07-21] (Fortinet Inc.)
S4 RsFx0153; C:\Windows\System32\DRIVERS\RsFx0153.sys [322736 2014-07-10] (Microsoft Corporation)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [113704 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [19496 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [152616 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [133160 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [34856 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [128552 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [145960 2008-10-21] (MCCI Corporation)
S1 vmm; C:\Windows\SysWOW64\Drivers\vmm.sys [147192 2003-12-18] (Microsoft Corporation)
S3 vna_ap; C:\Windows\System32\DRIVERS\vnaap.sys [161256 2011-09-14] (Check Point Software Technologies)
S3 VSPerfDrv110; C:\Program Files (x86)\Microsoft Visual Studio 11.0\Team Tools\Performance Tools\x64\VSPerfDrv110.sys [70264 2012-07-13] (Microsoft Corporation)
S5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [59904 2009-07-13] (Microsoft Corporation)
S3 WsAudioDevice_383S(1); C:\Windows\System32\drivers\WsAudioDevice_383S(1).sys [29288 2013-05-30] (Wondershare)
S2 CP_OMDRV; No ImagePath
S3 DFUBTUSB; System32\Drivers\frmupgr.sys [X]
S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S2 VNASC; No ImagePath
S3 xpvcom; System32\Drivers\xpvcom.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-17 19:42 - 2014-10-17 19:42 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-10-17 19:40 - 2014-10-17 19:40 - 00002752 _____ () C:\Users\Alexander\Desktop\JRT.txt
2014-10-17 19:32 - 2014-10-17 19:32 - 00000000 ____D () C:\Windows\ERUNT
2014-10-17 19:31 - 2014-10-17 19:31 - 01705698 _____ (Thisisu) C:\Users\Alexander\Downloads\JRT.exe
2014-10-17 19:19 - 2014-10-18 14:39 - 00000000 ____D () C:\AdwCleaner
2014-10-17 19:18 - 2014-10-17 19:18 - 01976320 _____ () C:\Users\Alexander\Downloads\AdwCleaner.exe
2014-10-17 18:23 - 2014-10-17 18:23 - 00000000 _____ () C:\autoexec.bat
2014-10-17 18:22 - 2014-10-17 18:54 - 00002268 _____ () C:\Users\Alexander\Desktop\SpyHunter.lnk
2014-10-17 18:22 - 2014-10-17 18:22 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-10-17 18:21 - 2014-10-17 18:54 - 00000000 ____D () C:\Windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
2014-10-17 17:43 - 2014-10-17 17:43 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Alexander\Downloads\SpyHunter-Installer.exe
2014-10-17 17:41 - 2014-10-18 14:49 - 00000468 _____ () C:\Windows\Tasks\RegCure Pro Startup.job
2014-10-17 17:41 - 2014-10-18 06:15 - 00000571 _____ () C:\Windows\Tasks\RegCure Pro_sch_DF0C3A8B-5667-11E4-81E6-FB570FCA6973.job
2014-10-17 17:41 - 2014-10-17 19:25 - 00000450 _____ () C:\Windows\Tasks\ParetoLogic Update Version3_triggeronce.job
2014-10-17 17:41 - 2014-10-17 17:41 - 00004020 _____ () C:\Windows\System32\Tasks\RegCure Pro_sch_DF0C3A8B-5667-11E4-81E6-FB570FCA6973
2014-10-17 17:41 - 2014-10-17 17:41 - 00002936 _____ () C:\Windows\System32\Tasks\ParetoLogic Update Version3_triggeronce
2014-10-17 17:41 - 2014-10-17 17:41 - 00002630 _____ () C:\Windows\System32\Tasks\RegCure Pro Startup
2014-10-17 17:41 - 2014-10-17 17:41 - 00001156 _____ () C:\Users\Alexander\Desktop\RegCure Pro.lnk
2014-10-17 17:40 - 2014-10-17 17:40 - 06808688 _____ (ParetoLogic, Inc.) C:\Users\Alexander\Downloads\RegCureProSetup.exe
2014-10-17 17:39 - 2014-10-17 17:39 - 00001205 _____ () C:\Users\Alexander\Downloads\FixNCR.reg
2014-10-17 16:44 - 2014-10-17 16:46 - 00114282 _____ () C:\Users\Alexander\Desktop\Addition.txt
2014-10-17 16:43 - 2014-10-18 20:31 - 00000000 ____D () C:\FRST
2014-10-17 16:43 - 2014-10-17 16:46 - 00061376 _____ () C:\Users\Alexander\Desktop\FRST.txt
2014-10-17 15:57 - 2014-10-17 20:10 - 00000000 ____D () C:\a7ad6b7bc95de563ef8fb20b432d8f42
2014-10-17 13:09 - 2014-10-09 18:05 - 00507392 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
2014-10-17 13:09 - 2014-10-09 18:05 - 00276480 _____ (Microsoft Corporation) C:\Windows\System32\generaltel.dll
2014-10-17 13:09 - 2014-10-09 18:00 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
2014-10-17 13:09 - 2014-10-06 18:54 - 00378552 _____ (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2014-10-17 13:09 - 2014-10-06 18:04 - 00331448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-10-17 13:09 - 2014-09-28 16:58 - 03198976 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-10-17 13:09 - 2014-09-25 14:50 - 13619200 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-10-17 13:09 - 2014-09-25 14:46 - 00365056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-10-17 13:09 - 2014-09-25 14:46 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-10-17 13:09 - 2014-09-25 14:46 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-10-17 13:09 - 2014-09-25 14:43 - 11807232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-10-17 13:09 - 2014-09-25 14:32 - 02017280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-10-17 13:09 - 2014-09-25 14:31 - 02108416 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-10-17 13:09 - 2014-09-18 18:25 - 23631360 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-10-17 13:09 - 2014-09-18 17:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-10-17 13:09 - 2014-09-18 17:55 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
2014-10-17 13:09 - 2014-09-18 17:44 - 17484800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-10-17 13:09 - 2014-09-18 17:41 - 02796032 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-10-17 13:09 - 2014-09-18 17:40 - 00547328 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2014-10-17 13:09 - 2014-09-18 17:40 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-10-17 13:09 - 2014-09-18 17:39 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
2014-10-17 13:09 - 2014-09-18 17:38 - 00083968 _____ (Microsoft Corporation) C:\Windows\System32\MshtmlDac.dll
2014-10-17 13:09 - 2014-09-18 17:36 - 05829632 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-10-17 13:09 - 2014-09-18 17:31 - 00051200 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-10-17 13:09 - 2014-09-18 17:30 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-10-17 13:09 - 2014-09-18 17:27 - 00595968 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-10-17 13:09 - 2014-09-18 17:26 - 00139264 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-10-17 13:09 - 2014-09-18 17:25 - 04201472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-10-17 13:09 - 2014-09-18 17:25 - 00758272 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
2014-10-17 13:09 - 2014-09-18 17:25 - 00111616 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
2014-10-17 13:09 - 2014-09-18 17:18 - 00940032 _____ (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2014-10-17 13:09 - 2014-09-18 17:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-10-17 13:09 - 2014-09-18 17:14 - 00446464 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2014-10-17 13:09 - 2014-09-18 17:06 - 00072704 _____ (Microsoft Corporation) C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-10-17 13:09 - 2014-09-18 17:02 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-10-17 13:09 - 2014-09-18 17:01 - 00195584 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-10-17 13:09 - 2014-09-18 17:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-10-17 13:09 - 2014-09-18 17:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-10-17 13:09 - 2014-09-18 17:00 - 00085504 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-10-17 13:09 - 2014-09-18 16:59 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-10-17 13:09 - 2014-09-18 16:58 - 00289280 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2014-10-17 13:09 - 2014-09-18 16:55 - 02187264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-10-17 13:09 - 2014-09-18 16:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-10-17 13:09 - 2014-09-18 16:53 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-10-17 13:09 - 2014-09-18 16:51 - 00440320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-10-17 13:09 - 2014-09-18 16:50 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-10-17 13:09 - 2014-09-18 16:49 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-10-17 13:09 - 2014-09-18 16:42 - 00731136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-10-17 13:09 - 2014-09-18 16:42 - 00710656 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-10-17 13:09 - 2014-09-18 16:40 - 01249280 _____ (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2014-10-17 13:09 - 2014-09-18 16:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-10-17 13:09 - 2014-09-18 16:33 - 02309632 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-10-17 13:09 - 2014-09-18 16:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-10-17 13:09 - 2014-09-18 16:20 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-10-17 13:09 - 2014-09-18 16:18 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-10-17 13:09 - 2014-09-18 16:14 - 01447936 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-10-17 13:09 - 2014-09-18 15:59 - 01810944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-10-17 13:09 - 2014-09-18 15:59 - 00775168 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2014-10-17 13:09 - 2014-09-18 15:53 - 01190400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-10-17 13:09 - 2014-09-18 15:52 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-10-17 13:09 - 2014-06-18 14:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\System32\dfshim.dll
2014-10-17 13:09 - 2014-06-18 14:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2014-10-17 13:09 - 2014-06-18 14:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2014-10-17 13:09 - 2014-06-18 14:23 - 00156312 _____ (Microsoft Corporation) C:\Windows\System32\mscorier.dll
2014-10-17 13:09 - 2014-06-18 14:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2014-10-17 13:09 - 2014-06-18 14:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\System32\mscories.dll
2014-10-17 13:07 - 2014-09-17 18:00 - 03241472 _____ (Microsoft Corporation) C:\Windows\System32\msi.dll
2014-10-17 13:07 - 2014-09-17 17:32 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-10-17 13:07 - 2014-09-03 21:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\rastls.dll
2014-10-17 13:07 - 2014-09-03 21:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2014-10-17 13:06 - 2014-09-12 17:58 - 00077312 _____ (Microsoft Corporation) C:\Windows\System32\packager.dll
2014-10-17 13:06 - 2014-09-12 17:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-10-17 13:06 - 2014-07-16 18:07 - 03722240 _____ (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2014-10-17 13:06 - 2014-07-16 18:07 - 01118720 _____ (Microsoft Corporation) C:\Windows\System32\mstsc.exe
2014-10-17 13:06 - 2014-07-16 18:07 - 01113088 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2014-10-17 13:06 - 2014-07-16 18:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\System32\termsrv.dll
2014-10-17 13:06 - 2014-07-16 18:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\System32\winlogon.exe
2014-10-17 13:06 - 2014-07-16 18:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\System32\winsta.dll
2014-10-17 13:06 - 2014-07-16 18:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2014-10-17 13:06 - 2014-07-16 18:07 - 00086528 _____ (Microsoft Corporation) C:\Windows\System32\TSpkg.dll
2014-10-17 13:06 - 2014-07-16 18:07 - 00022016 _____ (Microsoft Corporation) C:\Windows\System32\credssp.dll
2014-10-17 13:06 - 2014-07-16 17:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2014-10-17 13:06 - 2014-07-16 17:39 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-10-17 13:06 - 2014-07-16 17:39 - 01051136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2014-10-17 13:06 - 2014-07-16 17:39 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2014-10-17 13:06 - 2014-07-16 17:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-10-17 13:06 - 2014-07-16 17:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-10-17 13:06 - 2014-07-16 17:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2014-10-17 13:06 - 2014-07-16 17:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2014-10-14 03:32 - 2014-10-15 06:09 - 00007465 _____ () C:\Users\Alexander\Documents\MI_MotoristaTreina_OB_SYNC_CID.wsdl
2014-10-12 17:11 - 2014-10-12 17:11 - 00036898 _____ () C:\Users\Alexander\Desktop\dds.txt
2014-10-12 17:11 - 2014-10-12 17:11 - 00031980 _____ () C:\Users\Alexander\Desktop\attach.txt
2014-10-12 10:16 - 2012-11-19 16:43 - 00688992 _____ (Swearware) C:\Users\Alexander\Documents\dds.scr
2014-10-12 10:16 - 2012-11-19 16:43 - 00688992 _____ (Swearware) C:\Users\Alexander\Documents\dds.com
2014-10-11 17:08 - 2014-10-18 14:53 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-10-11 17:06 - 2014-10-15 04:49 - 00001068 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-11 17:06 - 2014-10-15 04:49 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-11 17:06 - 2014-10-01 08:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-10-11 17:06 - 2014-10-01 08:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2014-10-11 17:06 - 2014-10-01 08:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-10-11 16:54 - 2014-10-11 16:57 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Alexander\Documents\mbam-setup-2.0.2.1012.exe
2014-10-11 16:31 - 2014-10-12 09:58 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\Ecdyyr
2014-10-10 15:12 - 2014-10-10 15:12 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\TuneUp Software
2014-10-10 15:12 - 2014-10-10 15:12 - 00000000 ____D () C:\Users\Alexander\AppData\Local\TuneUp Software
2014-10-10 14:58 - 2014-10-17 13:10 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Endtion
2014-10-10 14:57 - 2014-10-17 14:35 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Edkgtion
2014-10-10 14:57 - 2014-10-10 15:13 - 00000000 ____D () C:\ProgramData\TuneUp Software
2014-10-10 14:57 - 2014-10-10 14:57 - 00000000 __SHD () C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C}
2014-10-04 19:33 - 2014-10-04 19:45 - 00014455 _____ () C:\Users\Alexander\Documents\Viaticos Cerrejon 201409.xlsx
2014-10-03 05:59 - 2014-10-02 18:52 - 00070419 _____ () C:\Users\Alexander\Documents\EstadoEquiposTags - Copy.xlsx
2014-09-30 17:51 - 2014-09-24 18:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2014-09-30 17:51 - 2014-09-24 17:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-30 11:33 - 2014-09-30 11:33 - 09601584 _____ () C:\Users\Alexander\Documents\Presentation1.rar
2014-09-30 07:16 - 2014-10-03 07:05 - 00024819 _____ () C:\Users\Alexander\Desktop\Bitacora.xlsx
2014-09-29 11:40 - 2014-10-03 09:24 - 00000000 ____D () C:\Users\Alexander\Documents\Cerrejon201409
2014-09-28 12:57 - 2014-09-29 06:18 - 09675932 _____ () C:\Users\Alexander\Documents\Presentation1.pptx
2014-09-28 12:57 - 2014-09-28 12:57 - 00000165 ____H () C:\Users\Alexander\Documents\~$Presentation1.pptx
2014-09-28 12:08 - 2014-09-28 12:08 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-09-27 18:17 - 2014-09-27 18:17 - 00045400 _____ () C:\Windows\SysWOW64\DiscHandler.exe
2014-09-24 05:41 - 2014-09-09 14:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2014-09-24 05:41 - 2014-09-09 13:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-09-23 07:12 - 2014-09-23 07:12 - 00000374 _____ () C:\Users\Alexander\Desktop\NuGet Package Explorer.appref-ms
2014-09-23 06:41 - 2014-09-23 06:41 - 00002752 _____ () C:\Users\Alexander\Documents\Simplexity.AsTrans.Portal.Models.1.0.0.nupkg
2014-09-23 06:28 - 2014-09-23 06:28 - 00006117 _____ () C:\Users\Alexander\Documents\NuGetPackageExplorer.application
2014-09-22 11:37 - 2014-09-22 11:37 - 00038751 _____ () C:\Users\Alexander\Documents\corona.SSP
2014-09-19 04:16 - 2014-09-19 04:16 - 00002076 _____ () C:\Users\Public\Desktop\SOAPSonar Personal.lnk
2014-09-19 04:14 - 2014-09-19 04:14 - 00000000 ____D () C:\Program Files (x86)\Crosscheck Networks
2014-09-18 18:07 - 2014-09-18 18:10 - 86671344 _____ (Crosscheck Networks) C:\Users\Alexander\Documents\SSHE-7.0.1.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-18 15:23 - 2010-04-17 14:11 - 01784466 _____ () C:\Windows\WindowsUpdate.log
2014-10-18 15:23 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\tracing
2014-10-18 15:14 - 2010-04-17 15:45 - 00001062 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809288525-2060546453-1245240984-1000UA.job
2014-10-18 15:11 - 2012-05-16 14:13 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-18 15:02 - 2011-01-25 18:13 - 00001042 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-18 14:55 - 2009-07-13 20:45 - 00017296 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-18 14:55 - 2009-07-13 20:45 - 00017296 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-18 14:49 - 2011-01-25 18:13 - 00001038 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-18 14:48 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\inetsrv
2014-10-18 14:45 - 2013-11-09 16:21 - 00010424 _____ () C:\Windows\error.log
2014-10-18 14:45 - 2010-05-24 07:04 - 00065536 _____ () C:\Windows\System32\Ikeext.etl
2014-10-18 14:45 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-18 14:44 - 2013-11-09 16:23 - 00021296 _____ () C:\Windows\setupact.log
2014-10-18 14:43 - 2013-11-09 16:22 - 00013122 _____ () C:\Windows\errord.log
2014-10-18 14:40 - 2013-11-09 16:22 - 00044854 _____ () C:\Windows\PFRO.log
2014-10-18 08:10 - 2010-05-20 06:16 - 00000000 ____D () C:\Users\Alexander\AppData\Local\TSVNCache
2014-10-18 08:07 - 2009-07-13 20:45 - 04953296 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-10-18 08:01 - 2014-04-30 07:36 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-10-18 07:37 - 2010-04-17 18:57 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-18 07:30 - 2010-04-17 15:45 - 00001010 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809288525-2060546453-1245240984-1000Core.job
2014-10-18 07:23 - 2013-07-17 06:54 - 00000000 ____D () C:\Windows\System32\MRT
2014-10-18 06:19 - 2010-04-17 15:31 - 103265616 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-10-17 20:10 - 2014-06-09 11:53 - 00000000 ____D () C:\users\TestCoronaSAP
2014-10-17 20:10 - 2012-08-17 15:16 - 00000000 ____D () C:\users\testcr
2014-10-17 20:10 - 2012-06-05 18:36 - 00000000 ____D () C:\users\GmServices
2014-10-17 20:10 - 2012-03-04 20:52 - 00000000 ____D () C:\users\STSWebSite
2014-10-17 20:10 - 2012-03-04 19:57 - 00000000 ____D () C:\users\ASP.NET v4.0
2014-10-17 20:10 - 2012-02-21 08:58 - 00000000 ____D () C:\users\MyService
2014-10-17 20:10 - 2011-10-21 08:29 - 00000000 ____D () C:\users\Apolo
2014-10-17 20:10 - 2011-06-29 06:59 - 00000000 ____D () C:\users\SPX_CER_RFT
2014-10-17 20:10 - 2011-03-01 04:48 - 00000000 ____D () C:\users\DefaultAppPool
2014-10-17 20:10 - 2010-07-15 15:12 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\Orbit
2014-10-17 20:10 - 2010-05-22 17:55 - 00000000 ____D () C:\users\Classic .NET AppPool
2014-10-17 20:10 - 2010-04-17 14:52 - 00000000 ____D () C:\users\Alexander
2014-10-17 20:10 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-10-17 15:15 - 2014-09-12 05:10 - 00001095 _____ () C:\Users\Public\Desktop\Avira.lnk
2014-10-17 15:15 - 2013-02-20 16:37 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-10-17 15:15 - 2012-06-20 22:06 - 00000000 ____D () C:\ProgramData\Package Cache
2014-10-17 14:52 - 2011-12-01 10:27 - 00003958 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{78B4A8F1-056C-4885-8E34-835E9BE7AB28}
2014-10-17 14:46 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\Globalization
2014-10-17 14:34 - 2014-05-16 15:26 - 00000000 ____D () C:\Program Files (x86)\EMS
2014-10-17 14:30 - 2010-04-17 19:22 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\uTorrent
2014-10-17 12:46 - 2010-04-17 20:09 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\Skype
2014-10-16 05:16 - 2010-06-25 11:25 - 00022386 _____ () C:\Users\Alexander\soapui-settings.xml
2014-10-15 09:44 - 2012-12-16 20:09 - 00000000 ____D () C:\Users\Alexander\Documents\Visual Studio 2012
2014-10-15 05:12 - 2010-05-20 09:30 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\TortoiseSVN
2014-10-15 05:00 - 2010-05-19 09:22 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\Subversion
2014-10-15 04:21 - 2013-05-13 14:52 - 00131608 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
2014-10-15 04:21 - 2013-05-13 14:52 - 00119272 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
2014-10-15 04:21 - 2013-05-13 14:52 - 00043064 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
2014-10-13 09:57 - 2014-05-29 04:49 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\Spotify
2014-10-12 10:33 - 2014-03-11 16:29 - 00000000 ___RD () C:\Users\Alexander\Google Drive
2014-10-12 10:18 - 2010-04-18 08:09 - 00000000 ____D () C:\Windows\symbols
2014-10-12 08:46 - 2014-05-29 05:11 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Spotify
2014-10-12 07:22 - 2009-07-13 20:45 - 00000000 ____D () C:\Windows\Setup
2014-10-11 19:27 - 2014-05-28 04:20 - 00000000 ____D () C:\Users\Alexander\Documents\CC corona
2014-10-11 17:06 - 2012-05-23 19:08 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-10 16:12 - 2010-05-22 17:52 - 00000000 ____D () C:\Users\Alexander\Documents\SQL Server Management Studio
2014-10-10 14:36 - 2014-05-07 11:20 - 00000000 ____D () C:\ProgramData\Wondershare Player
2014-10-04 15:29 - 2012-12-21 10:11 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-10-03 07:21 - 2010-04-18 09:14 - 01068210 _____ () C:\Windows\System32\perfh00A.dat
2014-10-03 07:21 - 2010-04-18 09:14 - 00288240 _____ () C:\Windows\System32\perfc00A.dat
2014-10-03 07:21 - 2009-07-13 21:13 - 02570196 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-03 06:30 - 2014-01-10 05:26 - 00070429 _____ () C:\Users\Alexander\Documents\EstadoEquiposTags.xlsx
2014-09-30 09:44 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-09-29 17:32 - 2010-04-27 17:52 - 00000000 ____D () C:\Windows\Minidump
2014-09-29 17:31 - 2012-10-12 03:26 - 00353784 ____N () C:\Windows\Minidump\092914-101759-01.dmp
2014-09-28 17:38 - 2013-08-27 11:37 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Paint.NET
2014-09-26 04:39 - 2011-01-08 21:48 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\vlc
2014-09-25 11:43 - 2010-04-17 20:09 - 00000000 ____D () C:\ProgramData\Skype
2014-09-25 11:42 - 2010-04-17 20:09 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-09-24 05:24 - 2012-05-16 14:13 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-09-24 05:23 - 2012-05-16 14:11 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-09-24 05:23 - 2012-03-03 21:53 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-23 07:12 - 2010-04-17 15:44 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Deployment
2014-09-23 06:29 - 2012-01-27 09:45 - 00000000 ____D () C:\Users\Alexander\AppData\Local\NuGet
2014-09-22 11:37 - 2014-09-03 10:56 - 00000870 _____ () C:\Users\Alexander\Documents\tareas septiembre.txt
2014-09-19 04:42 - 2010-04-18 08:27 - 00000000 ____D () C:\Program Files\Microsoft SQL Server
2014-09-19 04:42 - 2010-04-18 08:27 - 00000000 ____D () C:\Program Files (x86)\Microsoft SQL Server
2014-09-19 04:14 - 2010-08-05 20:58 - 00000000 ____D () C:\Program Files (x86)\Business Objects
2014-09-18 18:08 - 2014-09-14 17:29 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\tor
 
Files to move or delete:
====================
C:\Users\Alexander\SyncToy_32ef1437-913a-4a3c-941e-3908c06fdf19.dat
 
 
Some content of TEMP:
====================
C:\Users\Alexander\AppData\Local\Temp\1b4wfkv3.dll
C:\Users\Alexander\AppData\Local\Temp\1y3mgrhb.dll
C:\Users\Alexander\AppData\Local\Temp\2dbmq4gx.dll
C:\Users\Alexander\AppData\Local\Temp\2vjyrlez.dll
C:\Users\Alexander\AppData\Local\Temp\3g3ce5zh.dll
C:\Users\Alexander\AppData\Local\Temp\3owgoeut.dll
C:\Users\Alexander\AppData\Local\Temp\4mtjksxf.dll
C:\Users\Alexander\AppData\Local\Temp\4ot3jo21.dll
C:\Users\Alexander\AppData\Local\Temp\avgnt.exe
C:\Users\Alexander\AppData\Local\Temp\b2mj3irt.dll
C:\Users\Alexander\AppData\Local\Temp\bpruvzhp.dll
C:\Users\Alexander\AppData\Local\Temp\bvmwqhcm.dll
C:\Users\Alexander\AppData\Local\Temp\c5sm6k7m.dll
C:\Users\Alexander\AppData\Local\Temp\DAPREMOVE.EXE
C:\Users\Alexander\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Alexander\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Alexander\AppData\Local\Temp\enpxmxae.dll
C:\Users\Alexander\AppData\Local\Temp\ffnhyjtm.dll
C:\Users\Alexander\AppData\Local\Temp\FreemakeAudioConverter_1.1.0.54.exe
C:\Users\Alexander\AppData\Local\Temp\hexdek3l.dll
C:\Users\Alexander\AppData\Local\Temp\icjm5j1b.dll
C:\Users\Alexander\AppData\Local\Temp\j1t20m0d.dll
C:\Users\Alexander\AppData\Local\Temp\jakyux8s.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.exe
C:\Users\Alexander\AppData\Local\Temp\juvabfa4.dll
C:\Users\Alexander\AppData\Local\Temp\kogmxji4.dll
C:\Users\Alexander\AppData\Local\Temp\li5dbz2z.dll
C:\Users\Alexander\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\Alexander\AppData\Local\Temp\qckeureh.dll
C:\Users\Alexander\AppData\Local\Temp\Quarantine.exe
C:\Users\Alexander\AppData\Local\Temp\rz0ypcli.dll
C:\Users\Alexander\AppData\Local\Temp\s1e54bwa.dll
C:\Users\Alexander\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Alexander\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Alexander\AppData\Local\Temp\SHSetup.exe
C:\Users\Alexander\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Alexander\AppData\Local\Temp\snoi0wca.dll
C:\Users\Alexander\AppData\Local\Temp\sqlite3.dll
C:\Users\Alexander\AppData\Local\Temp\tg0dchdg.dll
C:\Users\Alexander\AppData\Local\Temp\toae2ipj.dll
C:\Users\Alexander\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Alexander\AppData\Local\Temp\uaa5yggg.dll
C:\Users\Alexander\AppData\Local\Temp\utt190F.tmp.exe
C:\Users\Alexander\AppData\Local\Temp\v342cru3.dll
C:\Users\Alexander\AppData\Local\Temp\v5dt5tym.dll
C:\Users\Alexander\AppData\Local\Temp\vhbpkijo.dll
C:\Users\Alexander\AppData\Local\Temp\waufrmwu.dll
C:\Users\Alexander\AppData\Local\Temp\wxfcavxb.dll
C:\Users\Alexander\AppData\Local\Temp\xuauivc4.dll
C:\Users\Alexander\AppData\Local\Temp\yf0timkv.dll
C:\Users\Alexander\AppData\Local\Temp\yole5xly.dll
C:\Users\Alexander\AppData\Local\Temp\z0iyyblt.dll
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe
[2014-10-17 13:06] - [2014-07-16 18:07] - 0455168 ____A (Microsoft Corporation) 8CEBD9D0A0A879CDE9F36F4383B7CAEA
 
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
Restore point made on: 2014-10-17 14:32:38
Restore point made on: 2014-10-17 14:35:27
Restore point made on: 2014-10-17 15:57:33
Restore point made on: 2014-10-17 18:22:09
Restore point made on: 2014-10-18 06:19:03
 
==================== Memory info =========================== 
 
Percentage of memory in use: 12%
Total physical RAM: 8156.86 MB
Available physical RAM: 7173.35 MB
Total Pagefile: 8155 MB
Available Pagefile: 7180.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:231.23 GB) (Free:67.93 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Nuevo vol) (Fixed) (Total:107.42 GB) (Free:19.83 GB) NTFS
Drive e: (Nuevo vol) (Fixed) (Total:111.96 GB) (Free:61.93 GB) NTFS
Drive f: (RECOVERY) (Fixed) (Total:15 GB) (Free:8.01 GB) NTFS
Drive h: (KINGSTON) (Removable) (Total:7.2 GB) (Free:7.19 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 78000000)
Partition 1: (Not Active) - (Size=157 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=231.2 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=219.4 GB) - (Type=OF Extended)
 
========================================================
Disk: 1 (Size: 7.2 GB) (Disk ID: 4A5279AC)
Partition 1: (Active) - (Size=7.2 GB) - (Type=0B)
 
 
LastRegBack: 2014-09-30 09:21
 
==================== End Of Log ============================


#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:00 AM

Posted 23 October 2014 - 02:03 PM

Hi alexander.bautista,
 
Running a fix using Farbar's Recovery Scan Tool in the Recovery Environment:

  • From your clean computer, press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flash drive as fixlist.txt
HKLM-x32\...\Run: [] => [X]
HKU\Alexander\...\Run: [Adcworks] => C:\Windows\SysWOW64\regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Endtion] => regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Edkgtion] => C:\Users\Alexander\AppData\Local\Edkgtion\tmp9B1D.exe
HKU\Alexander\...\Run: [cmdkey] => "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
HKU\Alexander\...\RunOnce: [cmdkey] => "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
HKU\Alexander\...\Policies\Explorer: [Run] 
HKU\Alexander\...\Command Processor: "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe" <===== ATTENTION!
Startup: C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmdkey.lnk
ShortcutTarget: cmdkey.lnk ->  (No File)
S2 CP_OMDRV; No ImagePath
S2 VNASC; No ImagePath
2014-10-11 16:31 - 2014-10-12 09:58 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\Ecdyyr
2014-10-10 14:58 - 2014-10-17 13:10 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Endtion
2014-10-10 14:57 - 2014-10-17 14:35 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Edkgtion
C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate
C:\Users\Alexander\AppData\Local\Temp\1b4wfkv3.dll
C:\Users\Alexander\AppData\Local\Temp\1y3mgrhb.dll
C:\Users\Alexander\AppData\Local\Temp\2dbmq4gx.dll
C:\Users\Alexander\AppData\Local\Temp\2vjyrlez.dll
C:\Users\Alexander\AppData\Local\Temp\3g3ce5zh.dll
C:\Users\Alexander\AppData\Local\Temp\3owgoeut.dll
C:\Users\Alexander\AppData\Local\Temp\4mtjksxf.dll
C:\Users\Alexander\AppData\Local\Temp\4ot3jo21.dll
C:\Users\Alexander\AppData\Local\Temp\b2mj3irt.dll
C:\Users\Alexander\AppData\Local\Temp\bpruvzhp.dll
C:\Users\Alexander\AppData\Local\Temp\bvmwqhcm.dll
C:\Users\Alexander\AppData\Local\Temp\c5sm6k7m.dll
C:\Users\Alexander\AppData\Local\Temp\enpxmxae.dll
C:\Users\Alexander\AppData\Local\Temp\ffnhyjtm.dll
C:\Users\Alexander\AppData\Local\Temp\FreemakeAudioConverter_1.1.0.54.exe
C:\Users\Alexander\AppData\Local\Temp\hexdek3l.dll
C:\Users\Alexander\AppData\Local\Temp\icjm5j1b.dll
C:\Users\Alexander\AppData\Local\Temp\j1t20m0d.dll
C:\Users\Alexander\AppData\Local\Temp\jakyux8s.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.exe
C:\Users\Alexander\AppData\Local\Temp\juvabfa4.dll
C:\Users\Alexander\AppData\Local\Temp\kogmxji4.dll
C:\Users\Alexander\AppData\Local\Temp\li5dbz2z.dll
C:\Users\Alexander\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\Alexander\AppData\Local\Temp\qckeureh.dll
C:\Users\Alexander\AppData\Local\Temp\Quarantine.exe
C:\Users\Alexander\AppData\Local\Temp\rz0ypcli.dll
C:\Users\Alexander\AppData\Local\Temp\s1e54bwa.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.exe
C:\Users\Alexander\AppData\Local\Temp\juvabfa4.dll
C:\Users\Alexander\AppData\Local\Temp\kogmxji4.dll
C:\Users\Alexander\AppData\Local\Temp\li5dbz2z.dll
C:\Users\Alexander\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\Alexander\AppData\Local\Temp\qckeureh.dll
C:\Users\Alexander\AppData\Local\Temp\rz0ypcli.dll
C:\Users\Alexander\AppData\Local\Temp\s1e54bwa.dll
C:\Users\Alexander\AppData\Local\Temp\snoi0wca.dll
C:\Users\Alexander\AppData\Local\Temp\sqlite3.dll
C:\Users\Alexander\AppData\Local\Temp\tg0dchdg.dll
C:\Users\Alexander\AppData\Local\Temp\toae2ipj.dll
C:\Users\Alexander\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Alexander\AppData\Local\Temp\uaa5yggg.dll
C:\Users\Alexander\AppData\Local\Temp\utt190F.tmp.exe
C:\Users\Alexander\AppData\Local\Temp\v342cru3.dll
C:\Users\Alexander\AppData\Local\Temp\v5dt5tym.dll
C:\Users\Alexander\AppData\Local\Temp\vhbpkijo.dll
C:\Users\Alexander\AppData\Local\Temp\waufrmwu.dll
C:\Users\Alexander\AppData\Local\Temp\wxfcavxb.dll
C:\Users\Alexander\AppData\Local\Temp\xuauivc4.dll
C:\Users\Alexander\AppData\Local\Temp\yf0timkv.dll
C:\Users\Alexander\AppData\Local\Temp\yole5xly.dll
C:\Users\Alexander\AppData\Local\Temp\z0iyyblt.dll
  • Insert the USB device into your infected computer
  • Follow the process below to enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool.

On a clean machine, please download Farbar Recovery Scan Tool and save it to the USB (feel free to use the frst download from my last instructions, if you still have it on the USB).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
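The fixlist above was built by reading the FRST log by hand: newly created folders under AppData were matched against Run/RunOnce values that point into them, and hidden folders and unattributed executables were picked out. The script below is an added example of doing that first pass automatically; it is not part of this thread and is not FRST's or the helper's code. It parses the two line layouts FRST uses in this thread (the "created files" lines and the Run-key lines), then applies a few conservative triage rules. The sample log is constructed from a handful of lines copied from the logs above; the rule set and all function names are the editor's assumptions, and the parenthesised field is the company name from a file's version info, not a signature check.

```python
"""Triage helper for FRST log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines in the layouts FRST prints, copied from
# the logs in this thread. A real run would read the whole FRST.txt.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [] => [X]
HKU\Alexander\...\Run: [Adcworks] => C:\Windows\SysWOW64\regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Endtion] => regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Edkgtion] => C:\Users\Alexander\AppData\Local\Edkgtion\tmp9B1D.exe
HKU\Alexander\...\Run: [cmdkey] => "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
2014-10-17 13:06 - 2014-07-16 18:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\System32\winlogon.exe
2014-10-11 17:06 - 2014-10-01 08:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-10-11 16:31 - 2014-10-12 09:58 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\Ecdyyr
2014-10-10 15:12 - 2014-10-10 15:12 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\TuneUp Software
2014-10-10 14:58 - 2014-10-17 13:10 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Endtion
2014-10-10 14:57 - 2014-10-17 14:35 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Edkgtion
2014-10-10 14:57 - 2014-10-10 14:57 - 00000000 __SHD () C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C}
2014-09-27 18:17 - 2014-09-27 18:17 - 00045400 _____ () C:\Windows\SysWOW64\DiscHandler.exe
"""

# "created - modified - size attrs (company) path" as in the file sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# "HKU\User\...\Run: [name] => target ..." as in the registry section.
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Za-z0-9-]+(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] => (?P<target>.+)$"
)
# Absolute path at the start of a Run target, with or without quotes.
ABS_PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"\[]+?\.(?:exe|dll|scr|com))', re.IGNORECASE)

USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\",
                 "\\users\\public\\", "\\temp\\")
PE_EXT = (".exe", ".dll", ".scr", ".com", ".sys", ".cpl")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str      # FRST attribute column, e.g. ____D, __SHD, _____
    company: str    # CompanyName from version info; empty for folders and unattributed files
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    target_path: Optional[str]   # None when the target is not an absolute path (e.g. [X])


def parse_log(text: str) -> Tuple[List[FileEntry], List[RunEntry]]:
    """Split the log into file entries and Run/RunOnce entries; other lines are ignored."""
    files, runs = [], []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(m["created"], m["modified"], int(m["size"]),
                                   m["attrs"], m["company"].strip(), m["path"]))
            continue
        m = RUN_RE.match(line)
        if m:
            t = ABS_PATH_RE.match(m["target"])
            runs.append(RunEntry(m["hive"], m["key"], m["name"], t["path"] if t else None))
    return files, runs


def triage(files: List[FileEntry], runs: List[RunEntry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries worth a closer look. Assumed rule set."""
    run_dirs = {r.target_path.rsplit("\\", 1)[0].lower() for r in runs if r.target_path}
    run_names = {r.name.lower() for r in runs if r.name}
    findings: Dict[str, List[str]] = {}
    for e in files:
        low = e.path.lower()
        user_area = any(marker in low for marker in USER_WRITABLE)
        reasons = []
        if not e.is_dir and low.endswith(PE_EXT) and not e.company:
            reasons.append("PE file without a company name in its version info")
        if user_area and ("H" in e.attrs or "S" in e.attrs):
            reasons.append("hidden/system attribute in a user-writable location")
        if e.is_dir and low in run_dirs:
            reasons.append("folder hosts the target of a Run/RunOnce value")
        if user_area and e.name.lower() in run_names:
            reasons.append("name matches a Run/RunOnce value name")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    parsed_files, parsed_runs = parse_log(SAMPLE_LOG)
    for path, reasons in triage(parsed_files, parsed_runs).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample, the rules flag the Edkgtion and Endtion folders, the hidden {GUID} folder under ProgramData and DiscHandler.exe, which is the same set of items the fixlist targets, minus Ecdyyr: that folder matches none of the rules and was evidently included on the strength of its creation time alone, which is a reminder that a heuristic pass narrows the list for a human reviewer rather than replacing the review.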


#7 alexander.bautista

alexander.bautista
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:00 PM

Posted 23 October 2014 - 09:46 PM

Hi Toffee, this is the Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-10-2014 01
Ran by SYSTEM at 2014-10-23 21:40:47 Run:1
Running from H:\
Boot Mode: Recovery
==============================================


Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
HKU\Alexander\...\Run: [Adcworks] => C:\Windows\SysWOW64\regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Endtion] => regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Edkgtion] => C:\Users\Alexander\AppData\Local\Edkgtion\tmp9B1D.exe
HKU\Alexander\...\Run: [cmdkey] => "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
HKU\Alexander\...\RunOnce: [cmdkey] => "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
HKU\Alexander\...\Policies\Explorer: [Run] 
HKU\Alexander\...\Command Processor: "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe" <===== ATTENTION!
Startup: C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmdkey.lnk
ShortcutTarget: cmdkey.lnk ->  (No File)
S2 CP_OMDRV; No ImagePath
S2 VNASC; No ImagePath
2014-10-11 16:31 - 2014-10-12 09:58 - 00000000 ____D () C:\Users\Alexander\AppData\Roaming\Ecdyyr
2014-10-10 14:58 - 2014-10-17 13:10 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Endtion
2014-10-10 14:57 - 2014-10-17 14:35 - 00000000 ____D () C:\Users\Alexander\AppData\Local\Edkgtion
C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate
C:\Users\Alexander\AppData\Local\Temp\1b4wfkv3.dll
C:\Users\Alexander\AppData\Local\Temp\1y3mgrhb.dll
C:\Users\Alexander\AppData\Local\Temp\2dbmq4gx.dll
C:\Users\Alexander\AppData\Local\Temp\2vjyrlez.dll
C:\Users\Alexander\AppData\Local\Temp\3g3ce5zh.dll
C:\Users\Alexander\AppData\Local\Temp\3owgoeut.dll
C:\Users\Alexander\AppData\Local\Temp\4mtjksxf.dll
C:\Users\Alexander\AppData\Local\Temp\4ot3jo21.dll
C:\Users\Alexander\AppData\Local\Temp\b2mj3irt.dll
C:\Users\Alexander\AppData\Local\Temp\bpruvzhp.dll
C:\Users\Alexander\AppData\Local\Temp\bvmwqhcm.dll
C:\Users\Alexander\AppData\Local\Temp\c5sm6k7m.dll
C:\Users\Alexander\AppData\Local\Temp\enpxmxae.dll
C:\Users\Alexander\AppData\Local\Temp\ffnhyjtm.dll
C:\Users\Alexander\AppData\Local\Temp\FreemakeAudioConverter_1.1.0.54.exe
C:\Users\Alexander\AppData\Local\Temp\hexdek3l.dll
C:\Users\Alexander\AppData\Local\Temp\icjm5j1b.dll
C:\Users\Alexander\AppData\Local\Temp\j1t20m0d.dll
C:\Users\Alexander\AppData\Local\Temp\jakyux8s.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.exe
C:\Users\Alexander\AppData\Local\Temp\juvabfa4.dll
C:\Users\Alexander\AppData\Local\Temp\kogmxji4.dll
C:\Users\Alexander\AppData\Local\Temp\li5dbz2z.dll
C:\Users\Alexander\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\Alexander\AppData\Local\Temp\qckeureh.dll
C:\Users\Alexander\AppData\Local\Temp\Quarantine.exe
C:\Users\Alexander\AppData\Local\Temp\rz0ypcli.dll
C:\Users\Alexander\AppData\Local\Temp\s1e54bwa.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.dll
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.exe
C:\Users\Alexander\AppData\Local\Temp\juvabfa4.dll
C:\Users\Alexander\AppData\Local\Temp\kogmxji4.dll
C:\Users\Alexander\AppData\Local\Temp\li5dbz2z.dll
C:\Users\Alexander\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\Alexander\AppData\Local\Temp\qckeureh.dll
C:\Users\Alexander\AppData\Local\Temp\rz0ypcli.dll
C:\Users\Alexander\AppData\Local\Temp\s1e54bwa.dll
C:\Users\Alexander\AppData\Local\Temp\snoi0wca.dll
C:\Users\Alexander\AppData\Local\Temp\sqlite3.dll
C:\Users\Alexander\AppData\Local\Temp\tg0dchdg.dll
C:\Users\Alexander\AppData\Local\Temp\toae2ipj.dll
C:\Users\Alexander\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Alexander\AppData\Local\Temp\uaa5yggg.dll
C:\Users\Alexander\AppData\Local\Temp\utt190F.tmp.exe
C:\Users\Alexander\AppData\Local\Temp\v342cru3.dll
C:\Users\Alexander\AppData\Local\Temp\v5dt5tym.dll
C:\Users\Alexander\AppData\Local\Temp\vhbpkijo.dll
C:\Users\Alexander\AppData\Local\Temp\waufrmwu.dll
C:\Users\Alexander\AppData\Local\Temp\wxfcavxb.dll
C:\Users\Alexander\AppData\Local\Temp\xuauivc4.dll
C:\Users\Alexander\AppData\Local\Temp\yf0timkv.dll
C:\Users\Alexander\AppData\Local\Temp\yole5xly.dll
C:\Users\Alexander\AppData\Local\Temp\z0iyyblt.dll
*****************


HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\Alexander\Software\Microsoft\Windows\CurrentVersion\Run\\Adcworks => value deleted successfully.
HKU\Alexander\Software\Microsoft\Windows\CurrentVersion\Run\\Endtion => value deleted successfully.
HKU\Alexander\Software\Microsoft\Windows\CurrentVersion\Run\\Edkgtion => value deleted successfully.
HKU\Alexander\Software\Microsoft\Windows\CurrentVersion\Run\\cmdkey => value deleted successfully.
HKU\Alexander\Software\Microsoft\Windows\CurrentVersion\RunOnce\\cmdkey => value deleted successfully.
HKU\Alexander\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\Run => value deleted successfully.
HKU\Alexander\Software\Microsoft\Command Processor\\AutoRun => value deleted successfully.
C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmdkey.lnk => Moved successfully.
ShortcutTarget: cmdkey.lnk ->  (No File) not found.
CP_OMDRV => Service deleted successfully.
VNASC => Service deleted successfully.
C:\Users\Alexander\AppData\Roaming\Ecdyyr => Moved successfully.
C:\Users\Alexander\AppData\Local\Endtion => Moved successfully.
C:\Users\Alexander\AppData\Local\Edkgtion => Moved successfully.
C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\1b4wfkv3.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\1y3mgrhb.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\2dbmq4gx.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\2vjyrlez.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\3g3ce5zh.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\3owgoeut.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\4mtjksxf.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\4ot3jo21.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\b2mj3irt.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\bpruvzhp.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\bvmwqhcm.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\c5sm6k7m.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\enpxmxae.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\ffnhyjtm.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\FreemakeAudioConverter_1.1.0.54.exe => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\hexdek3l.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\icjm5j1b.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\j1t20m0d.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\jakyux8s.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.exe => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\juvabfa4.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\kogmxji4.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\li5dbz2z.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\neoNCSetup64.exe => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\qckeureh.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\rz0ypcli.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\s1e54bwa.dll => Moved successfully.
"C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.dll" => File/Directory not found.
"C:\Users\Alexander\AppData\Local\Temp\JExplorer32.2.5.4.exe" => File/Directory not found.
"C:\Users\Alexander\AppData\Local\Temp\juvabfa4.dll" => File/Directory not found.
"C:\Users\Alexander\AppData\Local\Temp\kogmxji4.dll" => File/Directory not found.
"C:\Users\Alexander\AppData\Local\Temp\li5dbz2z.dll" => File/Directory not found.
"C:\Users\Alexander\AppData\Local\Temp\neoNCSetup64.exe" => File/Directory not found.
"C:\Users\Alexander\AppData\Local\Temp\qckeureh.dll" => File/Directory not found.
"C:\Users\Alexander\AppData\Local\Temp\rz0ypcli.dll" => File/Directory not found.
"C:\Users\Alexander\AppData\Local\Temp\s1e54bwa.dll" => File/Directory not found.
C:\Users\Alexander\AppData\Local\Temp\snoi0wca.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\tg0dchdg.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\toae2ipj.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\TUUUninstallHelper.exe => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\uaa5yggg.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\utt190F.tmp.exe => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\v342cru3.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\v5dt5tym.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\vhbpkijo.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\waufrmwu.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\wxfcavxb.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\xuauivc4.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\yf0timkv.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\yole5xly.dll => Moved successfully.
C:\Users\Alexander\AppData\Local\Temp\z0iyyblt.dll => Moved successfully.


==== End of Fixlog ====
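
The Fixlog above shows the usual persistence set: Run and RunOnce values, a Policies\Explorer\Run value, a Command Processor AutoRun hook, a Startup folder shortcut, and services with no ImagePath. As an added example (not code from this thread and not FRST's own), the Python below reads lines of the shape FRST prints and flags the properties that made these entries worth removing: targets under AppData, a bare file name resolved through the process search path, a system utility such as regsvr32.exe registered with nothing to load and a non-Microsoft publisher, a Windows binary name (cmdkey.exe) used outside C:\Windows, and any cmd.exe AutoRun value at all. The regular expressions only approximate FRST's line format, the lists of binary names are this example's own, and the sample log is constructed from the Fixlog's own lines plus one invented benign HKLM entry.

```python
"""Triage FRST-style autostart lines for the persistence tricks seen above.

Added example, not part of this thread and not FRST's own code. The regexes
approximate FRST's line shapes; heuristics and name lists are this example's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines taken from the Fixlog above plus one made-up benign
# HKLM entry (size, date, publisher invented) to show a clean line yields nothing.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [] => [X]
HKU\Alexander\...\Run: [Adcworks] => C:\Windows\SysWOW64\regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Endtion] => regsvr32.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\Alexander\...\Run: [Edkgtion] => C:\Users\Alexander\AppData\Local\Edkgtion\tmp9B1D.exe
HKU\Alexander\...\Run: [cmdkey] => "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe"
HKU\Alexander\...\Command Processor: "C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\IEUpdate\cmdkey.exe" <===== ATTENTION!
Startup: C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmdkey.lnk
S2 CP_OMDRV; No ImagePath
HKLM\...\Run: [SecurityHealth] => C:\Windows\System32\SecurityHealthSystray.exe [123456 2014-07-01] (Microsoft Corporation)
"""

# Registry line: hive, optional user hive, key name, then the value text.
REG_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:-x32)?)(?:\\(?P<user>(?!\.\.\.)[^\\]+))?"
    r"\\\.\.\.\\(?P<key>[^:]+): (?P<rest>.*)$"
)
# "[Name] => target [size date] (Publisher)"; size, date and publisher are optional.
VALUE_RE = re.compile(
    r"^\[(?P<name>[^\]]*)\] => (?P<target>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<publisher>[^)]*)\))?$"
)
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+)$")
SERVICE_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); No ImagePath$")

# Utilities that execute whatever they are pointed at: registered with no
# argument they have nothing legitimate to do.
SYSTEM_UTILITIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe",
                    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Real Windows binary names that malware borrows (list is this example's own).
WINDOWS_NAMES = SYSTEM_UTILITIES | {"cmdkey.exe", "svchost.exe", "explorer.exe"}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _split_command(target: str):
    """Split 'prog args' or '"prog with spaces" args' into (prog, args)."""
    m = re.match(r'^"(?P<q>[^"]+)"\s*(?P<qa>.*)$|^(?P<u>\S+)\s*(?P<ua>.*)$', target)
    if not m:
        return "", ""
    if m.group("q") is not None:
        return m.group("q"), m.group("qa").strip()
    return m.group("u"), m.group("ua").strip()


def _analyse_target(target: str, publisher: Optional[str]) -> List[str]:
    """Heuristics for one autostart target; each string is a reason to look closer."""
    prog, args = _split_command(target.strip())
    low = prog.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if "\\appdata\\" in low:
        reasons.append("runs from user-writable AppData")
    if "\\" not in low:
        reasons.append("bare file name, resolved through the process search path")
    elif base in WINDOWS_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append(f"borrows the Windows binary name {base} outside C:\\Windows")
    if base in SYSTEM_UTILITIES:
        if not args:
            reasons.append(f"{base} registered with no argument")
        if publisher and "microsoft" not in publisher.lower():
            reasons.append(f"{base} reports non-Microsoft publisher '{publisher}'")
    return reasons


def _check_registry(key: str, rest: str) -> List[str]:
    if key == "Command Processor":
        # The Command Processor\AutoRun value runs every time cmd.exe starts,
        # so any value at all deserves a look; FRST marks it with ATTENTION.
        target = rest.split("<=====")[0].strip()
        return ["cmd.exe AutoRun hook, executed on every cmd.exe start"] + _analyse_target(target, None)
    m = VALUE_RE.match(rest)
    if not m:
        return ["value could not be parsed; inspect by hand"]
    if not m.group("name") or m.group("target") == "[X]":
        return ["empty or invalid value ([X])"]
    return _analyse_target(m.group("target"), m.group("publisher"))


def triage(log: str) -> List[Finding]:
    """Return one Finding per line that has at least one reason to be reviewed."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        m = REG_RE.match(line)
        if m:
            reasons = _check_registry(m.group("key"), m.group("rest"))
        elif STARTUP_RE.match(line):
            reasons = ["Startup folder shortcut: confirm the .lnk target exists and is expected"]
        elif SERVICE_RE.match(line):
            reasons = ["service with no ImagePath: binary removed or never installed"]
        if reasons:
            findings.append(Finding(line, reasons))
    return findings
```

Call triage() on the registry, Startup and service section of a real FRST.txt and print each Finding's reasons. The heuristics are deliberately loud; each reason is a prompt to verify the entry, not a verdict, and a clean Microsoft-signed entry under C:\Windows produces no finding at all.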


#8 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 24 October 2014 - 01:10 PM

Hi alexander.bautista,

 

Please try booting into normal mode. Any luck there?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 



#9 alexander.bautista (Topic Starter, Members, 21 posts)

Posted 24 October 2014 - 05:30 PM

Hi Toffee. No luck. I started into normal mode. Although I can log in, I still cannot access the desktop. Any attempt to access Explorer gets me an exception from the OS. :(



#10 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 25 October 2014 - 07:15 AM

Hi alexander.bautista,

 

When trying to access explorer what error message do you get?

 

xXToffeeXx~




#11 alexander.bautista (Topic Starter, Members, 21 posts)

Posted 27 October 2014 - 09:00 AM

Hi Toffee. My mistake. Actually I don't get any error when I try to run explorer from Task Manager -> New Task; nothing happens. When I click the Browse button at Task Manager -> New Task I get an error "Windows Task Manager has stopped working".



#12 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 27 October 2014 - 12:49 PM

Hi alexander.bautista,

 

Please boot into safe mode and tell me whether the desktop loads fully there.

 

xXToffeeXx~




#13 alexander.bautista (Topic Starter, Members, 21 posts)

Posted 27 October 2014 - 01:45 PM

Hi Toffee. 

 

No luck. If I try to start in safe mode or safe mode with networking, the computer automatically restarts.



#14 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 27 October 2014 - 04:06 PM

Hi alexander.bautista,
 
MBR Dump Using Farbar's Recovery Scan Tool in the Recovery Environment:

  • From your clean computer, press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
SaveMbr: Drive=0
  • Insert the USB device into your infected computer
  • Follow the process below to enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool

On a clean machine, please download Farbar Recovery Scan Tool and save it to the USB (feel free to use the frst download from my last instructions, if you still have it on the USB).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the USB called (MBRDUMP.txt)
  • Attach the file to your reply.

--------------

To recap, in your next reply I would like to see the following:

  • MBRDUMP.txt (attached)

xXToffeeXx~


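
The MBR dump requested above matters because the first 440 bytes of sector 0 are executable boot code that a bootkit can replace, while the partition table at offset 446 and the 0x55AA signature at offset 510 have a fixed layout that can be sanity-checked. As an added example (not code from this thread and not FRST's own), the Python below parses a raw 512-byte boot sector: it validates the signature, decodes the four partition entries, lists structural oddities (two active partitions, overlapping ranges, bad status bytes), and hashes the boot code so it can be compared against a known-good baseline taken from a clean disk with the same boot loader. It assumes you already have the raw sector bytes; the format of FRST's MBRDUMP.txt is not shown on this page, so converting it is left to the reader. The sample sector, its disk signature and the baseline hash are constructed here.

```python
"""Sanity-check a raw 512-byte MBR sector and fingerprint its boot code.

Added example, not part of this thread and not FRST's own code. Assumes the
raw sector bytes are available (conversion from MBRDUMP.txt not covered).
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 are code; 440..443 disk signature; 444..445 reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE = b"\x55\xAA"  # bytes 510..511


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


@dataclass
class MbrReport:
    boot_code_sha256: str
    disk_signature: int
    partitions: List[Partition]
    warnings: List[str]


def parse_mbr(sector: bytes) -> MbrReport:
    """Parse the partition table, hash the boot code and list structural oddities."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        entry = sector[off:off + 16]
        if entry == bytes(16):
            continue  # unused slot
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
        parts.append(Partition(i, status, type_id, lba, count))
    warnings: List[str] = []
    active = [p for p in parts if p.bootable]
    if len(active) > 1:
        warnings.append(f"{len(active)} partitions marked active; expected at most one")
    if parts and not active and not any(p.type_id == 0xEE for p in parts):  # 0xEE = GPT protective
        warnings.append("no active partition; standard MBR boot code would find no OS")
    for p in parts:
        if p.status not in (0x00, 0x80):
            warnings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
        if p.lba_start == 0 or p.sectors == 0:
            warnings.append(f"partition {p.index}: zero start or length")
        for q in parts:
            if q.index > p.index and p.lba_start < q.lba_start + q.sectors and q.lba_start < p.lba_start + p.sectors:
                warnings.append(f"partitions {p.index} and {q.index} overlap")
    return MbrReport(
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, 440)[0],
        partitions=parts,
        warnings=warnings,
    )


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """True if the executable part of the MBR equals a trusted baseline.

    The baseline must come from the same boot loader (a known-clean disk with
    the same Windows version). A mismatch means the code was rewritten, which
    is what a bootkit does, or that the loader was legitimately reinstalled.
    """
    return parse_mbr(sector).boot_code_sha256 == known_good_sha256


def build_sample_mbr() -> bytes:
    """Constructed sector: a standard-looking prologue, one active NTFS partition."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # xor ax,ax; mov ss,ax; mov sp,7C00h
    code += b"\x90" * (BOOT_CODE_LEN - len(code))            # pad with NOPs (constructed)
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"   # invented disk signature + reserved
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry0 + bytes(48)                               # three empty slots
    sector = code + disk_sig + table + SIGNATURE
    assert len(sector) == SECTOR
    return sector
```

In practice you store the boot-code hash of a clean machine with the same Windows release, then compare the suspect dump against it with boot_code_matches(); the partition table is parsed separately so a bootkit that only patches the code still shows an intact table, and a table that is inconsistent on its own shows up in warnings.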


#15 alexander.bautista (Topic Starter, Members, 21 posts)

Posted 27 October 2014 - 09:31 PM

Hi Toffee.

 

Here is the MBRDUMP.txt attached.
