Remove CryptoWall 3.0 and Restore the Encrypted Files


  • This topic is locked
4 replies to this topic

#1 Erik_lubov

  • Members
  • 3 posts

Posted 13 February 2015 - 09:06 PM

Hello,

Please help me!

Remove CryptoWall 3.0 and Restore the Encrypted Files

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-02-2015
Ran by @ (administrator) on LAM-6D5C6D901A3 on 13-02-2015 18:07:41
Running from E:\
Loaded Profiles: @ (Available profiles: @)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Enigma Software Group USA, LLC.) C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(ABBYY (BIT Software)) C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(charismathics GmbH) C:\WINDOWS\system32\cmEvtSrv.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(www.shadowexplorer.com) C:\Program Files\ShadowExplorer\sesvc.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Cmaudio] => RunDll32 cmicnfg.cpl,CMICtrlWnd
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
HKLM\...\Run: [SpyHunter Security Suite] => C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [6434176 2015-02-12] (Enigma Software Group USA, LLC.)
HKLM\...\Winlogon: [Taskman] C:\WINDOWS\system32\taskmgr.exe [135680 2008-04-14] (Microsoft Corporation) <=== ATTENTION
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5496600 2015-01-20] (Piriform Ltd)
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\...\MountPoints2: {724b0929-7b9b-11e4-b02e-001966663c2a} - F:\torqua\bastaja.exe
Startup: C:\Documents and Settings\@\Start Menu\Programs\Startup\Microinvest Internet Мениджър.lnk
ShortcutTarget: Microinvest Internet Мениджър.lnk -> C:\MICRO\IMANAGER.EXE (No File)
Startup: C:\Documents and Settings\@\Start Menu\Programs\Startup\Microinvest Архиватор.lnk
ShortcutTarget: Microinvest Архиватор.lnk -> C:\MICRO\ARCHI.EXE (No File)
Startup: C:\Documents and Settings\@\Start Menu\Programs\Startup\Microinvest Мениджър.lnk
ShortcutTarget: Microinvest Мениджър.lnk -> C:\MICRO\MST_UTIL.EXE (No File)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dir.bg/
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.abv.bg/
http://www.google.bg/
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
DPF: {97EA2A5E-A821-48A1-B0F9-DEDB5E0E62A2} https://inetdec.nra.bg/cabs/SignCOM.cab
DPF: {F4FD133B-5AB6-441F-BBFE-966AFF032D10} https://inetdec.nra.bg/dds/InetVAT5Frm.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\@\Application Data\Mozilla\Firefox\Profiles\5yjmicn8.default
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1292428093-1532298954-1417001333-1003: anvisoft.com/AdblockPlugin -> C:\Documents and Settings\All Users\Application Data\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll No File
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-02-13]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]

Chrome:
=======
CHR StartupUrls: Default -> "https://www.google.bg/"
CHR Profile: C:\Documents and Settings\@\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Документи) - C:\Documents and Settings\@\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-18]
CHR Extension: (Allin1Convert) - C:\Documents and Settings\@\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kmabjcmofdemkaaekcmpocognlfonepb [2015-02-10]
CHR Extension: (Google Wallet) - C:\Documents and Settings\@\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-18]
CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Professional.9.0; C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [660768 2007-12-06] (ABBYY (BIT Software))
R2 cmevtsrv; C:\WINDOWS\system32\cmEvtSrv.exe [74784 2011-11-09] (charismathics GmbH)
R2 sesvc; C:\Program Files\ShadowExplorer\sesvc.exe [9216 2011-01-02] (www.shadowexplorer.com) [File not signed]
R2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [770432 2014-01-09] (Enigma Software Group USA, LLC.)
S2 Cache_c-_cachesys; c:\cachesys\bin\cservice.exe [X]
S3 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe" [X]
S4 TeamViewer7; C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 A38CCID; C:\WINDOWS\System32\DRIVERS\a38ccid.sys [38016 2009-12-15] (Advanced Card Systems Ltd.)
R3 cmuda; C:\WINDOWS\System32\drivers\cmuda.sys [1332544 2005-05-12] (C-Media Inc)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [12288 2014-01-07] ()
S3 EsgScanner; C:\WINDOWS\System32\DRIVERS\EsgScanner.sys [19984 2012-06-22] ()
R3 euccihr; C:\WINDOWS\System32\Drivers\euccihr-x86.sys [43776 2006-06-07] (Eutron)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-14] (Realtek Semiconductor Corporation)
S2 DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys [X]
S0 PxHelp20; System32\Drivers\PxHelp20.sys [X]
S2 SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys [X]
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-13 18:07 - 2015-02-13 18:07 - 00000000 ____D () C:\FRST
2015-02-13 16:19 - 2015-02-13 16:19 - 00000000 ____D () C:\Documents and Settings\@\Application Data\www.shadowexplorer.com
2015-02-13 16:10 - 2015-02-13 16:23 - 00001084 _____ () C:\WINDOWS\spupdsvc.log
2015-02-13 16:10 - 2015-02-13 16:10 - 00000000 ____D () C:\f04f7106c68d4f3767
2015-02-13 16:10 - 2008-07-06 14:06 - 01676288 ____N (Microsoft Corporation) C:\WINDOWS\system32\xpssvcs.dll
2015-02-13 16:10 - 2008-07-06 14:06 - 01676288 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpssvcs.dll
2015-02-13 16:10 - 2008-07-06 14:06 - 00575488 ____N (Microsoft Corporation) C:\WINDOWS\system32\xpsshhdr.dll
2015-02-13 16:10 - 2008-07-06 14:06 - 00575488 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2015-02-13 16:10 - 2008-07-06 14:06 - 00117760 ____N (Microsoft Corporation) C:\WINDOWS\system32\prntvpt.dll
2015-02-13 16:10 - 2008-07-06 14:06 - 00089088 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2015-02-13 16:10 - 2008-07-06 12:50 - 00597504 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2015-02-13 16:04 - 2015-02-13 16:06 - 00000000 ____D () C:\535f3ec2cbb7d4572b5f8421
2015-02-13 15:53 - 2015-02-13 16:15 - 00000000 ____D () C:\c55ca626f127caa8cb66d7b340d2
2015-02-13 14:07 - 2015-02-13 14:07 - 00035064 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-02-13 14:07 - 2015-02-13 14:07 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
2015-02-13 13:39 - 2015-02-13 13:39 - 00000000 ____D () C:\a79b304652ae5696b62062d366252e85
2015-02-13 13:37 - 2015-02-13 13:37 - 17549488 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2015-02-13 13:03 - 2015-02-13 16:25 - 00001560 _____ () C:\Documents and Settings\@\Desktop\ShadowExplorer.lnk
2015-02-13 13:03 - 2015-02-13 16:25 - 00000000 ____D () C:\Program Files\ShadowExplorer
2015-02-13 13:03 - 2015-02-13 16:25 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\ShadowExplorer
2015-02-13 12:54 - 2015-02-13 12:54 - 00000000 __RHD () C:\AHCache
2015-02-12 18:56 - 2015-02-12 18:56 - 00001965 _____ () C:\Documents and Settings\@\Desktop\SpyHunter.lnk
2015-02-12 18:56 - 2015-02-12 18:56 - 00000000 ____D () C:\WINDOWS\AF54923662584AC6A0435B5B89C6EB61.TMP
2015-02-12 18:56 - 2015-02-12 18:56 - 00000000 ____D () C:\sh4ldr
2015-02-12 18:56 - 2015-02-12 18:56 - 00000000 ____D () C:\Documents and Settings\@\Start Menu\Programs\SpyHunter
2015-02-12 08:20 - 2015-02-13 16:10 - 00015227 _____ () C:\WINDOWS\setupapi.log
2015-02-11 13:47 - 2015-02-11 13:47 - 00000000 ____D () C:\Documents and Settings\@\Local Settings\Application Data\ESET
2015-02-11 13:34 - 2015-02-11 13:34 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
2015-02-11 08:13 - 2015-02-12 08:22 - 00000000 ____D () C:\Program Files\ESET
2015-02-10 13:31 - 2010-05-13 18:34 - 00014232 _____ () C:\WINDOWS\system32\sh4native.exe
2015-02-10 13:29 - 2015-02-10 13:29 - 00000000 ____D () C:\Program Files\Enigma Software Group
2015-02-10 13:28 - 2015-02-12 18:56 - 00000000 ____D () C:\Program Files\Common Files\Wise Installation Wizard
2015-02-10 13:28 - 2015-02-12 08:44 - 00000000 ____D () C:\WINDOWS\4941BFEB62C047A2801E998FC469CC2C.TMP
2015-02-10 13:19 - 2015-02-13 18:06 - 00037486 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-10 11:40 - 2015-02-10 11:40 - 00008846 _____ () C:\Documents and Settings\@\Desktop\cc_20150210_114012.reg
2015-02-10 11:37 - 2015-02-10 11:38 - 00067050 _____ () C:\Documents and Settings\@\Desktop\cc_20150210_113701.reg
2015-02-10 11:32 - 2015-02-10 11:33 - 00000000 ____D () C:\Program Files\CCleaner
2015-02-10 11:32 - 2015-02-10 11:33 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
2015-02-10 11:32 - 2015-02-10 11:32 - 00000682 _____ () C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2015-02-10 11:19 - 2015-02-10 11:19 - 00000000 ____D () C:\Program Files\Common Files\Bitdefender
2015-02-09 15:44 - 2015-02-09 15:54 - 00000000 ____D () C:\AdwCleaner
2015-02-09 14:34 - 2015-02-10 16:38 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Anvisoft
2015-02-09 14:33 - 2015-02-10 08:24 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\boost_interprocess
2015-02-09 14:33 - 2015-02-09 14:33 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Anvisoft
2015-02-09 14:32 - 2015-02-10 16:39 - 00000000 ____D () C:\Program Files\Anvisoft
2015-02-09 14:02 - 2015-02-09 14:02 - 03932214 _____ () C:\Documents and Settings\@\My Documents\Decrypt-All-Files-zgsmcwm.bmp
2015-02-09 13:56 - 2001-08-17 13:48 - 00012160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mouhid.sys
2015-02-09 13:56 - 2001-08-17 13:48 - 00012160 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mouhid.sys
2015-01-30 10:24 - 2015-01-30 10:24 - 00001376 _____ () C:\Documents and Settings\@\Desktop\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 10:24 - 2015-01-30 10:24 - 00000272 _____ () C:\Documents and Settings\@\Desktop\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\LocalService\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00001376 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\LocalService\Application Data\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2015-01-30 09:42 - 2015-01-30 09:42 - 00000272 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Local Settings\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Local Settings\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\@\My Documents\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00001376 _____ () C:\Documents and Settings\@\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Local Settings\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Application Data\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\@\My Documents\HELP_DECRYPT.URL
2015-01-30 09:41 - 2015-01-30 09:41 - 00000272 _____ () C:\Documents and Settings\@\HELP_DECRYPT.URL
2015-01-30 09:04 - 2015-02-09 14:02 - 02318874 _____ () C:\Documents and Settings\All Users\Application Data\cyklvgc.html
2015-01-30 09:01 - 2015-01-30 09:09 - 00000000 ____D () C:\Documents and Settings\@\Application Data\Local Store
2015-01-30 08:56 - 2015-01-30 08:56 - 00001376 _____ () C:\Documents and Settings\@\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 08:56 - 2015-01-30 08:56 - 00000272 _____ () C:\Documents and Settings\@\Application Data\HELP_DECRYPT.URL
2015-01-29 11:36 - 2012-02-23 14:25 - 00021336 _____ (IObit) C:\WINDOWS\system32\RegistryDefragBootTime.exe
2015-01-29 10:08 - 2015-01-29 10:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\IObit
2015-01-29 10:01 - 2015-02-11 17:50 - 00000000 ____D () C:\Documents and Settings\@\Application Data\IObit
2015-01-29 10:01 - 2015-01-29 10:01 - 00000000 ____D () C:\Program Files\IObit
2015-01-29 09:57 - 2015-01-29 09:57 - 00411552 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\fcffipwd.sys
2015-01-29 09:48 - 2015-01-29 09:48 - 00000000 ___RD () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Start Menu\Programs\Accessories
2015-01-29 09:48 - 2015-01-29 09:48 - 00000000 ____D () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Local Settings\Temp
2015-01-29 09:32 - 2015-01-29 09:32 - 00000000 __SHD () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\IETldCache
2015-01-29 09:28 - 2015-02-12 19:06 - 00001599 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Start Menu\Programs\Remote Assistance.lnk
2015-01-29 09:28 - 2015-02-11 17:51 - 00000000 ____D () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3
2015-01-29 09:28 - 2015-02-10 08:22 - 00000178 ___SH () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\ntuser.ini
2015-01-29 09:28 - 2014-09-18 09:33 - 00000792 _____ () C:\Documents and Settings\Administrator.LAM-6D5C6D901A3\Start Menu\Programs\Windows Media Player.lnk
2015-01-28 12:41 - 2015-01-28 12:41 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-01-28 12:10 - 2015-02-12 19:06 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2015-01-28 12:10 - 2015-02-11 17:51 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-01-28 12:10 - 2015-01-28 12:10 - 00000020 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-01-28 12:10 - 2014-09-18 12:21 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-01-28 12:10 - 2014-09-18 09:33 - 00000792 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2015-01-28 12:10 - 2014-09-18 09:33 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2015-01-28 09:19 - 2015-02-11 17:59 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{0B5BF68B-36EA-4BBC-9A55-D7DF51DCC35D}
2015-01-28 09:12 - 2015-01-28 09:12 - 00000000 ____D () C:\Documents and Settings\@\Desktop\Data
2015-01-27 09:48 - 2015-01-27 11:09 - 00725456 _____ () C:\Documents and Settings\@\Desktop\PRILOGENIE_1&2 2013.XLS.zgsmcwm
2015-01-26 16:15 - 2015-01-26 16:22 - 00107392 _____ () C:\Documents and Settings\@\Desktop\slujebna_belejka_chlen_45_al1_2_t4_ZDDFL (2)-Гунчев.DOC.zgsmcwm
2015-01-26 16:15 - 2015-01-26 16:15 - 00106368 _____ () C:\Documents and Settings\@\Desktop\slujebna_belejka_chlen_45_al1_2_t4_ZDDFL (2)-Минка.DOC.zgsmcwm
2015-01-26 13:21 - 2015-02-11 17:50 - 00000000 ____D () C:\Documents and Settings\@\Application Data\Mozilla
2015-01-26 13:21 - 2015-01-30 08:52 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Mozilla
2015-01-26 13:21 - 2015-01-26 13:21 - 00000000 ____D () C:\Documents and Settings\@\Local Settings\Application Data\Mozilla
2015-01-26 10:51 - 2015-01-26 10:51 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-21 16:26 - 2015-01-26 09:12 - 00955376 _____ () C:\Documents and Settings\@\Desktop\SIS_2015_v1f-ЗЗД.XLS.zgsmcwm
2015-01-21 16:26 - 2015-01-21 16:26 - 00953328 _____ () C:\Documents and Settings\@\Desktop\SIS_2015_v1f-Инсайт.XLS.zgsmcwm
2015-01-20 11:04 - 2015-01-20 11:04 - 00000490 _____ () C:\Documents and Settings\@\Desktop\Microinvest Делта.lnk
2015-01-20 11:01 - 2015-01-20 11:01 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Microinvest
2015-01-20 11:01 - 2014-10-28 17:22 - 00000087 _____ () C:\WINDOWS\M_REMOVE.INI
2015-01-20 11:01 - 2014-10-28 17:20 - 00646240 _____ () C:\WINDOWS\M_REMOVE.EXE
2015-01-20 11:00 - 2015-02-11 17:51 - 00000000 ____D () C:\MICRO
2015-01-19 09:17 - 2015-01-14 15:39 - 00033648 _____ () C:\Documents and Settings\@\Desktop\Копие от ПИСМО 1-Подкрепа-Желева-14.01.2015.DOC.zgsmcwm
2015-01-16 15:48 - 2015-01-16 15:48 - 00166288 _____ () C:\Documents and Settings\@\Desktop\SIS_2015_v1f.ZIP.zgsmcwm
2015-01-14 11:58 - 2015-01-14 11:58 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-01-14 11:58 - 2015-01-14 11:58 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-13 18:07 - 2014-09-18 09:38 - 00000000 ____D () C:\Documents and Settings\@\Local Settings\Temp
2015-02-13 18:04 - 2014-09-18 12:24 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-02-13 18:04 - 2014-09-18 12:24 - 00000052 _____ () C:\WINDOWS\wiaservc.log
2015-02-13 18:04 - 2014-09-18 09:42 - 00000982 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-13 18:04 - 2014-09-18 09:37 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-13 16:27 - 2014-09-18 09:38 - 00000178 ___SH () C:\Documents and Settings\@\ntuser.ini
2015-02-13 16:27 - 2014-09-18 09:37 - 00032610 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-13 16:21 - 2014-09-18 12:20 - 00194568 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-02-13 16:19 - 2014-09-25 13:43 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2015-02-13 16:19 - 2014-09-18 12:59 - 00045520 _____ () C:\Documents and Settings\@\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-02-13 16:11 - 2014-09-25 15:41 - 00000000 ____D () C:\WINDOWS\system32\XPSViewer
2015-02-13 16:11 - 2014-09-18 12:22 - 00866194 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-02-13 16:10 - 2014-09-18 12:14 - 00000000 ____D () C:\WINDOWS\system32\spool
2015-02-13 15:58 - 2014-09-18 09:42 - 00000986 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-13 15:37 - 2014-09-18 14:40 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-13 15:33 - 2014-09-18 12:14 - 00000000 ____D () C:\WINDOWS\Help
2015-02-13 13:37 - 2014-09-18 14:40 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-02-13 13:37 - 2014-09-18 14:40 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-02-12 20:42 - 2014-09-18 12:19 - 00000245 ___SH () C:\boot.ini
2015-02-12 19:06 - 2014-09-18 09:38 - 00001599 _____ () C:\Documents and Settings\@\Start Menu\Programs\Remote Assistance.lnk
2015-02-12 19:06 - 2014-09-18 09:33 - 00001607 _____ () C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
2015-02-12 19:06 - 2014-09-18 09:33 - 00001599 _____ () C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk
2015-02-12 19:06 - 2014-09-18 09:33 - 00001507 _____ () C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk
2015-02-12 08:50 - 2008-04-14 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-12 08:46 - 2015-01-10 13:40 - 18612224 _____ () C:\WINDOWS\system32\config\software.regresbak2
2015-02-12 08:46 - 2015-01-10 13:40 - 04194304 _____ () C:\WINDOWS\system32\config\system.regresbak2
2015-02-12 08:46 - 2015-01-10 13:40 - 00262144 _____ () C:\WINDOWS\system32\config\default.regresbak2
2015-02-12 08:46 - 2015-01-10 13:40 - 00040960 _____ () C:\WINDOWS\system32\config\security.regresbak2
2015-02-12 08:46 - 2015-01-10 13:40 - 00024576 _____ () C:\WINDOWS\system32\config\sam.regresbak2
2015-02-12 08:44 - 2014-10-09 08:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVAST Software
2015-02-12 08:43 - 2014-09-18 13:03 - 00000000 ____D () C:\Documents and Settings\@\Application Data\uTorrent
2015-02-12 08:43 - 2014-09-18 09:38 - 00000000 ____D () C:\Documents and Settings\@
2015-02-11 18:35 - 2014-09-18 13:33 - 00000000 ____D () C:\WINDOWS\pss
2015-02-11 18:35 - 2008-04-14 14:00 - 00001003 _____ () C:\WINDOWS\win.ini
2015-02-11 18:35 - 2008-04-14 14:00 - 00000227 _____ () C:\WINDOWS\system.ini
2015-02-11 17:51 - 2014-11-10 09:26 - 00000000 ____D () C:\Documents and Settings\LocalService\Application Data\McAfee
2015-02-11 17:51 - 2014-10-14 15:33 - 00000000 ____D () C:\Documents and Settings\@\Local Settings\Application Data\Innovative Solutions
2015-02-11 17:51 - 2014-09-26 08:04 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\NewSoft
2015-02-11 17:51 - 2014-09-25 15:43 - 00000000 ____D () C:\Documents and Settings\@\My Documents\My PageManager
2015-02-11 17:51 - 2014-09-25 15:43 - 00000000 ____D () C:\Documents and Settings\@\Local Settings\Application Data\NewSoft
2015-02-11 17:51 - 2014-09-25 10:23 - 00000000 ____D () C:\Documents and Settings\@\My Documents\Canon
2015-02-11 17:51 - 2014-09-18 13:27 - 00000000 ____D () C:\Documents and Settings\@\Local Settings\Application Data\ABBYY
2015-02-11 17:51 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\СИМО ВАСИЛЕВ
2015-02-11 17:51 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\ПРОЕКТ-СИМО
2015-02-11 17:51 - 2014-09-18 13:21 - 00000000 ____D () C:\FR90PE_VOL
2015-02-11 17:51 - 2014-09-18 13:21 - 00000000 ____D () C:\Documents and Settings\@\My Documents\КРАСИ
2015-02-11 17:51 - 2014-09-18 13:19 - 00000000 ____D () C:\Documents and Settings\@\My Documents\ЕЛАВЕ
2015-02-11 17:51 - 2014-09-18 13:18 - 00000000 ___RD () C:\Documents and Settings\@\My Documents\SURZK
2015-02-11 17:51 - 2014-09-18 13:18 - 00000000 ____D () C:\Documents and Settings\@\My Documents\БИСТРА
2015-02-11 17:51 - 2014-09-18 13:18 - 00000000 ____D () C:\Documents and Settings\@\My Documents\А-Я ПО ВПИСВАНИЯ
2015-02-11 17:51 - 2014-09-18 13:17 - 00000000 ____D () C:\Documents and Settings\@\My Documents\minka
2015-02-11 17:51 - 2014-09-18 13:17 - 00000000 ____D () C:\Documents and Settings\@\My Documents\Formuliari za kandidatstbane
2015-02-11 17:51 - 2014-09-18 13:14 - 00000000 ____D () C:\Documents and Settings\@\My Documents\DZSR RUDOZEM
2015-02-11 17:51 - 2014-09-18 13:11 - 00000000 ____D () C:\Documents and Settings\@\My Documents\DNEV10
2015-02-11 17:51 - 2014-09-18 13:11 - 00000000 ____D () C:\Documents and Settings\@\My Documents\DNEV07
2015-02-11 17:51 - 2014-09-18 13:11 - 00000000 ____D () C:\Documents and Settings\@\My Documents\Blanki
2015-02-11 17:51 - 2014-09-18 12:52 - 00000000 ____D () C:\Documents and Settings\@\Local Settings\Application Data\Skype
2015-02-11 17:51 - 2014-09-18 10:22 - 00000000 ____D () C:\Documents and Settings\@\Desktop\Подкрепа за заетост29
2015-02-11 17:51 - 2014-09-18 09:42 - 00000000 ____D () C:\Documents and Settings\@\Local Settings\Application Data\Google
2015-02-11 17:51 - 2014-09-18 09:37 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-02-11 17:50 - 2015-01-13 15:01 - 00000000 ____D () C:\Documents and Settings\@\Desktop\ДД-Желева
2015-02-11 17:50 - 2014-12-09 13:32 - 00000000 ____D () C:\Documents and Settings\@\Desktop\ЗЗД-Желева
2015-02-11 17:50 - 2014-11-19 13:30 - 00000000 ____D () C:\Documents and Settings\@\Desktop\ДЗСР
2015-02-11 17:50 - 2014-11-11 11:00 - 00000000 ____D () C:\Documents and Settings\@\Desktop\Желева-Подкрепа14
2015-02-11 17:50 - 2014-10-14 08:26 - 00000000 ____D () C:\Documents and Settings\@\Application Data\DriverFinder
2015-02-11 17:50 - 2014-09-18 12:52 - 00000000 ____D () C:\Documents and Settings\@\Application Data\Skype
2015-02-11 17:50 - 2014-09-18 10:36 - 00000000 ____D () C:\Documents and Settings\@\Application Data\Adobe
2015-02-11 17:50 - 2014-09-18 10:23 - 00000000 ____D () C:\Documents and Settings\@\Desktop\Минка-1.1-2013
2015-02-11 17:50 - 2014-09-18 10:22 - 00000000 ____D () C:\Documents and Settings\@\Desktop\МИНКА
2015-02-11 17:50 - 2014-09-18 10:22 - 00000000 ____D () C:\Documents and Settings\@\Desktop\Ал. Гунчев
2015-02-11 17:50 - 2014-09-18 10:22 - 00000000 ____D () C:\Documents and Settings\@\Desktop\LCHome
2015-02-11 17:50 - 2014-09-18 10:12 - 00000000 ____D () C:\Documents and Settings\@\Application Data\TeamViewer
2015-02-11 17:50 - 2014-09-18 09:49 - 00000000 ____D () C:\Documents and Settings\@\Application Data\XnView
2015-02-11 11:58 - 2014-09-18 10:07 - 00000000 ___HD () C:\CanonMF
2015-02-11 11:53 - 2014-09-18 10:41 - 00000000 ____D () C:\CacheSys
2015-02-10 16:31 - 2014-09-18 10:28 - 00000000 ____D () C:\Program Files\Winamp
2015-02-10 16:28 - 2014-09-18 09:43 - 00000000 ____D () C:\Program Files\The KMPlayer
2015-02-10 14:13 - 2014-09-26 12:31 - 00001811 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-02-10 11:39 - 2014-09-19 10:15 - 00000000 ____D () C:\Program Files\SetWeb
2015-02-10 09:25 - 2014-09-25 15:40 - 00000000 ___DC () C:\WINDOWS\$NtUninstallXpsEPSC$
2015-02-10 08:29 - 2014-09-18 12:20 - 00040960 _____ () C:\WINDOWS\system32\config\security.regresbak1
2015-02-10 08:29 - 2014-09-18 12:20 - 00024576 _____ () C:\WINDOWS\system32\config\sam.regresbak1
2015-02-10 08:29 - 2014-09-18 12:19 - 19660800 _____ () C:\WINDOWS\system32\config\software.regresbak1
2015-02-10 08:29 - 2014-09-18 12:19 - 04456448 _____ () C:\WINDOWS\system32\config\system.regresbak1
2015-02-10 08:29 - 2014-09-18 12:19 - 00262144 _____ () C:\WINDOWS\system32\config\default.regresbak1
2015-02-09 15:40 - 2014-10-02 09:38 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Presto! PageManager 7.15
2015-02-09 15:40 - 2014-09-18 09:42 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
2015-02-09 15:40 - 2014-09-18 09:42 - 00000000 ____D () C:\Documents and Settings\@\Start Menu\Programs\WinRAR
2015-02-09 14:03 - 2014-09-18 09:37 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2015-01-30 09:42 - 2014-11-11 16:19 - 00000000 ____D () C:\Export
2015-01-30 09:37 - 2014-09-18 13:20 - 00000000 ____D () C:\Documents and Settings\@\My Documents\КГ ИНОКС
2015-01-30 09:33 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\НОВИ ДЕКЛАРАЦИИ ЗА БОЛН.09
2015-01-30 09:30 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\УНИВЕРСАЛ
2015-01-30 09:28 - 2014-09-18 13:18 - 00000000 ____D () C:\Documents and Settings\@\My Documents\Дневници ДЗСР-ДДС
2015-01-30 09:26 - 2014-09-18 13:25 - 00000000 ___RD () C:\Documents and Settings\@\My Documents\Отчетни форми
2015-01-30 09:24 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\ОСПОЗ2009- INOKS
2015-01-30 09:23 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\ОСПОЗ-ЧИ
2015-01-30 09:23 - 2014-09-18 13:18 - 00000000 ___RD () C:\Documents and Settings\@\My Documents\RO2005-3
2015-01-30 09:22 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\ОСПОЗ 2009
2015-01-30 09:19 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\НП ОСПОЗ06-07-08
2015-01-30 09:18 - 2014-09-18 13:25 - 00000000 ____D () C:\Documents and Settings\@\My Documents\ТЕСТ БЪЛГ
2015-01-30 09:18 - 2014-09-18 13:17 - 00000000 ___RD () C:\Documents and Settings\@\My Documents\Proekt Obl
2015-01-30 09:06 - 2014-09-18 10:16 - 00000041 _____ () C:\WINDOWS\crw.ini
2015-01-30 09:01 - 2014-09-18 13:18 - 00000000 ____D () C:\Documents and Settings\@\My Documents\SliQInvoicing
2015-01-30 08:59 - 2014-09-18 09:49 - 00000000 ____D () C:\Program Files\XnView
2015-01-30 08:59 - 2014-09-18 09:42 - 00000000 ____D () C:\Program Files\WinRAR
2015-01-30 08:58 - 2014-09-18 13:27 - 00000000 ____D () C:\Program Files\ABBYY FineReader 9.0
2015-01-30 08:58 - 2014-09-18 12:52 - 00000000 ___RD () C:\Program Files\Skype
2015-01-30 08:58 - 2014-09-18 09:30 - 00000000 ____D () C:\Program Files\Outlook Express
2015-01-29 11:36 - 2014-09-18 13:17 - 00000000 ____D () C:\Documents and Settings\@\My Documents\NOI
2015-01-28 15:58 - 2014-09-18 10:09 - 00002425 _____ () C:\Documents and Settings\All Users\Desktop\Декларации Обр.1 и 6.lnk
2015-01-28 14:37 - 2014-09-18 10:10 - 00002439 _____ () C:\Documents and Settings\All Users\Desktop\Дневници ЗДДС.lnk
2015-01-26 10:50 - 2014-10-30 13:14 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2015-01-26 10:50 - 2014-10-30 13:14 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2015-01-26 10:50 - 2014-10-30 13:13 - 00000000 ____D () C:\Program Files\Java
2015-01-26 09:26 - 2014-10-02 09:39 - 00000000 ____D () C:\Documents and Settings\@\Application Data\.oit
2015-01-14 10:55 - 2014-09-18 12:52 - 00002265 _____ () C:\Documents and Settings\All Users\Desktop\Skype.lnk

==================== Files in the root of some directories =======

2014-10-14 14:01 - 2013-03-12 10:27 - 0000051 _____ () C:\Program Files\ATRList.ini
2014-10-14 14:01 - 2003-03-24 22:03 - 0057856 _____ (Microsoft Corporation) C:\Program Files\certmgr.Exe
2014-10-14 14:01 - 2012-06-01 13:50 - 17010176 _____ () C:\Program Files\Charismathics SSI 5.0.1 User Edition_32.msi
2014-10-14 14:01 - 2012-06-01 13:53 - 25616896 _____ () C:\Program Files\Charismathics SSI 5.0.1 User Edition_64.msi
2014-09-26 12:30 - 2014-09-26 12:30 - 0895120 _____ (Google Inc.) C:\Program Files\ChromeSetup.exe
2014-10-14 14:01 - 2013-09-30 14:47 - 0001248 _____ () C:\Program Files\OperCA3cert_DER.CER.zgsmcwm
2014-10-14 14:01 - 2013-09-30 14:47 - 0001216 _____ () C:\Program Files\OperCA4cert.CER.zgsmcwm
2014-10-14 14:01 - 2013-09-30 14:46 - 0001744 _____ () C:\Program Files\OperCA5AES_DER.CER.zgsmcwm
2014-10-14 14:01 - 2013-09-30 14:47 - 0001776 _____ () C:\Program Files\OperCA5QESLTT_DER.CER.zgsmcwm
2014-10-14 14:01 - 2013-09-30 14:46 - 0001776 _____ () C:\Program Files\OperCA5QES_DER.CER.zgsmcwm
2014-10-14 14:01 - 2013-09-30 14:48 - 0001056 _____ () C:\Program Files\RootCA3cert_DER.CER.zgsmcwm
2014-10-14 14:01 - 2013-09-30 14:48 - 0001056 _____ () C:\Program Files\RootCA4cert.CER.zgsmcwm
2014-10-14 14:01 - 2013-09-30 14:45 - 0001568 _____ () C:\Program Files\RootCA5_DER.CER.zgsmcwm
2014-10-14 14:01 - 2013-09-30 16:17 - 0001231 _____ () C:\Program Files\StampIT_Install.bat
2014-10-14 14:01 - 2014-09-19 10:24 - 37745379 _____ () C:\Program Files\StampIT_Install_v3.1.0.exe
2014-10-14 14:01 - 2010-11-17 14:00 - 0001776 _____ () C:\Program Files\StampIT_Primary_Root_CA_base64.CER.zgsmcwm
2014-10-14 14:01 - 2010-11-17 14:01 - 0001632 _____ () C:\Program Files\StampIT_Qualified_CA_base64.CER.zgsmcwm
2014-10-14 14:01 - 2008-06-19 14:35 - 0332800 _____ () C:\Program Files\wget.exe
2015-01-30 08:56 - 2015-01-30 08:56 - 0045479 _____ () C:\Documents and Settings\@\Application Data\HELP_DECRYPT.PNG
2015-01-30 08:56 - 2015-01-30 08:56 - 0001376 _____ () C:\Documents and Settings\@\Application Data\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 08:56 - 2015-01-30 08:56 - 0000272 _____ () C:\Documents and Settings\@\Application Data\HELP_DECRYPT.URL
2014-10-10 14:51 - 2014-10-10 14:51 - 0004608 _____ () C:\Documents and Settings\@\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-30 09:42 - 2015-01-30 09:42 - 0045479 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-01-30 09:42 - 2015-01-30 09:42 - 0001376 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT.zgsmcwm
2015-01-30 09:42 - 2015-01-30 09:42 - 0000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Documents and Settings\@\Local Settings\Temp\dllnt_dump.dll
C:\Documents and Settings\@\Local Settings\Temp\DotNetFx20Client_Package_x86.exe
C:\Documents and Settings\@\Local Settings\Temp\DotNetFx30Client_Package_x86.exe
C:\Documents and Settings\@\Local Settings\Temp\DotNetFx35Client_Package_x86.exe
C:\Documents and Settings\@\Local Settings\Temp\tmp69.tmp.exe
C:\Documents and Settings\@\Local Settings\Temp\tmp70.tmp.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

Thanks :)

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:01 PM

Posted 17 February 2015 - 10:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is the infection - CryptoWall and HELP_DECRYPT Ransomware Information Guide
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Other than paying the ransom, if it's not too late, there is nothing we can do to restore your files.
I know one thing: I would not trust them, your call.

If you want us to clean what has been left over from the infections please execute the following.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

ShortcutTarget: Microinvest Internet ????????.lnk -> C:\MICRO\IMANAGER.EXE (No File)
ShortcutTarget: Microinvest ?????????.lnk -> C:\MICRO\ARCHI.EXE (No File)
ShortcutTarget: Microinvest ????????.lnk -> C:\MICRO\MST_UTIL.EXE (No File)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll No File
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
FF Plugin HKU\S-1-5-21-1292428093-1532298954-1417001333-1003: anvisoft.com/AdblockPlugin -> C:\Documents and Settings\All Users\Application Data\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll No File
FF Extension: No Name - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR Extension: (Allin1Convert) - C:\Documents and Settings\@\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kmabjcmofdemkaaekcmpocognlfonepb [2015-02-10]
CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
S2 Cache_c-_cachesys; c:\cachesys\bin\cservice.exe [X]
S3 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe" [X]
S4 TeamViewer7; C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe [X]
S2 DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys [X]
S0 PxHelp20; System32\Drivers\PxHelp20.sys [X]
S2 SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys [X]
U1 WS2IFSL; No ImagePath
C:\Documents and Settings\@\Local Settings\Temp\dllnt_dump.dll
C:\Documents and Settings\@\Local Settings\Temp\DotNetFx20Client_Package_x86.exe
C:\Documents and Settings\@\Local Settings\Temp\DotNetFx30Client_Package_x86.exe
C:\Documents and Settings\@\Local Settings\Temp\DotNetFx35Client_Package_x86.exe
C:\Documents and Settings\@\Local Settings\Temp\tmp69.tmp.exe
C:\Documents and Settings\@\Local Settings\Temp\tmp70.tmp.exe
C:\Documents and Settings\@\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kmabjcmofdemkaaekcmpocognlfonepb
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\Software\Classes\.exe: exefile =>  <===== ATTENTION!
HKU\S-1-5-21-1292428093-1532298954-1417001333-1003\Software\Classes\exefile:  <===== ATTENTION!

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
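The identification above rests on two artifacts visible in the FRST listing: the HELP_DECRYPT.PNG/TXT/URL notes that CryptoWall 3.0 drops, and the same random suffix (.zgsmcwm in this log) appended to otherwise unrelated files. As an added example that is not part of the thread and not FRST's own code, the following Python script parses FRST file lines and flags both patterns; the sample lines are constructed to mirror the log above, and the KNOWN_EXT set and MIN_GROUP threshold are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One FRST file line: "<modified> - <created> - <size> <attrs> (<company>) <path>"
FRST_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>.*?)\) (?P<path>[A-Za-z]:\\.*)$"
)
RANSOM_NOTE_PREFIX = "HELP_DECRYPT."  # note names CryptoWall 3.0 drops in each folder it touches
# Assumed set of legitimate original extensions; an unknown tail after one of
# these (".CER.zgsmcwm") is treated as a suffix the malware appended.
KNOWN_EXT = {"cer", "txt", "ini", "exe", "bat", "msi", "dll", "png",
             "url", "zip", "doc", "xls", "pdf", "jpg", "lnk", "sys"}
MIN_GROUP = 3  # assumed threshold: report a suffix only when it recurs this often

def parse_frst_line(line):
    """Split one FRST listing line into its fields; None if it is not a file line."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec

def triage(lines):
    """Return ransom-note paths and files grouped by a shared unknown appended suffix."""
    notes, groups = [], defaultdict(list)
    for line in lines:
        rec = parse_frst_line(line)
        if rec is None:
            continue
        name = PureWindowsPath(rec["path"]).name
        if name.upper().startswith(RANSOM_NOTE_PREFIX):
            notes.append(rec["path"])
        parts = name.lower().split(".")
        # <stem>.<known ext>.<unknown tail>: the tail is what was appended on encryption
        if len(parts) >= 3 and parts[-2] in KNOWN_EXT and parts[-1] not in KNOWN_EXT:
            groups[parts[-1]].append(rec["path"])
    suspicious = {s: p for s, p in groups.items() if len(p) >= MIN_GROUP}
    return {"ransom_notes": notes, "suffix_groups": suspicious}

# Constructed sample lines mirroring the "Files in the root of some directories" section.
SAMPLE_LINES = [
    r"2014-10-14 14:01 - 2013-09-30 14:47 - 0001248 _____ () C:\Program Files\OperCA3cert_DER.CER.zgsmcwm",
    r"2014-10-14 14:01 - 2013-09-30 14:48 - 0001056 _____ () C:\Program Files\RootCA4cert.CER.zgsmcwm",
    r"2014-10-14 14:01 - 2013-09-30 16:17 - 0001231 _____ () C:\Program Files\StampIT_Install.bat",
    r"2014-09-26 12:30 - 2014-09-26 12:30 - 0895120 _____ (Google Inc.) C:\Program Files\ChromeSetup.exe",
    r"2015-01-30 08:56 - 2015-01-30 08:56 - 0045479 _____ () C:\Documents and Settings\@\Application Data\HELP_DECRYPT.PNG",
    r"2015-01-30 08:56 - 2015-01-30 08:56 - 0001376 _____ () C:\Documents and Settings\@\Application Data\HELP_DECRYPT.TXT.zgsmcwm",
    r"2015-01-30 08:56 - 2015-01-30 08:56 - 0000272 _____ () C:\Documents and Settings\@\Application Data\HELP_DECRYPT.URL",
    "==================== Bamital & volsnap Check =================",  # non-file line, skipped
]
```

Running triage(SAMPLE_LINES) reports the three ransom notes and the .zgsmcwm suffix shared by three files of different original types, which is the pattern that distinguishes an encryptor from a single renamed file.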

#3 Erik_lubov

Erik_lubov
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 21 February 2015 - 07:28 AM

Thank you very much!
I had the computer and therefore delayed slightly.
I would like to express my thanks for your help.

 

 Results of screen317's Security Check version 0.99.96 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Please wait while WMIC is being installed.
displayName
ESET NOD32 Antivirus 8.0
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 SpyHunter    
 Java 8 Update 25 
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31 
 Adobe Reader XI 
 Google Chrome (40.0.2214.111)
````````Process Check: objlist.exe by Laurent```````` 
 ESET NOD32 Antivirus egui.exe 
 ESET NOD32 Antivirus ekrn.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 
````````````````````End of Log``````````````````````
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:01 PM

Posted 21 February 2015 - 09:40 AM

Using the Add/Remove Programs applet, delete this old version of Java 8 Update 25.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:01 PM

Posted 27 February 2015 - 08:52 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



