
My Files Crypted by Cryptowall 2.0


13 replies to this topic

#1 Iulick

Iulick

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 31 May 2015 - 04:11 PM

Hello, some months ago I received an email with a link; after I clicked the link my files were encrypted (movies, songs, photos).

After that I reinstalled Windows, installed an antivirus and anti-malware tools, used CCleaner and more anti-malware programs (HitmanPro ...).

I did this: 

I did this: 

I don't have previous versions to make a backup from...

Sorry for my English.

I attach one encrypted file.

Attached File  Daft Punk - Get Lucky __ George Barnett cover.mp3   3.53MB   0 downloads





#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,741 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:16 PM

Posted 02 June 2015 - 08:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is the infection - CryptoWall and HELP_DECRYPT Ransomware Information Guide
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Other than paying the ransom if it's not too late there is nothing we can do to restore your files.
I know one thing I would not trust them, your call.

If you want us to clean up what has been left over from the infection, please run these tools and submit the logs for my review.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

#3 Iulick

Iulick
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 02 June 2015 - 04:28 PM

Thank you, nasdaq, for your attention.
I did everything you said.
Attached File  Addition.txt   33.74KB   1 downloads
Attached File  AdwCleanerS0.txt   3.58KB   1 downloads
Attached File  FRST.txt   28.96KB   1 downloads
 
