
Infected with a cryptovirus. Win32/TrojanDownloader.Elenoocka.A found.


  • This topic is locked
10 replies to this topic

#1 infectedbivirus

infectedbivirus

  • Members
  • 5 posts

Posted 20 January 2015 - 10:11 AM

Hey there nice people of this forum. I do apologise for getting straight to the point but I'm quite desperate at the moment.

Yesterday I was infected by a strange cryptovirus that locked most txt, jpg and rar files on my pc. I got rid of all the viruses/trojans/other crap by scanning it thoroughly for the last 10 hours, but all the infected files still remain encrypted and I would like to get them back.

 

All the information I possess about the infection at the moment:

 

- the infection started by opening an attachment found in an email. File was named "columnises.zip", inside the archive we had "columnises.scr" which opened a txt file with movie offers once the archive was opened (I did not extract it). "columnises.scr" is "Win32/TrojanDownloader.Elenoocka.A trojan" according to ESET NOD32 antivirus 8.0304.0, database version 11042 (20150120).

- the following file types were encrypted -> jpg, xls, doc, js, rar, txt, xlsx, docx, accdb, ppt, mdb, others I might not know about. All 0 byte files of the mentioned types were not affected.

- all affected files have been renamed in the following fashion - filename extension has been capitalised (so rar -> RAR, doc -> DOC etc.) and the following extension has been added after the changed file extension -> ".zwfhivd" which got associated with IrfanView

- removing the ".zwfhivd" extension does not fix anything. File opens, but there is only gibberish inside, rar archives report as corrupted

- "file size" remains exactly the same as before the infection (tested it). "File size on disc" is different from the original file. When compared by content with a vanilla copy using Total Commander the encrypted files are totally different so I guess encrypted. The encrypted file is longer, so not only the header changed.

- at this moment I'm not 100% sure that "Win32/TrojanDownloader.Elenoocka.A" was responsible for the encryption, because I was using the computer for a couple of hours before noticing the encrypted files. When I saw it I immediately cut all internet access to the pc and scanned the operating memory and all boot sectors, removing anything suspicious (1 process). Today I removed two more suspicious files found on the PC, but unfortunately I can't provide any logs for this, because I upgraded NOD32 a couple of hours ago and cleaned all logs while doing so (my first cryptovirus, didn't know better). Besides, according to NOD's malware database "Win32/TrojanDownloader.Elenoocka.A" is just a trojan downloader, which means it is basically harmless if you know how to contain it.

- the bad news is Windows system recovery is turned off on this pc, shadow copy as well.

- the good news is I might be able to provide unencrypted file copies and the original email that started it all.

 

Despite my best efforts to identify this malware and decrypt it I found nil. If you need any logs, file examples, more information or you want me to do some tests I will be happy to oblige. Thank you in advance!

 

Edit 1:

 

It seems that my problem is very similar to the one reported in this topic -> http://www.bleepingcomputer.com/forums/t/563800/virus-renamed-and-encrypted-my-files/ although my wallpaper wasn't changed and I got no information about the ransom to pay. It MIGHT be the Critroni Ransomware, as described here http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information . The one thing I will never do is pay money to some scumbag that locks people's files.


Edited by infectedbivirus, 20 January 2015 - 10:44 AM.
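The rename pattern and the size/content observations in the post above can be turned into a small inventory check. The script below is an added example written for this thread; it is not code from the original post, from ESET, or from any tool mentioned here. It assumes only what the post states (the `.zwfhivd` suffix appended after an upper-cased original extension, unchanged file length, content that no longer matches a clean copy) plus the standard leading bytes of a few of the listed file types. It walks a directory, maps each affected name back to its original, compares against a clean copy kept beside it where one exists, and reports whether the header still looks like the claimed type. The sample tree it builds is constructed data, not victim files, and the script makes no attempt at decryption.

```python
"""Inventory files renamed in the pattern described in the post:
original extension upper-cased and ".zwfhivd" appended (e.g. report.DOC.zwfhivd).
Added example; the extension and observations come from the post, the file
signatures are the standard ones for those formats."""
import re
import tempfile
from pathlib import Path

RANSOM_EXT = ".zwfhivd"  # suffix reported in the post

# name.ORIGEXT.zwfhivd, where ORIGEXT is the upper-cased original extension
PATTERN = re.compile(r"^(?P<stem>.+)\.(?P<ext>[A-Z0-9]+)" + re.escape(RANSOM_EXT) + r"$")

# Leading bytes of a few of the types the post lists (standard signatures)
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "rar": b"Rar!\x1a\x07",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0",
    "xls": b"\xd0\xcf\x11\xe0",
}


def original_name(encrypted_name):
    """Map 'report.DOC.zwfhivd' back to 'report.doc'; None if the name does not fit."""
    m = PATTERN.match(encrypted_name)
    if m is None:
        return None
    return f"{m.group('stem')}.{m.group('ext').lower()}"


def header_looks_intact(path, ext):
    """True/False when a signature is known for ext, None when we cannot judge."""
    sig = MAGIC.get(ext)
    if sig is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(sig)) == sig


def triage(root):
    """Return one record per affected file under root, sorted by path."""
    findings = []
    for path in Path(root).rglob("*" + RANSOM_EXT):
        orig = original_name(path.name)
        if orig is None or not path.is_file():
            continue
        ext = orig.rsplit(".", 1)[1]
        record = {
            "encrypted": str(path),
            "original_name": orig,
            "size": path.stat().st_size,
            "header_intact": header_looks_intact(path, ext),
        }
        clean = path.with_name(orig)  # a vanilla copy kept beside it, if any
        if clean.is_file():
            record["same_size_as_clean"] = clean.stat().st_size == record["size"]
            record["content_differs"] = clean.read_bytes() != path.read_bytes()
        findings.append(record)
    return sorted(findings, key=lambda r: r["encrypted"])


def build_sample_tree():
    """Constructed sample data (not real victim files) illustrating the pattern."""
    root = Path(tempfile.mkdtemp(prefix="zwfhivd_triage_"))
    clean_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 60
    (root / "photo.jpg").write_bytes(clean_jpg)
    # Same length, different bytes: the effect the post describes
    (root / "photo.JPG.zwfhivd").write_bytes(bytes(b ^ 0x5A for b in clean_jpg))
    (root / "notes.TXT.zwfhivd").write_bytes(b"\x93\x1f\xc4" * 8)
    (root / "readme.zwfhivd").write_bytes(b"x")  # no inner extension: not the pattern
    return root


if __name__ == "__main__":
    for rec in triage(build_sample_tree()):
        print(rec)
```

Two limits worth knowing before trusting the output: a file whose original name already carried an upper-case extension cannot be told apart from the renamed form, and types without a known signature (txt among them) get `header_intact: None` rather than a verdict. The "same size, different content" pair is the useful signal here: it confirms the post's observation that the data was overwritten in place rather than merely renamed, which is what makes the renamed copies worthless without the key.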


#2 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,961 posts
  • Gender:Male
  • Location:Germany

Posted 20 January 2015 - 11:39 AM

Hey, :)

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#3 infectedbivirus

infectedbivirus
  • Topic Starter

  • Members
  • 5 posts

Posted 20 January 2015 - 01:08 PM

Thank you for the quick response Machiavelli. These are the logs you asked for:

 

I. Addition.txt

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-01-2015
Ran by Ilona at 2015-01-20 18:05:15
Running from C:\Users\Ilona\Desktop\nf
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.189 - Adobe Systems Incorporated)
Advertising Center (x32 Version: 0.0.0.2 - Nero AG) Hidden
AIDA64 Extreme v4.70 (HKLM-x32\...\AIDA64 Extreme_is1) (Version: 4.70 - FinalWire Ltd.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
Classic Shell (HKLM\...\{2368907C-E8F6-4750-A023-254C3E2B5E8D}) (Version: 4.0.4 - IvoSoft)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.2.3302 - CyberLink Corp.)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.49.1.0356 - Disc Soft Ltd)
Dark Souls Prepare to Die Edition (x32 Version: 1.0.0001.130 - NAMCO BANDAI Games Europe S.A.S.) Hidden
Dark Souls Prepare to Die Edition (x32 Version: 1.0.0002.130 - NAMCO BANDAI Games Europe S.A.S.) Hidden
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
DolbyFiles (x32 Version: 2.0 - Nero AG) Hidden
Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
ESET NOD32 Antivirus (HKLM\...\{7F39EB28-B9B7-41B8-8564-DB33284A010D}) (Version: 8.0.304.0 - ESET, spol s r. o.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 6.1.4.217 - Foxit Corporation)
Freemake Video Downloader (HKLM-x32\...\Freemake Video Downloader_is1) (Version: 3.7.1 - Ellora Assets Corporation)
GIMP 2.8.10 (HKLM\...\GIMP-2_is1) (Version: 2.8.10 - The GIMP Team)
HP 3D DriveGuard (HKLM-x32\...\{07F6DC37-0857-4B68-A675-4E35989E85E3}) (Version: 6.0.15.1 - Hewlett-Packard Company)
HP CoolSense (HKLM-x32\...\{394B14EA-B072-4440-9510-87797CB12371}) (Version: 2.20.21 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company)
ImagXpress (x32 Version: 7.0.74.0 - Nero AG) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3304 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.1.1000 - Intel Corporation)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.37 - Irfan Skiljan)
iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
K-Lite Mega Codec Pack 10.8.0 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.8.0 - )
LibreOffice 4.2 Help Pack (English (United Kingdom)) (HKLM-x32\...\{2FBE0515-2D4A-4A28-8A3E-F7DF6A555494}) (Version: 4.2.1.1 - The Document Foundation)
LibreOffice 4.2.1.1 (HKLM-x32\...\{C83C3B4C-1AFF-4CEA-8078-74E7A3FE8F03}) (Version: 4.2.1.1 - The Document Foundation)
Magic ISO Maker v5.5 (build 0281) (HKLM-x32\...\Magic ISO Maker v5.5 (build 0281)) (Version:  - )
Menu Templates - Starter Kit (x32 Version: 9.6.0.0 - Nero AG) Hidden
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Language Pack 2007 - Polish/Polski (HKLM-x32\...\OMUI.pl-pl) (Version: 12.0.4518.1020 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61187 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61186 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.7523 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.7523 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.7523 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.7523 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{307a22b8-8353-4c5e-b67b-2404c5734558}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61030 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61030 - Microsoft Corporation)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (HKLM-x32\...\{B175520C-86A2-35A7-8619-86DC379688B9}) (Version: 11.0.61030 - Microsoft Corporation)
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (HKLM-x32\...\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}) (Version: 11.0.61030 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (HKLM\...\{929FBD26-9020-399B-9A7A-751D61F0B942}) (Version: 12.0.21005 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (HKLM\...\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}) (Version: 12.0.21005 - Microsoft Corporation)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (HKLM-x32\...\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}) (Version: 12.0.21005 - Microsoft Corporation)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (HKLM-x32\...\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}) (Version: 12.0.21005 - Microsoft Corporation)
Microsoft Visual F# 2.0 Runtime (HKLM-x32\...\{85467CBC-7A39-33C9-8940-D72D9269B84F}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package - SE (x64) (HKLM\...\{B0A5A6EE-F8BA-48B1-BB32-BAC17E96C2B4}) (Version: 2.0.50728 - Microsoft Corporation)
Mozilla Firefox 27.0.1 (x86 pl) (HKLM-x32\...\Mozilla Firefox 27.0.1 (x86 pl)) (Version: 27.0.1 - Mozilla)
Mozilla Thunderbird 24.3.0 (x86 pl) (HKLM-x32\...\Mozilla Thunderbird 24.3.0 (x86 pl)) (Version: 24.3.0 - Mozilla)
Nero Burning ROM 2014 (HKLM-x32\...\{C9F54777-001E-41F6-83F8-B99A19EA5083}) (Version: 15.0.05600 - Nero AG)
Nero Info (HKLM-x32\...\{B791E0AB-87A9-41A4-8D98-D13C2E37D928}) (Version: 15.1.0030 - Nero AG)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.5.4 - Notepad++ Team)
Obsługa programów Apple (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Pale Moon 25.1.0 (x86 en-US) (HKLM-x32\...\Pale Moon 25.1.0 (x86 en-US)) (Version: 25.1.0 - Moonchild Productions)
PIT Format 2013 (HKLM-x32\...\PIT Format 2013_is1) (Version:  - Biuro Informatyki Stosowanej FORMAT)
Prerequisite installer (x32 Version: 15.0.0005 - Nero AG) Hidden
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 1.1.9200.23 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.20.815.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7016 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.00.12.0906 - REALTEK Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.50 - Piriform)
Sharepod 4.0.1.1 (HKLM-x32\...\{085BCFB8-F6FB-4600-AFAB-1F6DBC7F5F99}_is1) (Version:  - Macroplant LLC)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Street Fighter X Tekken (x32 Version: 1.0.0004.130 - CAPCOM U.S.A., INC) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.6.2 - Synaptics Incorporated)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
Winamp (HKLM-x32\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)
WinRAR 5.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)
Wolfenstein™ 1.2 Patch (x32 Version:  - ) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

02-01-2015 18:49:51 Installed SlimDX Runtime .NET 4.0 x86 (January 2012)
20-01-2015 10:20:49 Installed ESET NOD32 Antivirus

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 13:25 - 2015-01-07 23:56 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {14B4F84F-C08D-43C0-A831-29E0A0A3D429} - System32\Tasks\qburjoj => C:\Users\Ilona\AppData\Local\Temp\pbjxria.exe <==== ATTENTION
Task: {677E9F55-7CF8-419D-BE0A-6692833CAD0E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe
Task: {7966E192-54E6-45EB-8E62-ABC41C8049A3} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe
Task: {93EBE99B-6F70-42B7-A61A-776C4D1EA097} - System32\Tasks\Nero\Nero Info => C:\Program Files (x86)\Common Files\Nero\Nero Info\NeroInfo.exe [2013-10-16] (Nero AG)
Task: {C836472B-457B-484D-8CFD-8E8AA16225FF} - System32\Tasks\Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2013-09-10] (Hewlett-Packard Development Company, L.P.)

==================== Loaded Modules (whitelisted) =============

2010-07-15 04:44 - 2010-07-15 04:44 - 00020032 _____ () e:\progs\Unlocker\UnlockerCOM.dll
2013-09-03 20:45 - 2013-09-03 20:45 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2013-12-23 19:47 - 2013-09-04 00:53 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: BDESVC => 3
MSCONFIG\Services: fhsvc => 3
MSCONFIG\Services: Microsoft Office Groove Audit Service => 3
MSCONFIG\Services: MpsSvc => 2
MSCONFIG\Services: PcaSvc => 2
MSCONFIG\Services: SamSs => 2
MSCONFIG\Services: SessionEnv => 3
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: TermService => 3
MSCONFIG\Services: WbioSrvc => 3
MSCONFIG\Services: WerSvc => 3
MSCONFIG\Services: WMPNetworkSvc => 3
MSCONFIG\Services: WPCSvc => 3
MSCONFIG\Services: wscsvc => 2
MSCONFIG\Services: WSearch => 2
MSCONFIG\Services: wuauserv => 3

========================= Accounts: ==========================

Administrator (S-1-5-21-1234217716-3010420026-427230083-500 - Administrator - Disabled)
Guest (S-1-5-21-1234217716-3010420026-427230083-501 - Limited - Disabled)
Ilona (S-1-5-21-1234217716-3010420026-427230083-1001 - Administrator - Enabled) => C:\Users\Ilona

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/20/2015 04:11:37 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Nie można wygenerować kontekstu aktywacji dla „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest1”. Błąd w pliku manifestu lub w pliku zasad „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest2” w wierszu C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest3.
Wersja składnika wymagana przez aplikację powoduje konflikt z inną wersją składnika, która jest już aktywna.
Składniki powodujące konflikt:
Składnik 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest.
Składnik 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_62475f7becb72503.manifest.

Error: (01/20/2015 01:29:07 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Nie można wygenerować kontekstu aktywacji dla „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest1”. Błąd w pliku manifestu lub w pliku zasad „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest2” w wierszu C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest3.
Wersja składnika wymagana przez aplikację powoduje konflikt z inną wersją składnika, która jest już aktywna.
Składniki powodujące konflikt:
Składnik 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest.
Składnik 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_62475f7becb72503.manifest.

Error: (01/20/2015 01:28:43 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Nie można wygenerować kontekstu aktywacji dla „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest1”. Błąd w pliku manifestu lub w pliku zasad „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest2” w wierszu C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest3.
Wersja składnika wymagana przez aplikację powoduje konflikt z inną wersją składnika, która jest już aktywna.
Składniki powodujące konflikt:
Składnik 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest.
Składnik 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_62475f7becb72503.manifest.

Error: (01/20/2015 00:52:37 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Nie można wygenerować kontekstu aktywacji dla „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest1”. Błąd w pliku manifestu lub w pliku zasad „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest2” w wierszu C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest3.
Wersja składnika wymagana przez aplikację powoduje konflikt z inną wersją składnika, która jest już aktywna.
Składniki powodujące konflikt:
Składnik 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest.
Składnik 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_62475f7becb72503.manifest.

Error: (01/20/2015 09:51:48 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Nie można wygenerować kontekstu aktywacji dla „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest1”. Błąd w pliku manifestu lub w pliku zasad „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest2” w wierszu C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest3.
Wersja składnika wymagana przez aplikację powoduje konflikt z inną wersją składnika, która jest już aktywna.
Składniki powodujące konflikt:
Składnik 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest.
Składnik 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_62475f7becb72503.manifest.

Error: (01/20/2015 09:50:56 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Nie można wygenerować kontekstu aktywacji dla „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest1”. Błąd w pliku manifestu lub w pliku zasad „C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest2” w wierszu C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest3.
Wersja składnika wymagana przez aplikację powoduje konflikt z inną wersją składnika, która jest już aktywna.
Składniki powodujące konflikt:
Składnik 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_a9f4965301334e09.manifest.
Składnik 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.16384_none_62475f7becb72503.manifest.


System errors:
=============
Error: (01/20/2015 04:12:32 PM) (Source: DCOM) (EventID: 10010) (User: Ilona_PC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (01/20/2015 04:12:01 PM) (Source: DCOM) (EventID: 10010) (User: Ilona_PC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (01/20/2015 01:07:53 PM) (Source: DCOM) (EventID: 10010) (User: Ilona_PC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (01/20/2015 10:38:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Usługa Przeglądarka komputera zależy od usługi Serwer, której nie można uruchomić z powodu następującego błędu:
%%1068

Error: (01/20/2015 10:38:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Usługa Serwer zależy od usługi Menedżer kont zabezpieczeń, której nie można uruchomić z powodu następującego błędu:
%%1058

Error: (01/20/2015 10:38:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Usługa Przeglądarka komputera zależy od usługi Serwer, której nie można uruchomić z powodu następującego błędu:
%%1068

Error: (01/20/2015 10:38:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Usługa Serwer zależy od usługi Menedżer kont zabezpieczeń, której nie można uruchomić z powodu następującego błędu:
%%1058

Error: (01/20/2015 10:38:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Usługa Przeglądarka komputera zależy od usługi Serwer, której nie można uruchomić z powodu następującego błędu:
%%1068

Error: (01/20/2015 10:38:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Usługa Serwer zależy od usługi Menedżer kont zabezpieczeń, której nie można uruchomić z powodu następującego błędu:
%%1058

Error: (01/20/2015 10:38:09 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Usługa Przeglądarka komputera zależy od usługi Serwer, której nie można uruchomić z powodu następującego błędu:
%%1068


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: Intel® Core™ i3-3217U CPU @ 1.80GHz
Percentage of memory in use: 31%
Total physical RAM: 3988.27 MB
Available physical RAM: 2721.8 MB
Total Pagefile: 5988.27 MB
Available Pagefile: 4744.91 MB
Total Virtual: 131072 MB
Available Virtual: 131071.79 MB

==================== Drives ================================

Drive c: (C) (Fixed) (Total:113.82 GB) (Free:44.15 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:18.35 GB) (Free:1.86 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (e) (Fixed) (Total:222.21 GB) (Free:48.18 GB) NTFS
Drive f: (f) (Fixed) (Total:110.61 GB) (Free:37.09 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 8DE39570)

Partition: GPT Partition Type.

==================== End Of Log ============================

 

 

 

II. FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by Ilona (administrator) on ILONA_PC on 20-01-2015 18:04:48
Running from C:\Users\Ilona\Desktop\nf
Loaded Profiles: Ilona (Available profiles: Ilona)
Platform: Windows 8.1 (X64) OS Language: Polski (Polska)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) E:\progs\ESET\x86\ekrn.exe
(Ellora Assets Corp.) E:\progs\Freemake\CaptureLib\CaptureLibService.exe
(IvoSoft) E:\progs\Classic Shell\ClassicStartMenu.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(ESET) E:\progs\ESET\egui.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => E:\progs\Classic Shell\ClassicStartMenu.exe [161984 2014-01-18] (IvoSoft)
HKLM\...\Run: [egui] => E:\progs\ESET\egui.exe [5595336 2014-10-01] (ESET)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [77088 2013-07-24] (Hewlett-Packard Company)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\MountPoints2: {4a030068-d02f-11e3-834b-a01d48d2a1b1} - "H:\autorun.exe"
Startup: C:\Users\Ilona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poczta.lnk
ShortcutTarget: poczta.lnk -> E:\progs\Mozilla Thunderbird\thunderbird.exe (Mozilla Corporation)
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => E:\progs\idm\IDMShellExt64.dll (Tonec Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => E:\progs\Classic Shell\ClassicExplorer64.dll (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => E:\progs\Classic Shell\ClassicExplorer32.dll (IvoSoft)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPNOT14/2
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,First Home Page = http://g.uk.msn.com/HPNOT14/2
SearchScopes: HKLM -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-1234217716-3010420026-427230083-1001 -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1234217716-3010420026-427230083-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default
FF Homepage: www.google.com
FF NetworkProxy: "gopher", ""
FF NetworkProxy: "gopher_port", 0
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_189.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\progs\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> E:\progs\Java\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> E:\progs\Java\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @qq.com/TXSSO -> C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)
FF Extension: Flash Video Downloader - Full HD Download - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\artur.dubovoy@gmail.com [2014-05-04]
FF Extension: Flashblock - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2014-02-25]
FF Extension: Adblock Plus - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-02-25]
FF HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5 [2015-01-08]
FF HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5
FF StartMenuInternet: FIREFOX.EXE - e:\progs\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - E:\progs\idm\IDMGCExt.crx [2014-12-16]
CHR HKLM-x32\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - E:\progs\idm\IDMGCExt.crx [2014-12-16]
CHR HKLM-x32\...\Chrome\Extension: [pkijdmeepjhpenmighhaodgfoogncnlk] - E:\site_ee\mpoe.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ekrn; E:\progs\ESET\x86\ekrn.exe [1349576 2014-10-01] (ESET)
R2 FreemakeVideoCapture; e:\progs\Freemake\CaptureLib\CaptureLibService.exe [9216 2014-12-03] (Ellora Assets Corp.) [File not signed]
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-22] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-04] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-04] (Intel Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-19] (Realtek Semiconductor)
S2 SkypeUpdate; E:\progs\Skype\Updater\Updater.exe [315496 2014-12-11] (Skype Technologies)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2013-08-26] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U3 dtscsidrv; C:\Windows\System32\Drivers\dtscsidrv.sys [309248 2014-05-06] (Disc Soft Ltd)
R3 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2014-05-06] (Disc Soft Ltd)
S3 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [243440 2014-08-18] (ESET)
R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [241368 2014-08-18] (ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [169280 2014-08-18] (ESET)
S4 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [158968 2014-09-18] (ESET)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-04] (Intel Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290520 2013-08-19] (Realtek Semiconductor Corp.)
U5 RTSPER; C:\Windows\System32\Drivers\RTSPER.sys [429272 2013-08-21] (Realsil Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [2945240 2013-09-12] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2013-07-26] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-07-26] (Synaptics Incorporated)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2014-05-06] (Duplex Secure Ltd.)
U5 UnlockerDriver5; e:\progs\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
S3 WUDFWpdComp; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
S3 jrdusbser; \SystemRoot\system32\DRIVERS\jrdusbser.sys [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 18:04 - 2015-01-20 18:04 - 00000000 ____D () C:\Users\Ilona\Desktop\nf
2015-01-20 18:04 - 2015-01-20 18:04 - 00000000 ____D () C:\FRST
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\UC.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\RAR.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\PKZIP.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\PKUNZIP.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\LHA.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\ARJ.PIF
2015-01-20 13:56 - 2015-01-20 13:56 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\www.shadowexplorer.com
2015-01-20 10:22 - 2015-01-20 10:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2015-01-20 10:22 - 2015-01-20 10:22 - 00000000 ____D () C:\ProgramData\ESET
2015-01-19 19:11 - 2015-01-19 21:36 - 04096794 _____ () C:\ProgramData\owqpfja.html
2015-01-19 19:04 - 2015-01-19 19:04 - 00003014 _____ () C:\Windows\System32\Tasks\qburjoj
2015-01-19 11:49 - 2015-01-19 11:49 - 00553128 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-14 20:59 - 2015-01-14 20:59 - 00000064 _____ () C:\Windows\ Lone Wolf.url
2015-01-11 16:44 - 2015-01-11 16:44 - 00000000 ____D () C:\ProgramData\RealHideIP
2015-01-11 09:39 - 2015-01-11 09:39 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Tencent
2015-01-11 09:39 - 2015-01-11 09:39 - 00000000 ____D () C:\ProgramData\Tencent
2015-01-08 13:36 - 2015-01-19 00:52 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\IDM
2015-01-08 13:36 - 2015-01-08 13:36 - 00000000 ____D () C:\Users\Ilona\Downloads\Video
2015-01-08 13:36 - 2015-01-08 13:36 - 00000000 ____D () C:\Users\Ilona\Downloads\Compressed
2015-01-05 22:54 - 2015-01-05 22:54 - 00000000 ____D () C:\Program Files\WinPcap
2015-01-05 20:24 - 2015-01-05 20:24 - 00000000 ____D () C:\Program Files (x86)\Skype
2015-01-05 18:46 - 2015-01-05 22:58 - 00000000 ____D () C:\Users\Ilona\Documents\Freemake
2015-01-05 18:42 - 2015-01-05 22:58 - 00000000 ____D () C:\ProgramData\Freemake
2015-01-02 23:33 - 2015-01-19 20:21 - 00000000 ____D () C:\Users\Ilona\AppData\Local\VirtualStore
2014-12-28 15:24 - 2014-12-28 15:24 - 00004608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\w95inf32.dll
2014-12-28 15:24 - 2014-12-28 15:24 - 00002272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\w95inf16.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 01088272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\danim.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 00155408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LMRT.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 00063488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\unam4ie.exe
2014-12-28 15:24 - 1998-09-02 08:28 - 00038160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LMRTREND.dll
2014-12-28 15:24 - 1998-09-02 08:02 - 00194320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qcut.dll
2014-12-28 15:24 - 1998-08-27 04:51 - 00182032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft3.dll
2014-12-28 15:24 - 1998-08-20 11:02 - 00140800 _____ (The Duck Corporation) C:\Windows\SysWOW64\tm20dec.ax
2014-12-28 15:24 - 1998-08-20 10:38 - 00217984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\strmdll.dll
2014-12-28 15:24 - 1998-08-17 09:21 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mciqtz.drv
2014-12-28 15:24 - 1998-08-17 09:21 - 00010240 _____ () C:\Windows\SysWOW64\vidx16.dll
2014-12-28 15:24 - 1998-08-17 09:21 - 00005672 _____ () C:\Windows\SysWOW64\quartz.vxd
2014-12-28 15:06 - 2014-12-28 15:06 - 00109080 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 18:00 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\system32\sru
2015-01-20 14:21 - 2014-02-24 09:57 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\ClassicShell
2015-01-20 13:56 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\tracing
2015-01-20 10:37 - 2014-02-23 22:30 - 00000000 ____D () C:\Users\Ilona
2015-01-20 10:37 - 2013-08-22 14:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-20 10:11 - 2014-02-23 22:30 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{28060937-AEAC-4D7B-A53B-5A74041272FE}
2015-01-19 21:11 - 2014-03-28 08:26 - 00000000 ____D () C:\Users\Ilona\Desktop\Ilona różne
2015-01-19 20:59 - 2014-04-13 21:33 - 00000000 ____D () C:\PIT Format 2013
2015-01-19 20:33 - 2014-05-27 09:10 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Free42
2015-01-19 20:33 - 2014-03-03 21:43 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\TGCMLog
2015-01-19 20:30 - 2013-09-01 02:03 - 00000000 ___HD () C:\SYSTEM.SAV
2015-01-19 13:22 - 2014-09-17 11:22 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\DMCache
2015-01-18 22:45 - 2014-04-30 06:43 - 00001488 _____ () C:\Users\Ilona\Desktop\seriale Ilonki.TXT.zwfhivd
2015-01-17 09:50 - 2013-08-22 13:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-01-15 10:06 - 2014-02-23 22:57 - 00840878 _____ () C:\Windows\system32\perfh015.dat
2015-01-15 10:06 - 2014-02-23 22:57 - 00180518 _____ () C:\Windows\system32\perfc015.dat
2015-01-15 10:06 - 2013-08-26 06:09 - 01971452 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-13 14:33 - 2014-02-24 09:31 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Mozilla
2015-01-12 10:46 - 2014-02-25 23:45 - 00000000 ____D () C:\Users\Ilona\Desktop\programy_michal
2015-01-11 11:31 - 2014-04-22 05:11 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1234217716-3010420026-427230083-1001
2015-01-11 11:04 - 2014-02-25 23:14 - 00000000 ____D () C:\Users\Ilona\Desktop\Microsoft Office
2015-01-09 17:44 - 2014-02-25 14:40 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Skype
2015-01-05 20:24 - 2014-02-25 14:40 - 00000000 ____D () C:\ProgramData\Skype
2015-01-02 21:54 - 2014-02-24 15:06 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\DAEMON Tools Lite
2015-01-01 13:43 - 2013-10-11 20:58 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-12-31 15:05 - 2014-04-27 13:11 - 00000000 ____D () C:\ilonka_stary_laptop
2014-12-31 11:16 - 2014-11-09 17:22 - 00000112 _____ () C:\Users\Ilona\Desktop\do sciagniecia.TXT.zwfhivd
2014-12-28 15:24 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\Help
2014-12-28 15:06 - 2014-03-13 20:25 - 00466456 _____ (Creative Labs) C:\Windows\system32\wrap_oal.dll
2014-12-28 15:06 - 2014-03-13 20:25 - 00444952 _____ (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2014-12-28 15:06 - 2014-03-13 20:25 - 00122904 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\system32\OpenAL32.dll

==================== Files in the root of some directories =======
2014-03-22 18:28 - 2014-09-23 16:13 - 0005632 _____ () C:\Users\Ilona\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-19 19:11 - 2015-01-19 21:36 - 4096794 _____ () C:\ProgramData\owqpfja.html

Some content of TEMP:
====================
C:\Users\Ilona\AppData\Local\Temp\InstHelper.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 19:11

==================== End Of Log ============================



#4 Machiavelli

  • Agent 007
  • Malware Response Instructor
  • 3,961 posts
  • Gender:Male
  • Location:Germany

Posted 20 January 2015 - 02:00 PM

Hey, :)
Step 1: Adwarecleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, then just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on-screen prompts.
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop.
  • Install the programme and select Update.
  • Once it has updated, select Settings > Detection and Protection.
  • Tick Scan for rootkits.
  • Go back to the Dashboard and select Scan Now.
  • If threats are detected, click the Apply Actions button; MBAM will ask for a reboot.
  • On completion of the scan (or after the reboot) select View Detailed Log.
  • Select Export > Select text file and save to the desktop.
  • Attach/Post that log.

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4: FRST Scan
  • Run FRST. (If you have Windows Vista / Windows 7 / Windows 8: please right-click on the FRST icon and select Run as Administrator.)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

#5 infectedbivirus

  • Topic Starter
  • Members
  • 5 posts

Posted 20 January 2015 - 03:28 PM

Okay Machiavelli, I got all the logs for you and I must say that my PC was perfectly clean even before scanning it with everything you posted (apart from some badware I kept there willingly). One more thing about my case. The cryptovirus touched all the rar and zip files but omitted all rar part files (r00, r01, etc.). After posting the previous FRST logs I noticed a strange file set up in the scheduler to run from "C:\Users\USERNAME\AppData\LocalLow\Temp". I don't remember the exact name but it was random letters with an exe extension. I checked the folder and found nothing so it was probably deleted by NOD and just the scheduler entry remained. I deleted the entry a few minutes after posting my previous FRST logs.

Okay, onto the logs. Everything was done STEP BY STEP as you advised.

I. Adwarecleaner (foreign language, I didn't bother to find out how to change it to English)

# AdwCleaner v4.108 - Log utworzony 20/01/2015 o 19:27:51
# Aktualizacja 17/01/2015 przez Xplode
# Database : 2015-01-13.2 [Local]
# System operacyjny : Windows 8.1  (64 bits)
# Użytkownik : Ilona - ILONA_PC
# Ścieżka : C:\a\AdwCleaner.exe
# Opcja : Usuń

***** [ Usługi ] *****


***** [ Pliki / Foldery ] *****


***** [ Zadania ] *****


***** [ Skróty ] *****


***** [ Rejestr ] *****

Klucz Usunięto : HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO
Klucz Usunięto : HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}
Klucz Usunięto : [x64] HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}
Klucz Usunięto : HKCU\Software\Baidu

***** [ Przeglądarki internetowe ] *****

-\\ Internet Explorer v0.0.0.0


-\\ Mozilla Firefox v27.0.1 (pl)

[nhhi7tti.default\prefs.js] - Wpis usunięty : user_pref("extensions.fvd_single.__surfcanyon_disable_time", "1399223788492");
[nhhi7tti.default\prefs.js] - Wpis usunięty : user_pref("extensions.fvd_single.surfcanyon.ramp.start_time", "1397300315206");
[nhhi7tti.default\prefs.js] - Wpis usunięty : user_pref("extensions.fvd_singleseopack.b_surfcanyon", false);

-\\ Pale Moon v25.1.0 (en-US)


*************************

AdwCleaner[R0].txt - [1410 octets] - [20/01/2015 19:25:31]
AdwCleaner[S0].txt - [1291 octets] - [20/01/2015 19:27:51]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1351 octets] ##########



II. Malwarebytes

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2015-01-20
Scan Time: 19:34:43
Logfile: malware bytes.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.20.08
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Ilona

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 342455
Time Elapsed: 19 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

III. Junkware Removal Tool

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 8.1 x64
Ran by Ilona on 2015-01-20 at 20:00:27,14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\tencent"
Successfully deleted: [Folder] "C:\Users\Ilona\AppData\Roaming\getrighttogo"
Successfully deleted: [Folder] "C:\Users\Ilona\AppData\Roaming\tencent"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2015-01-20 at 20:01:41,40
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IV. FRST

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by Ilona (administrator) on ILONA_PC on 20-01-2015 20:06:24
Running from C:\a
Loaded Profiles: Ilona (Available profiles: Ilona)
Platform: Windows 8.1 (X64) OS Language: Polski (Polska)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) E:\progs\ESET\x86\ekrn.exe
(Ellora Assets Corp.) E:\progs\Freemake\CaptureLib\CaptureLibService.exe
(IvoSoft) E:\progs\Classic Shell\ClassicStartMenu.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(ESET) E:\progs\ESET\egui.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => E:\progs\Classic Shell\ClassicStartMenu.exe [161984 2014-01-18] (IvoSoft)
HKLM\...\Run: [egui] => E:\progs\ESET\egui.exe [5595336 2014-10-01] (ESET)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [77088 2013-07-24] (Hewlett-Packard Company)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\MountPoints2: {4a030068-d02f-11e3-834b-a01d48d2a1b1} - "H:\autorun.exe"
Startup: C:\Users\Ilona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poczta.lnk
ShortcutTarget: poczta.lnk -> E:\progs\Mozilla Thunderbird\thunderbird.exe (Mozilla Corporation)
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => E:\progs\idm\IDMShellExt64.dll (Tonec Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => E:\progs\Classic Shell\ClassicExplorer64.dll (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => E:\progs\Classic Shell\ClassicExplorer32.dll (IvoSoft)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPNOT14/2
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,First Home Page = http://g.uk.msn.com/HPNOT14/2
SearchScopes: HKLM -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1234217716-3010420026-427230083-1001 -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1234217716-3010420026-427230083-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default
FF Homepage: www.google.com
FF NetworkProxy: "gopher", ""
FF NetworkProxy: "gopher_port", 0
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_189.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\progs\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> E:\progs\Java\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> E:\progs\Java\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Extension: Flash Video Downloader - Full HD Download - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\artur.dubovoy@gmail.com [2014-05-04]
FF Extension: Flashblock - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2014-02-25]
FF Extension: Adblock Plus - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-02-25]
FF HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5 [2015-01-08]
FF HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5
FF StartMenuInternet: FIREFOX.EXE - e:\progs\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - E:\progs\idm\IDMGCExt.crx [2014-12-16]
CHR HKLM-x32\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - E:\progs\idm\IDMGCExt.crx [2014-12-16]
CHR HKLM-x32\...\Chrome\Extension: [pkijdmeepjhpenmighhaodgfoogncnlk] - E:\site_ee\mpoe.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ekrn; E:\progs\ESET\x86\ekrn.exe [1349576 2014-10-01] (ESET)
R2 FreemakeVideoCapture; e:\progs\Freemake\CaptureLib\CaptureLibService.exe [9216 2014-12-03] (Ellora Assets Corp.) [File not signed]
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-22] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-04] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-04] (Intel Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-19] (Realtek Semiconductor)
S2 SkypeUpdate; E:\progs\Skype\Updater\Updater.exe [315496 2014-12-11] (Skype Technologies)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2013-08-26] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U3 dtscsidrv; C:\Windows\System32\Drivers\dtscsidrv.sys [309248 2014-05-06] (Disc Soft Ltd)
R3 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2014-05-06] (Disc Soft Ltd)
S3 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [243440 2014-08-18] (ESET)
R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [241368 2014-08-18] (ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [169280 2014-08-18] (ESET)
S4 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [158968 2014-09-18] (ESET)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-04] (Intel Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290520 2013-08-19] (Realtek Semiconductor Corp.)
U5 RTSPER; C:\Windows\System32\Drivers\RTSPER.sys [429272 2013-08-21] (Realsil Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [2945240 2013-09-12] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2013-07-26] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-07-26] (Synaptics Incorporated)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2014-05-06] (Duplex Secure Ltd.)
U5 UnlockerDriver5; e:\progs\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
S3 WUDFWpdComp; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
S3 jrdusbser; \SystemRoot\system32\DRIVERS\jrdusbser.sys [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 20:06 - 2015-01-20 20:06 - 00000000 ____D () C:\FRST
2015-01-20 20:00 - 2015-01-20 20:00 - 00000000 ____D () C:\Windows\ERUNT
2015-01-20 19:31 - 2015-01-20 19:31 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-20 19:28 - 2015-01-20 19:28 - 00000314 _____ () C:\Windows\PFRO.log
2015-01-20 19:19 - 2015-01-20 20:06 - 00000000 ____D () C:\a
2015-01-20 19:09 - 2015-01-20 19:09 - 00553128 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\UC.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\RAR.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\PKZIP.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\PKUNZIP.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\LHA.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\ARJ.PIF
2015-01-20 13:56 - 2015-01-20 13:56 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\www.shadowexplorer.com
2015-01-20 10:22 - 2015-01-20 10:22 - 00000000 ____D () C:\ProgramData\ESET
2015-01-19 19:11 - 2015-01-19 21:36 - 04096794 _____ () C:\ProgramData\owqpfja.html
2015-01-14 20:59 - 2015-01-14 20:59 - 00000064 _____ () C:\Windows\ Lone Wolf.url
2015-01-11 16:44 - 2015-01-11 16:44 - 00000000 ____D () C:\ProgramData\RealHideIP
2015-01-08 13:36 - 2015-01-19 00:52 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\IDM
2015-01-08 13:36 - 2015-01-08 13:36 - 00000000 ____D () C:\Users\Ilona\Downloads\Video
2015-01-08 13:36 - 2015-01-08 13:36 - 00000000 ____D () C:\Users\Ilona\Downloads\Compressed
2015-01-05 22:54 - 2015-01-05 22:54 - 00000000 ____D () C:\Program Files\WinPcap
2015-01-05 20:24 - 2015-01-05 20:24 - 00000000 ____D () C:\Program Files (x86)\Skype
2015-01-05 18:46 - 2015-01-05 22:58 - 00000000 ____D () C:\Users\Ilona\Documents\Freemake
2015-01-05 18:42 - 2015-01-05 22:58 - 00000000 ____D () C:\ProgramData\Freemake
2015-01-02 23:33 - 2015-01-19 20:21 - 00000000 ____D () C:\Users\Ilona\AppData\Local\VirtualStore
2014-12-28 15:24 - 2014-12-28 15:24 - 00004608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\w95inf32.dll
2014-12-28 15:24 - 2014-12-28 15:24 - 00002272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\w95inf16.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 01088272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\danim.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 00155408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LMRT.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 00063488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\unam4ie.exe
2014-12-28 15:24 - 1998-09-02 08:28 - 00038160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LMRTREND.dll
2014-12-28 15:24 - 1998-09-02 08:02 - 00194320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qcut.dll
2014-12-28 15:24 - 1998-08-27 04:51 - 00182032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft3.dll
2014-12-28 15:24 - 1998-08-20 11:02 - 00140800 _____ (The Duck Corporation) C:\Windows\SysWOW64\tm20dec.ax
2014-12-28 15:24 - 1998-08-20 10:38 - 00217984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\strmdll.dll
2014-12-28 15:24 - 1998-08-17 09:21 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mciqtz.drv
2014-12-28 15:24 - 1998-08-17 09:21 - 00010240 _____ () C:\Windows\SysWOW64\vidx16.dll
2014-12-28 15:24 - 1998-08-17 09:21 - 00005672 _____ () C:\Windows\SysWOW64\quartz.vxd
2014-12-28 15:06 - 2014-12-28 15:06 - 00109080 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 20:00 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\system32\sru
2015-01-20 19:46 - 2014-04-22 05:11 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1234217716-3010420026-427230083-1001
2015-01-20 19:28 - 2013-08-22 14:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-20 18:18 - 2014-02-24 09:57 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\ClassicShell
2015-01-20 13:56 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\tracing
2015-01-20 10:37 - 2014-02-23 22:30 - 00000000 ____D () C:\Users\Ilona
2015-01-20 10:11 - 2014-02-23 22:30 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{28060937-AEAC-4D7B-A53B-5A74041272FE}
2015-01-19 21:11 - 2014-03-28 08:26 - 00000000 ____D () C:\Users\Ilona\Desktop\Ilona różne
2015-01-19 20:59 - 2014-04-13 21:33 - 00000000 ____D () C:\PIT Format 2013
2015-01-19 20:33 - 2014-05-27 09:10 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Free42
2015-01-19 20:33 - 2014-03-03 21:43 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\TGCMLog
2015-01-19 20:30 - 2013-09-01 02:03 - 00000000 ___HD () C:\SYSTEM.SAV
2015-01-19 13:22 - 2014-09-17 11:22 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\DMCache
2015-01-18 22:45 - 2014-04-30 06:43 - 00001488 _____ () C:\Users\Ilona\Desktop\seriale Ilonki.TXT.zwfhivd
2015-01-17 09:50 - 2013-08-22 13:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-01-15 10:06 - 2014-02-23 22:57 - 00840878 _____ () C:\Windows\system32\perfh015.dat
2015-01-15 10:06 - 2014-02-23 22:57 - 00180518 _____ () C:\Windows\system32\perfc015.dat
2015-01-15 10:06 - 2013-08-26 06:09 - 01971452 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-13 14:33 - 2014-02-24 09:31 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Mozilla
2015-01-12 10:46 - 2014-02-25 23:45 - 00000000 ____D () C:\Users\Ilona\Desktop\programy_michal
2015-01-11 11:04 - 2014-02-25 23:14 - 00000000 ____D () C:\Users\Ilona\Desktop\Microsoft Office
2015-01-09 17:44 - 2014-02-25 14:40 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Skype
2015-01-05 20:24 - 2014-02-25 14:40 - 00000000 ____D () C:\ProgramData\Skype
2015-01-02 21:54 - 2014-02-24 15:06 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\DAEMON Tools Lite
2015-01-01 13:43 - 2013-10-11 20:58 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-12-31 15:05 - 2014-04-27 13:11 - 00000000 ____D () C:\ilonka_stary_laptop
2014-12-31 11:16 - 2014-11-09 17:22 - 00000112 _____ () C:\Users\Ilona\Desktop\do sciagniecia.TXT.zwfhivd
2014-12-28 15:24 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\Help
2014-12-28 15:06 - 2014-03-13 20:25 - 00466456 _____ (Creative Labs) C:\Windows\system32\wrap_oal.dll
2014-12-28 15:06 - 2014-03-13 20:25 - 00444952 _____ (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2014-12-28 15:06 - 2014-03-13 20:25 - 00122904 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\system32\OpenAL32.dll

==================== Files in the root of some directories =======
2014-03-22 18:28 - 2014-09-23 16:13 - 0005632 _____ () C:\Users\Ilona\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-19 19:11 - 2015-01-19 21:36 - 4096794 _____ () C:\ProgramData\owqpfja.html

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 19:11

==================== End Of Log ============================

At the end I would like to thank you for your help. Could you also tell me if there is even a chance to decrypt the files or should I just move on with my life?


Edited by infectedbivirus, 20 January 2015 - 03:32 PM.
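A small triage script for the FRST listings above, added here as an example and not part of this thread or of FRST itself. It parses the line format FRST uses in its "One Month Created/Modified Files and Folders" sections, works out from the file names alone which extension the ransomware appended (the log shows "seriale Ilonki.TXT.zwfhivd"), lists the renamed files with the names they had before, and pulls out files dropped straight into system-wide roots, which is where the ransom note candidate C:\ProgramData\owqpfja.html sits. The sample lines are copied from the log in this post; the list of target extensions is the one the opening post reported. The "known document extension followed by an unknown one" heuristic and the set of root directories are assumptions of the example, not anything FRST itself reports.

```python
"""Triage helper for the FRST file listings quoted in this thread.

Added example, not part of the thread or of FRST. It parses the line format
FRST uses in its "One Month Created/Modified Files and Folders" sections and
works out, from file names alone, which extension the ransomware appended
(".zwfhivd" in the log above), then lists the affected files and any files
dropped directly into system-wide roots, which is where the ransom note
(C:\\ProgramData\\owqpfja.html) turned up here.
"""
import re
from collections import Counter

# One FRST file line: "<timestamp> - <timestamp> - <size> <attrs> (<company>) <path>".
# Which timestamp is creation vs. modification depends on the section, so they
# are kept as t1/t2 in the order FRST printed them.
FRST_FILE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

# File types the victim reported as encrypted (opening post). Assumption: this
# list is complete enough to act as the "document" side of "name.TXT.zwfhivd".
TARGET_EXTS = {"jpg", "xls", "doc", "js", "rar", "txt", "xlsx", "docx", "accdb", "ppt", "mdb"}

# Assumption: a file sitting directly in one of these roots is unusual enough to review.
ROOT_DIR_RE = re.compile(r"c:\\(programdata|windows|users\\[^\\]+\\appdata\\(roaming|local))")

# Sample input: lines copied from the FRST log posted in this thread.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-01-20 20:06 - 2015-01-20 20:06 - 00000000 ____D () C:\FRST
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\RAR.PIF
2015-01-19 19:11 - 2015-01-19 21:36 - 04096794 _____ () C:\ProgramData\owqpfja.html
2014-12-28 15:24 - 1998-09-02 08:28 - 01088272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\danim.dll
2014-12-28 15:06 - 2014-12-28 15:06 - 00109080 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
==================== One Month Modified Files and Folders =======
2015-01-18 22:45 - 2014-04-30 06:43 - 00001488 _____ () C:\Users\Ilona\Desktop\seriale Ilonki.TXT.zwfhivd
2014-12-31 11:16 - 2014-11-09 17:22 - 00000112 _____ () C:\Users\Ilona\Desktop\do sciagniecia.TXT.zwfhivd
"""


def parse_frst_files(text):
    """Return one dict per FRST file/folder line; section headers and notes are skipped."""
    entries = []
    for line in text.splitlines():
        m = FRST_FILE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["is_dir"] = "D" in e["attrs"]          # FRST marks folders with D in the attribute field
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        e["parent"] = e["path"].rsplit("\\", 1)[0]
        entries.append(e)
    return entries


def extensions(name):
    """Lower-cased extension chain: 'seriale Ilonki.TXT.zwfhivd' -> ['txt', 'zwfhivd']."""
    return [p.lower() for p in name.split(".")[1:]]


def infer_ransom_suffix(entries):
    """Most common trailing extension that follows a known document extension on a
    non-empty file. Empty files are ignored because the victim reported that 0-byte
    files were left untouched. Returns (suffix, count) or (None, 0)."""
    counts = Counter()
    for e in entries:
        if e["is_dir"] or e["size"] == 0:
            continue
        exts = extensions(e["name"])
        if len(exts) >= 2 and exts[-2] in TARGET_EXTS and exts[-1] not in TARGET_EXTS:
            counts[exts[-1]] += 1
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def encrypted_files(entries, suffix):
    """Files carrying the inferred suffix, with the path they had before renaming."""
    tail = "." + suffix.lower()
    hits = []
    for e in entries:
        if not e["is_dir"] and e["name"].lower().endswith(tail):
            hits.append({"path": e["path"], "original": e["path"][: -len(tail)],
                         "size": e["size"], "t1": e["t1"]})
    return hits


def root_drops(entries):
    """Non-directory entries sitting directly in ProgramData, Windows or a user's AppData root."""
    return [e["path"] for e in entries
            if not e["is_dir"] and ROOT_DIR_RE.fullmatch(e["parent"].lower())]


if __name__ == "__main__":
    found = parse_frst_files(SAMPLE_LOG)
    suffix, n = infer_ransom_suffix(found)
    print(f"appended extension: .{suffix} (seen on {n} files)")
    for hit in encrypted_files(found, suffix):
        print(f"  {hit['t1']}  {hit['size']:>8}  {hit['original']}  ->  .{suffix}")
    print("files dropped directly into system roots (review, not a verdict):")
    for p in root_drops(found):
        print("  " + p)
```

Run as-is to see the report on the embedded sample; for a real case, read the whole FRST.txt into the string handed to parse_frst_files. The suffix inference only tells you what was renamed, not whether the content can be decrypted; that still depends on identifying the family and whether keys are available.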


#6 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,961 posts
  • Gender:Male
  • Location:Germany
  • Local time:07:30 AM

Posted 20 January 2015 - 03:58 PM

Hey, :)
I found this site: http://www.bleepingcomputer.com/forums/t/543518/decryption-keys-are-now-freely-available-for-victims-of-cryptolocker/ But since the CryptoLocker screen is gone you can't enter a key. :/

Step 1: FRST Fix
  • Please open Notepad.exe. Make sure that you don't use any other software than Notepad.exe!
  • Copy and Paste the content of the codebox below into the empty textfile:

    HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\MountPoints2: {4a030068-d02f-11e3-834b-a01d48d2a1b1} - "H:\autorun.exe"
    Startup: C:\Users\Ilona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poczta.lnk
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    FF NetworkProxy: "gopher", ""
    FF NetworkProxy: "gopher_port", 0
    FF NetworkProxy: "share_proxy_settings", true
    FF NetworkProxy: "type", 0
    CHR HKLM-x32\...\Chrome\Extension: [pkijdmeepjhpenmighhaodgfoogncnlk] - E:\site_ee\mpoe.crx [Not Found]
    2015-01-19 19:11 - 2015-01-19 21:36 - 4096794 _____ () C:\ProgramData\owqpfja.html
    EmptyTemp:
  • Then click on File >> Save as
    • File Name: Fixlist.txt
    • From the Save as type drop down list, choose All Files
  • It is very important that you save this textfile on your Desktop!
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe (Note: If FRST advises there is a new updated version to be downloaded, allow this.) and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
Step 2: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
Step 3: ESET

Please run a free online scan with the ESET Online Scanner:

IMPORTANT: You MUST use Internet Explorer for this step!
  • Visit the ESET Online Scanner Web Page
  • Select the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use and click Start
  • When asked, allow the ActiveX control to install.
  • Select Enable detection of potentially unwanted applications and select Advanced Settings
  • Make sure the options Remove found threats and Enable Anti-Stealth technology are checked
  • Click Start. (This scan can take several hours, so please be patient)
  • Once the scan is completed, select List of found threats
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop
  • Click the Back button.
  • Click the Finish button.
  • Use Notepad to open the saved log file (on your Desktop: ESET.txt)
  • Copy and paste that log as a reply to this topic.
Step 4: Question

How is your PC running?

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#7 infectedbivirus

infectedbivirus
  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:30 PM

Posted 20 January 2015 - 06:38 PM

Thanks for the address, I found it already before starting this topic. Sent a file using the form and it said "Invalid file. The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file.".
If by "screen" you mean the ransom wallpaper, the problem is that the CryptoLocker screen was never there. :( Just something resembling a... cinema repertoire. Oh yeah, and it wasn't in English. I also tried a couple of other decrypters available on Kaspersky's website. To no avail.



I. FRST Fix

- I associated "txt" files with Windows Notepad,
- I created the file "Fixlist.txt" exactly as you wrote,
- FRST did not inform me about an update being available, despite the internet connection being turned on,
- log below:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by Ilona at 2015-01-20 22:14:34 Run:1
Running from C:\Users\Ilona\Desktop
Loaded Profiles: Ilona (Available profiles: Ilona)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\MountPoints2: {4a030068-d02f-11e3-834b-a01d48d2a1b1} - "H:\autorun.exe"
Startup: C:\Users\Ilona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poczta.lnk
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF NetworkProxy: "gopher", ""
FF NetworkProxy: "gopher_port", 0
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "type", 0
CHR HKLM-x32\...\Chrome\Extension: [pkijdmeepjhpenmighhaodgfoogncnlk] - E:\site_ee\mpoe.crx [Not Found]
2015-01-19 19:11 - 2015-01-19 21:36 - 4096794 _____ () C:\ProgramData\owqpfja.html
EmptyTemp:
*****************

"HKU\S-1-5-21-1234217716-3010420026-427230083-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a030068-d02f-11e3-834b-a01d48d2a1b1}" => Key deleted successfully.
HKCR\CLSID\{4a030068-d02f-11e3-834b-a01d48d2a1b1} => Key not found.
C:\Users\Ilona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\poczta.lnk => Moved successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pkijdmeepjhpenmighhaodgfoogncnlk" => Key deleted successfully.
C:\ProgramData\owqpfja.html => Moved successfully.
EmptyTemp: => Removed 11.6 MB temporary data.


The system needed a reboot.

==== End of Fixlog 22:14:35 ====



II. FRST Scan

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by Ilona (administrator) on ILONA_PC on 20-01-2015 22:19:02
Running from C:\Users\Ilona\Desktop
Loaded Profiles: Ilona (Available profiles: Ilona)
Platform: Windows 8.1 (X64) OS Language: Polski (Polska)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) E:\progs\ESET\x86\ekrn.exe
(Ellora Assets Corp.) E:\progs\Freemake\CaptureLib\CaptureLibService.exe
(IvoSoft) E:\progs\Classic Shell\ClassicStartMenu.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(ESET) E:\progs\ESET\egui.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => E:\progs\Classic Shell\ClassicStartMenu.exe [161984 2014-01-18] (IvoSoft)
HKLM\...\Run: [egui] => E:\progs\ESET\egui.exe [5595336 2014-10-01] (ESET)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [77088 2013-07-24] (Hewlett-Packard Company)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => E:\progs\idm\IDMShellExt64.dll (Tonec Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => E:\progs\Classic Shell\ClassicExplorer64.dll (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => E:\progs\Classic Shell\ClassicExplorer32.dll (IvoSoft)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT14/2
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPNOT14/2
HKU\S-1-5-21-1234217716-3010420026-427230083-1001\Software\Microsoft\Internet Explorer\Main,First Home Page = http://g.uk.msn.com/HPNOT14/2
SearchScopes: HKLM -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-1234217716-3010420026-427230083-1001 -> {884B7EA7-C34B-4DEA-AB88-55282A1D21F9} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1234217716-3010420026-427230083-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_189.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\progs\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> E:\progs\Java\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> E:\progs\Java\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Extension: Flash Video Downloader - Full HD Download - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\artur.dubovoy@gmail.com [2014-05-04]
FF Extension: Flashblock - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2014-02-25]
FF Extension: Adblock Plus - C:\Users\Ilona\AppData\Roaming\Mozilla\Firefox\Profiles\nhhi7tti.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-02-25]
FF HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5 [2015-01-08]
FF HKU\S-1-5-21-1234217716-3010420026-427230083-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Ilona\AppData\Roaming\IDM\idmmzcc5
FF StartMenuInternet: FIREFOX.EXE - e:\progs\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - E:\progs\idm\IDMGCExt.crx [2014-12-16]
CHR HKLM-x32\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - E:\progs\idm\IDMGCExt.crx [2014-12-16]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ekrn; E:\progs\ESET\x86\ekrn.exe [1349576 2014-10-01] (ESET)
R2 FreemakeVideoCapture; e:\progs\Freemake\CaptureLib\CaptureLibService.exe [9216 2014-12-03] (Ellora Assets Corp.) [File not signed]
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-22] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-04] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-04] (Intel Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-19] (Realtek Semiconductor)
S2 SkypeUpdate; E:\progs\Skype\Updater\Updater.exe [315496 2014-12-11] (Skype Technologies)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2013-08-26] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U3 dtscsidrv; C:\Windows\System32\Drivers\dtscsidrv.sys [309248 2014-05-06] (Disc Soft Ltd)
R3 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2014-05-06] (Disc Soft Ltd)
S3 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [243440 2014-08-18] (ESET)
R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [241368 2014-08-18] (ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [169280 2014-08-18] (ESET)
S4 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [158968 2014-09-18] (ESET)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-04] (Intel Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290520 2013-08-19] (Realtek Semiconductor Corp.)
U5 RTSPER; C:\Windows\System32\Drivers\RTSPER.sys [429272 2013-08-21] (Realsil Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [2945240 2013-09-12] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2013-07-26] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-07-26] (Synaptics Incorporated)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2014-05-06] (Duplex Secure Ltd.)
U5 UnlockerDriver5; e:\progs\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
S3 WUDFWpdComp; C:\Windows\system32\DRIVERS\WUDFRd.sys [230912 2013-08-22] (Microsoft Corporation)
S3 jrdusbser; \SystemRoot\system32\DRIVERS\jrdusbser.sys [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 22:19 - 2015-01-20 22:19 - 00012734 _____ () C:\Users\Ilona\Desktop\FRST.txt
2015-01-20 22:14 - 2015-01-20 22:19 - 00000000 ____D () C:\FRST
2015-01-20 22:13 - 2015-01-20 22:13 - 02126848 _____ (Farbar) C:\Users\Ilona\Desktop\FRST64.exe
2015-01-20 22:03 - 2015-01-20 22:08 - 00000000 ____D () C:\b
2015-01-20 21:43 - 2015-01-20 21:44 - 00553128 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-20 20:00 - 2015-01-20 20:00 - 00000000 ____D () C:\Windows\ERUNT
2015-01-20 19:31 - 2015-01-20 19:31 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\UC.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\RAR.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\PKZIP.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\PKUNZIP.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\LHA.PIF
2015-01-20 14:59 - 2014-04-30 08:51 - 00000545 _____ () C:\Windows\ARJ.PIF
2015-01-20 10:22 - 2015-01-20 10:22 - 00000000 ____D () C:\ProgramData\ESET
2015-01-14 20:59 - 2015-01-14 20:59 - 00000064 _____ () C:\Windows\ Lone Wolf.url
2015-01-11 16:44 - 2015-01-11 16:44 - 00000000 ____D () C:\ProgramData\RealHideIP
2015-01-08 13:36 - 2015-01-19 00:52 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\IDM
2015-01-08 13:36 - 2015-01-08 13:36 - 00000000 ____D () C:\Users\Ilona\Downloads\Video
2015-01-08 13:36 - 2015-01-08 13:36 - 00000000 ____D () C:\Users\Ilona\Downloads\Compressed
2015-01-05 22:54 - 2015-01-05 22:54 - 00000000 ____D () C:\Program Files\WinPcap
2015-01-05 20:24 - 2015-01-05 20:24 - 00000000 ____D () C:\Program Files (x86)\Skype
2015-01-05 18:46 - 2015-01-05 22:58 - 00000000 ____D () C:\Users\Ilona\Documents\Freemake
2015-01-05 18:42 - 2015-01-05 22:58 - 00000000 ____D () C:\ProgramData\Freemake
2015-01-02 23:33 - 2015-01-19 20:21 - 00000000 ____D () C:\Users\Ilona\AppData\Local\VirtualStore
2014-12-28 15:24 - 2014-12-28 15:24 - 00004608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\w95inf32.dll
2014-12-28 15:24 - 2014-12-28 15:24 - 00002272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\w95inf16.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 01088272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\danim.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 00155408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LMRT.dll
2014-12-28 15:24 - 1998-09-02 08:28 - 00063488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\unam4ie.exe
2014-12-28 15:24 - 1998-09-02 08:28 - 00038160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LMRTREND.dll
2014-12-28 15:24 - 1998-09-02 08:02 - 00194320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qcut.dll
2014-12-28 15:24 - 1998-08-27 04:51 - 00182032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft3.dll
2014-12-28 15:24 - 1998-08-20 11:02 - 00140800 _____ (The Duck Corporation) C:\Windows\SysWOW64\tm20dec.ax
2014-12-28 15:24 - 1998-08-20 10:38 - 00217984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\strmdll.dll
2014-12-28 15:24 - 1998-08-17 09:21 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mciqtz.drv
2014-12-28 15:24 - 1998-08-17 09:21 - 00010240 _____ () C:\Windows\SysWOW64\vidx16.dll
2014-12-28 15:24 - 1998-08-17 09:21 - 00005672 _____ () C:\Windows\SysWOW64\quartz.vxd
2014-12-28 15:06 - 2014-12-28 15:06 - 00109080 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 22:15 - 2013-08-22 14:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-20 22:07 - 2014-02-24 09:57 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\ClassicShell
2015-01-20 22:00 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\system32\sru
2015-01-20 19:46 - 2014-04-22 05:11 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1234217716-3010420026-427230083-1001
2015-01-20 13:56 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\tracing
2015-01-20 10:37 - 2014-02-23 22:30 - 00000000 ____D () C:\Users\Ilona
2015-01-20 10:11 - 2014-02-23 22:30 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{28060937-AEAC-4D7B-A53B-5A74041272FE}
2015-01-19 21:11 - 2014-03-28 08:26 - 00000000 ____D () C:\Users\Ilona\Desktop\Ilona różne
2015-01-19 20:59 - 2014-04-13 21:33 - 00000000 ____D () C:\PIT Format 2013
2015-01-19 20:33 - 2014-05-27 09:10 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Free42
2015-01-19 20:33 - 2014-03-03 21:43 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\TGCMLog
2015-01-19 20:30 - 2013-09-01 02:03 - 00000000 ___HD () C:\SYSTEM.SAV
2015-01-19 13:22 - 2014-09-17 11:22 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\DMCache
2015-01-18 22:45 - 2014-04-30 06:43 - 00001488 _____ () C:\Users\Ilona\Desktop\seriale Ilonki.TXT.zwfhivd
2015-01-17 09:50 - 2013-08-22 13:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-01-15 10:06 - 2014-02-23 22:57 - 00840878 _____ () C:\Windows\system32\perfh015.dat
2015-01-15 10:06 - 2014-02-23 22:57 - 00180518 _____ () C:\Windows\system32\perfc015.dat
2015-01-15 10:06 - 2013-08-26 06:09 - 01971452 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-13 14:33 - 2014-02-24 09:31 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Mozilla
2015-01-12 10:46 - 2014-02-25 23:45 - 00000000 ____D () C:\Users\Ilona\Desktop\programy_michal
2015-01-11 11:04 - 2014-02-25 23:14 - 00000000 ____D () C:\Users\Ilona\Desktop\Microsoft Office
2015-01-09 17:44 - 2014-02-25 14:40 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\Skype
2015-01-05 20:24 - 2014-02-25 14:40 - 00000000 ____D () C:\ProgramData\Skype
2015-01-02 21:54 - 2014-02-24 15:06 - 00000000 ____D () C:\Users\Ilona\AppData\Roaming\DAEMON Tools Lite
2015-01-01 13:43 - 2013-10-11 20:58 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-12-31 15:05 - 2014-04-27 13:11 - 00000000 ____D () C:\ilonka_stary_laptop
2014-12-31 11:16 - 2014-11-09 17:22 - 00000112 _____ () C:\Users\Ilona\Desktop\do sciagniecia.TXT.zwfhivd
2014-12-28 15:24 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\Help
2014-12-28 15:06 - 2014-03-13 20:25 - 00466456 _____ (Creative Labs) C:\Windows\system32\wrap_oal.dll
2014-12-28 15:06 - 2014-03-13 20:25 - 00444952 _____ (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2014-12-28 15:06 - 2014-03-13 20:25 - 00122904 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\system32\OpenAL32.dll

==================== Files in the root of some directories =======
2014-03-22 18:28 - 2014-09-23 16:13 - 0005632 _____ () C:\Users\Ilona\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 19:11

==================== End Of Log ============================



III. Eset

Following the link you gave me ended with this result -> "Sorry, this page is only available to residents of North America.". So I used this link instead -> http://www.eset.com/us/online-scanner/ .
I don't use Internet Explorer so it was turned off in Windows Features. It didn't start after getting turned back on, probably because the Windows system I'm using is customized to my liking (some processes completely turned off, some Windows functions as well). I didn't bother trying to get it working, because it would probably require a format and clean system install. I downloaded this file "esetsmartinstaller_enu.exe" from http://www.eset.com/us/online-scanner/ and it launches the online scanner in a small window on the desktop. I set up the scan options exactly as you wrote.

Log below:

C:\ilonka_stary_laptop\ilona_pendrajw_2\Ilona Asia\Microsoft\media.player.codec.pack.v3.9.6.setup.exe    Win32/Toolbar.Widgi potentially unwanted application    deleted - quarantined



IV. Question

My PC is running exactly the same as before the infection occurred. The only difference is that Thunderbird was dropped from autostart by the FRST fix. You did not answer my question - is there a realistic chance to unblock the encrypted files?



#8 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,961 posts
  • Gender:Male
  • Location:Germany

Posted 21 January 2015 - 12:45 AM

Hey, :)

    is there a realistic chance to unblock the encrypted files?

Sadly not.

 

Hello,
in my opinion your PC is clean. :) My help is of course completely free of charge but if you would like to donate some money to me so that I can buy some beer, then click on the PayPal button. I'd really appreciate it, my friend. :)


We need to remove the tools we've used during cleaning your machine.
  • Download Delfix from here and run it (If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the Delfix icon and select Run as Administrator).
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Create registry backup
    • Purge system restore
  • Click Run
The program will run for a few moments and then Notepad will open with a log. Please paste the log in your next reply.

 

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the windows update icon will appear in your taskbar when new updates are available, whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer's performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

Keep Safe! :thumbsup:

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

unite_blue.png
 
 


#9 infectedbivirus

infectedbivirus
  • Topic Starter

  • Members
  • 5 posts

Posted 21 January 2015 - 09:23 AM

Hey again Machiavelli. Thanks again for all your time and dedication. Your diagnosis is exactly the same as the one I found myself yesterday morning after doing all my scanning. My PC was completely clean before we started scanning it with all these apps you advised so I'll just skip this "delfix" step, because in my opinion it's totally pointless. I removed the apps you advised after completing every step so there's none of them left, all traces wiped clean as well. So unless you injected some kind of sophisticated malware into my PC I'm good to go. :)
Sadly I cannot donate any money to you, because my files are still encrypted. Which was the only thing I wanted fixed. I can offer feedback on your help, however. Don't know if you accept those on this board or not, but I'll give it a shot.
Please don't take it hard, please don't take it personally. I'll try to be as objective as possible.

First of all let me uncover a bit of info about myself. I have 7 years of "ground level" tech support experience. It means I'm dealing with people that have misbehaving PCs and Macs. All kinds of people, all kinds of computers. Mostly "common world problems" like drivers, component installation, malware removal and such, but I do not step back from more complicated things like virtualization or setting up networks. It's kind of a side project for me as it sadly does not generate plenty of money. But it's a hobby I really love, although people can sometimes be bleepes. This here is the only malware problem I had during the last 7 years on my working PC. I wrote that "I caused it", but the truth being my girlfriend did (didn't want to blame her, you shouldn't blame your girlfriends), because some unholy creature sent a message to her brain urging her to open "this email message from an unknown sender", "to open the attached archive" and to "open the file inside the archive". This is all one of the most stupid bleep I've seen people do. But hey, all's well that ends well. She learned her lesson, because the virus erased all her life's work and half of my files, before I stopped it.

That being said I understand there are different rules of "customer service" for each company. Which differ even more depending on whether you're representing just "you" or company "xyz" and if you are getting paid for doing this or if you're just playing pro bono. So if my judgement is too harsh bear with me, because I do not know the exact rules of this forum nor am I interested in getting to know them.

Let's make a list of things I liked and didn't like about your help. The fact that I list more "not likes" than "likes" does not mean in any way I found your assistance bad or unprofessional.

+ liked
1. Presence and quick response - this means that either I was lucky and you just didn't have a busy day or you are truly dedicated and cared about helping me. The speed with which you answered my posts was truly excellent. One of the bad things of tech support is waiting. When they tell you to wait... wait... wait... for no apparent reason and then fix your problem in 2 minutes. Waiting makes people furious, because they think you don't give a flying fungus about them. Which is not always true, but people don't care if they want their stuff fixed. Even if you've got nothing new to report write/say "I'm on it, right now I'm doing this/this/that/waiting for parts/having sex with my wife/whatever".

- not liked
1. Lack of presence in posts - the only thing I got from you was "Hey" and todo-lists.
The only thing I know about you is your nick and the paypal icon in your signature (let's pretend I'm just a regular guy and don't read fine print). I checked some posts by other guys from the Malware Response Team and some of them put plenty of "hi there" info into their first post. "Hey, my name is aaa, you can call me bbb and I'm here to help you. Please do this/that and don't do this/that. I'm on your case, so keep cool. We gonna sort it out." All your posts look like "hey" + copy-paste. For all I see you can as well be just a bot.

2. Not listening to what I'm writing and not answering my questions - really bad bleep, but all depends on the fact if you're getting money for this. If you do it's sometimes good to just milk someone with talking and doing bullbleep, especially if it's an bleep. Most of the time it's just annoying.
I wrote down pretty much everything apart from my PC hardware/software specs in my first post. About the infection, about my countermeasures and about my expectations from anyone who'll try to help me. You just kept pumping me with todo lists without even explaining what you need them for and without asking me more questions.
Heck! You answered my question about file decryption only after asking it to you again and all the time I was pretty sure that all the logs I post go towards finding a method to decrypt my files which was obviously wrong. We just scanned my PC plenty of times with different progs just to delete a few files/folders that were totally harmless and that I KNEW about. We also kicked out Thunderbird from autostart and turned on a non-working Internet Explorer.

3. Understand the customer and act based on his level, NOT yours - you have to adapt on the fly to your customer's level of expertise in the field. I know that plenty of people are just technological morons and using the junk bin as another folder is really not that uncommon but what if you're talking/writing to someone who wrote malware scripts for porn sites or someone who creates cracks or reverse engineers copy protection with VM methods? They know plenty of bleep and maybe even more than you, but this one thing they're asking about is new to them. Will you be advising the same things and asking the same questions to John Doe who doesn't know how to change file extensions and to someone whose MAC address is IFU.CKE.DYO.UR.MOM? I followed all the scanning you proposed, because I thought you need the logs for finding a decryption method. About cryptography I know only it exists, so I followed the advice of someone who knows. It turns out, we could have ended the conversation with just your last post.
I thought that after reading my first post anyone can guess I'm not a technological moron. Obviously I was wrong, because I got the "default car check" despite asking you to take a look at the gearbox.

4. Never state "it's the only way", when it's not - first of all people HATE when you tell them they "HAVE TO" do something without proper explanation. Don't know why but they just HATE it. You advised using windows notepad and internet explorer and posted links that don't work for everyone. Saying "you can only do this with this" is rubbish, because in the virtual world there are plenty of alternatives. What if I'm a regular John Doe and I don't know how to turn on my internet explorer or my windows notepad does not work, because the last Mr. Fixit disabled/deleted it? But I've got notepad++ or something else and use a different browser. I'm a regular John Doe, so I've got absolutely no bleepin' clue what to do, because I don't use notepad, just word and I just watch porn movies on xhamster. Internet explorer? Heard about it some years ago from someone that it was bad so told my nephew to delete it. See? This brings us back to point 3. If your customer knows the drill just point him the right way "ok, I now want you to scan your pc once again with eset online scanner". Unless you're a bot of course.

5. Copypaste - looks really bad for anyone other than Average Joe. Copypasted answers are good for big company faceless online help chats, not people who do it out of passion. Copypaste is good, but add a few words yourself. It makes people think you care.

Let me also comment about the advice you copypasted at the end of your last post. It looks like one of those silly security posts from microsoft representatives, not something I would expect on an unofficial help forum.

1. Exercise common sense
First part is good. The rest starting with "Using peer-to-peer" is pure big company bullbleep.

2. Keep up on Windows updates
Starting with "it is also important" it is pure bullbleep that I never recommend. Updating your Windows using Windows Update usually creates just problems, bloats the hard drive with unnecessary crap which in result slows down your PC. Security benefits of updating? Nil to none, unless your PC or its data is worth millions of dollars. Everything else is point 1. The only proper way of getting Windows updates is merging them with a Windows install image. No warez meant, you can do it with official Microsoft tools.

3. Slow computer?
Good, common sense.


That's all. Don't know how you do it, but when I do something I love I try to do it to the best of my abilities. Full power, maximum efficiency. I'm not angry at anyone, just me for feeling "too safe" and not creating backups for some time.
Hope the feedback I provided helps you. I'll write it again - DO NOT take it as a personal attack. This is just feedback. And good feedback is worth its weight in gold. ;) Wish you all the best, thanks again!

To any mod reading this, you can close the topic.



#10 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,961 posts
  • Gender:Male
  • Location:Germany

Posted 21 January 2015 - 11:08 AM

Hey,

    1. Presence and quick response - this means that either I was lucky and you just didn't have a busy day or you are truly dedicated and cared about helping me. The speed with which you answered my posts was truly excellent. One of the bad things of tech support is waiting. When they tell you to wait... wait... wait... for no apparent reason and then fix your problem in 2 minutes. Waiting makes people furious, because they think you don't give a flying fungus about them. Which is not always true, but people don't care if they want their stuff fixed. Even if you've got nothing new to report write/say "I'm on it, right now I'm doing this/this/that/waiting for parts/having sex with my wife/whatever".

Thanks. Normally I'm online every day so every day there should be an answer in the thread.

    1. Lack of presence in posts - the only thing I got from you was "Hey" and todo-lists.
    The only thing I know about you is your nick and the paypal icon in your signature (let's pretend I'm just a regular guy and don't read fine print). I checked some posts by other guys from the Malware Response Team and some of them put plenty of "hi there" info into their first post. "Hey, my name is aaa, you can call me bbb and I'm here to help you. Please do this/that and don't do this/that. I'm on your case, so keep cool. We gonna sort it out." All your posts look like "hey" + copy-paste. For all I see you can as well be just a bot.

You are right. I used this Welcome Speech some time ago:

Hello and Welcome to BleepingComputer <USER> ,

my name is Machiavelli and I will assist you with your problem. :exclame: The fixes are specific to your problem and should only be used for the issue on your machine! :exclame:
 
I'm in the 'Malware Staff Team' and will provide you with advice:
Removing Malware from a computer can be very complicated. Malware (malicious software) is able to hide and so I may not be able to find it so easily. In order to remove Malware from your computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do. Just ask me! Please stay in contact with me until the problem is fixed.
 
You must reply to posts within days. If you haven't replied within 4 days your topic will be closed. If you go away for some time please let me know. Communication is an important part here! If you are unsure about something - STOP - and ask me. No need to be afraid of asking - better to ask than to make a mistake. Mistakes can lead to an unbootable PC! I would recommend following the topic by clicking on the Follow this topic button - you will get notified when I have replied to your topic.
 

:exclame: Below are a few tips :exclame:
  • Removing Malware is usually very difficult.
    We need to search and analyse a lot of files. As this is done in our free time, please be patient especially if I don't answer every day!
  • Please follow these instructions
    If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!
  • Please stay in contact with me until your problem is resolved
    As Malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
  • Please don't run any other tools without consulting with me as this can complicate finding and removing all Malware
    Don't run any tools while I'm fixing your PC. That is counterproductive and again, will only complicate finding and removing all Malware!
  • Read my post completely
    If you don't do so, you may make mistakes that could result in your System crashing by your own actions!
  • My Help is completely free of charge!
    If you would like to donate some money to me, you can do so and I'd appreciate it. :)
My experience shows that users just want to get their PC fixed. But it is interesting to know that you want to see this. I will do so. For the bot you are "right" :P. The problem is that I have so many users to help in a short time that I can't write personal things with every user. So every procedure is the same and it is effective.

    but all depends on the fact if you're getting money for this.

I do not get money from this. My service is free of charge. Donating is a voluntary thing, no one has to donate to me.

If I have enough time for my users I can spend more time on them. That's the problem. I always try to answer all questions but sometimes I just overlook them or something like that. I'm sorry.

====

    Copypaste - looks really bad for anyone other than Average Joe. Copypasted answers are good for big company faceless online help chats, not people who do it out of passion. Copypaste is good, but add a few words yourself. It makes people think you care.

You are right on this. But many other helpers are copying and pasting ... FRST Fix is then of course not Copy & Paste.

===

Thanks for the feedback. Being honest, I'm happy about it.

Do you need help on the issues you currently have? :)

~Machiavelli



#11 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,961 posts
  • Gender:Male
  • Location:Germany

Posted 25 January 2015 - 06:22 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

~Machiavelli