Waiting for the next step's instructions, thanks.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-05-2015
Ran by Admin (administrator) on WINCTRL-0R8EN65 on 02-06-2015 23:11:00
Running from C:\Users\Admin\Desktop\NEW
Loaded Profiles: Admin (Available Profiles: Admin)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(ESET) C:\Program Files\ESET\ESET Antivirus\x86\ekrn.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesService64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(ESET) C:\Program Files\ESET\ESET Antivirus\egui.exe
(DT Soft Ltd) C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(DT Soft Ltd) C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesApp64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2673296 2015-04-09] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Antivirus\egui.exe [5595848 2015-01-28] (ESET)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKU\S-1-5-21-329997021-197418502-3112251152-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [28917376 2015-05-14] (Skype Technologies S.A.)
HKU\S-1-5-21-329997021-197418502-3112251152-1000\...\Run: [uTorrent] => C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe [1694560 2015-05-06] (BitTorrent Inc.)
HKU\S-1-5-21-329997021-197418502-3112251152-1000\...\Run: [DAEMON Tools Pro Agent] => C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe [842048 2011-03-17] (DT Soft Ltd)
HKU\S-1-5-21-329997021-197418502-3112251152-1000\...\MountPoints2: {86be52a3-d602-11e4-b6eb-40167e290ae7} - G:\Autorun.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKU\S-1-5-21-329997021-197418502-3112251152-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-329997021-197418502-3112251152-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/it-it/?ocid=iehp
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-329997021-197418502-3112251152-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-329997021-197418502-3112251152-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL =
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 213.205.32.70 8.8.8.8
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p8rvw3na.default
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll [2015-01-13] (EA Digital Illusions CE AB)
FF Plugin: @esn/npbattlelog,version=2.7.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.0\npbattlelogx64.dll [2015-03-10] (EA Digital Illusions CE AB)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll [2015-01-13] (EA Digital Illusions CE AB)
FF Plugin-x32: @esn/npbattlelog,version=2.7.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.0\npbattlelog.dll [2015-03-10] (EA Digital Illusions CE AB)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-02-11] (Foxit Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-04-08] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-04-08] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Extension: No Name - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p8rvw3na.default\extensions\quick_searchff@gmail.com [not found]
FF Extension: No Name - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p8rvw3na.default\extensions\sweetsearch@gmail.com [not found]
FF Extension: No Name - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p8rvw3na.default\extensions\searchengine@gmail.com [not found]
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-25]
CHR Extension: (Google Docs) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-25]
CHR Extension: (Google Drive) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-25]
CHR Extension: (YouTube) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-25]
CHR Extension: (Google Search) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-25]
CHR Extension: (Google Sheets) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-25]
CHR Extension: (Hola Better Internet) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2015-02-06]
CHR Extension: (Bookmark Manager) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-15]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-29]
CHR Extension: (Skype Click to Call) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-12-25]
CHR Extension: (Google Wallet) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-25]
CHR Extension: (Gmail) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-25]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2015-05-01]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1394816 2015-05-01] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1772672 2015-05-01] (Microsoft Corporation)
R2 ekrn; C:\Program Files\ESET\ESET Antivirus\x86\ekrn.exe [1349576 2015-01-28] (ESET)
R2 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [244392 2015-04-10] (Foxit Software Inc.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1152144 2015-04-09] (NVIDIA Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-03-17] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1878672 2015-04-09] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [22995600 2015-04-09] (NVIDIA Corporation)
S4 Origin Client Service; E:\Games\Origin\OriginClientService.exe [1997168 2015-06-02] (Electronic Arts)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76152 2015-03-29] ()
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2015-05-03] ()
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5491984 2015-05-20] (TeamViewer GmbH)
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesService64.exe [2145080 2014-07-16] (TuneUp Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [272448 2015-03-29] (DT Soft Ltd)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [246000 2015-01-30] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [241880 2015-01-30] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [169792 2015-01-30] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [159480 2015-01-30] (ESET)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2014-12-27] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-03-17] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-03-17] (Malwarebytes Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-04-09] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
R0 oem-drv64; C:\Windows\System32\DRIVERS\oem-drv64.sys [42496 2015-06-02] (secr9tos) [File not signed]
R3 SAlphamHid; C:\Windows\System32\DRIVERS\SAlpham64.sys [39168 2014-10-08] (SteelSeries Corporation)
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesDriver64.sys [14112 2014-06-23] (TuneUp Software)
S3 ESEADriver2; \??\C:\Users\Admin\AppData\Local\Temp\ESEADriver2.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-02 23:10 - 2015-06-02 23:11 - 00000000 ____D () C:\FRST
2015-06-02 22:59 - 2015-06-02 23:06 - 00000000 ____D () C:\Users\Admin\Desktop\PROVA
2015-06-02 22:51 - 2015-06-02 23:11 - 00000000 ____D () C:\Users\Admin\Desktop\NEW
2015-06-02 22:16 - 2015-06-02 23:04 - 00000000 ____D () C:\AdwCleaner
2015-05-31 22:07 - 2015-05-31 22:07 - 00452424 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\ListCWall (2).exe
2015-05-31 21:27 - 2015-05-31 21:28 - 00452424 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\ListCWall (1).exe
2015-05-30 00:20 - 2015-05-30 00:20 - 00013312 _____ () C:\Users\Admin\Downloads\Comedy.Battle.29.05.2015.S!nkr0mE.avi.torrent
2015-05-30 00:20 - 2015-05-30 00:20 - 00012812 _____ () C:\Users\Admin\Downloads\Comedy Club.(29.05.2015).S!nkr0mE.avi.torrent
2015-05-28 02:43 - 2015-05-28 02:43 - 00000000 ____D () C:\Users\Admin\Documents\Strife
2015-05-25 02:31 - 2015-05-25 02:31 - 00000208 _____ () C:\Users\Admin\Desktop\Strife.url
2015-05-23 15:38 - 2015-05-23 15:38 - 00051443 _____ () C:\Users\Admin\Downloads\KB.Posl.sezon.22.05.2015.[www.riper.am].avi.torrent
2015-05-23 15:38 - 2015-05-23 15:38 - 00013166 _____ () C:\Users\Admin\Downloads\KK.2015.05.22.SATRip.[www.riper.am].avi.torrent
2015-05-22 16:05 - 2015-05-22 16:05 - 00003231 _____ () C:\Users\Admin\Desktop\perepiska.txt
2015-05-22 12:40 - 2015-05-22 12:40 - 00000000 ____D () C:\Users\Admin\Desktop\New folder
2015-05-20 21:36 - 2015-05-20 21:36 - 00002300 _____ () C:\Users\Admin\Downloads\Jelezniy.Kulak.2.2015.HDRip.1400Mb.avi.torrent
2015-05-19 22:14 - 2015-05-19 22:14 - 00014646 _____ () C:\Users\Admin\Downloads\Cimbelin.2014.D.HDRip.1400MB.avi.torrent
2015-05-16 12:35 - 2015-05-16 12:35 - 00011087 _____ () C:\Users\Admin\Downloads\Bitva.za.Sevastopl.2015.O.HDRip.2100MB-TST.mkv.torrent
2015-05-16 03:40 - 2015-05-16 03:40 - 00014583 _____ () C:\Users\Admin\Downloads\Fokus.2015.D.BDRip.x264.Rus-C!v.mkv.torrent
2015-05-16 02:21 - 2015-05-16 02:21 - 00012872 _____ () C:\Users\Admin\Downloads\Comedy Club.(15.05.2015).S!nkr0mE.avi.torrent
2015-05-16 02:21 - 2015-05-16 02:21 - 00001363 _____ () C:\Users\Admin\Downloads\KB.Posl.sezon.15.05.2015.[www.riper.am].avi.torrent
2015-05-15 00:36 - 2015-05-15 00:36 - 00607958 _____ () C:\Users\Admin\Downloads\girlshare.ro_faw.rar
2015-05-14 22:05 - 2015-05-14 22:05 - 00022439 _____ () C:\Users\Admin\Downloads\K1ngsm4n.2014.D.WEB-DL.720p.mkv.torrent
2015-05-14 22:02 - 2015-05-14 22:02 - 00014609 _____ () C:\Users\Admin\Downloads\Doroga.na.Berlin.2015.O.DVDRip.1400MB.avi.torrent
2015-05-14 13:22 - 2015-05-14 13:22 - 00014583 _____ () C:\Users\Admin\Downloads\Chappie.2015.D.HDRip,1400MB-C!v.avi.torrent
2015-05-13 15:23 - 2015-05-13 15:23 - 00014581 _____ () C:\Users\Admin\Downloads\F0kys.2015.D.WEB-DLRip.1400MB.avi.torrent
2015-05-11 12:00 - 2015-05-11 12:00 - 00000000 ____D () C:\Users\Admin\Documents\Survarium-Steam
2015-05-11 11:31 - 2015-05-11 11:31 - 00112589 _____ () C:\Users\Admin\Downloads\Danny.Collins.2015.D.WEBRip1400MB-TST.avi.torrent
2015-05-10 15:17 - 2015-05-10 15:17 - 00015517 _____ () C:\Users\Admin\Downloads\Igra.Na.Vigivanie.2014.D.WEB-DLRip.ELEKTRI4KA.avi.torrent
2015-05-09 00:03 - 2015-05-09 00:03 - 00013962 _____ () C:\Users\Admin\Downloads\KB.Posl.sezon.08.05.2015.avi.torrent
2015-05-09 00:03 - 2015-05-09 00:03 - 00013092 _____ () C:\Users\Admin\Downloads\Comedy Club.(08.05.2015).S!nkr0mE.avi.torrent
2015-05-08 16:21 - 2015-05-08 16:21 - 00000000 ____D () C:\Users\Admin\Desktop\iulick paris
2015-05-07 21:42 - 2015-05-07 21:42 - 01021432 _____ (Microsoft Corporation) C:\Users\Admin\Downloads\NDP451-KB2859818-Web.exe
2015-05-07 21:41 - 2015-05-07 21:41 - 04828619 _____ () C:\Users\Admin\Downloads\patch (2).exe
2015-05-07 21:41 - 2015-05-07 21:41 - 00001188 _____ () C:\Users\Admin\Downloads\Kalima Patch (2).zip
2015-05-05 12:32 - 2015-05-05 12:32 - 00011077 _____ () C:\Users\Admin\Downloads\Jupiter.Ascending.2015.BDRip.Rus.Eng.x264-C!v.mkv.torrent
2015-05-04 13:30 - 2015-05-04 13:30 - 00014590 _____ () C:\Users\Admin\Downloads\Shafer.na.svadbu.2015.D.BDRip.x264.C!v.mkv.torrent
2015-05-03 11:43 - 2015-05-03 11:43 - 00060774 _____ () C:\Users\Admin\Downloads\Imagini Frumoase Pentru Orice Gust [№18].xGhost.torrent

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-02 23:11 - 2015-04-29 12:01 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-02 23:08 - 2014-12-25 21:37 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\uTorrent
2015-06-02 23:08 - 2014-12-25 21:31 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Skype
2015-06-02 23:07 - 2015-04-29 12:01 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-02 23:07 - 2014-12-25 21:37 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-06-02 23:07 - 2014-12-25 21:11 - 00042496 _____ (secr9tos) C:\Windows\system32\Drivers\oem-drv64.sys
2015-06-02 23:07 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-06-02 23:07 - 2009-07-14 05:51 - 00030378 _____ () C:\Windows\setupact.log
2015-06-02 23:06 - 2014-12-26 06:07 - 01803561 _____ () C:\Windows\WindowsUpdate.log
2015-06-02 23:04 - 2015-02-06 17:12 - 00001061 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-06-02 23:04 - 2015-02-06 17:12 - 00001049 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-06-02 23:04 - 2015-01-12 21:46 - 00000744 _____ () C:\Users\Admin\Desktop\Launcher - Shortcut.lnk
2015-06-02 23:04 - 2014-12-25 21:12 - 00001172 _____ () C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-06-02 23:04 - 2014-12-25 21:12 - 00000989 _____ () C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-06-02 22:59 - 2014-12-25 21:29 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\AIMP3
2015-06-02 22:28 - 2015-01-17 20:38 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-02 22:16 - 2014-12-25 22:11 - 00000000 ____D () C:\ProgramData\Origin
2015-06-02 20:57 - 2014-12-26 16:32 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\TS3Client
2015-06-02 18:38 - 2014-12-25 22:10 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\vlc
2015-06-02 15:26 - 2015-03-29 14:53 - 00226680 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2015-06-02 15:24 - 2014-12-25 22:15 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Origin
2015-06-02 12:39 - 2009-07-14 05:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-02 12:39 - 2009-07-14 05:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-01 17:27 - 2015-03-29 14:53 - 00214392 _____ () C:\Windows\SysWOW64\PnkBstrB.ex0
2015-05-31 13:00 - 2014-12-25 21:31 - 00000000 ____D () C:\ProgramData\Skype
2015-05-28 13:36 - 2014-12-26 14:07 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2015-05-28 13:35 - 2014-12-26 14:07 - 00000971 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2015-05-28 13:35 - 2014-12-26 14:07 - 00000959 _____ () C:\Users\Public\Desktop\TeamViewer 10.lnk
2015-05-28 02:42 - 2015-01-30 22:37 - 00000000 ____D () C:\ProgramData\Package Cache
2015-05-28 01:08 - 2015-01-30 22:38 - 00000870 _____ () C:\Users\Public\Desktop\Battlefield 4.lnk
2015-05-28 01:08 - 2015-01-30 22:38 - 00000854 _____ () C:\Users\Public\Desktop\Battlefield 4(64 bit).lnk
2015-05-27 23:19 - 2014-12-25 21:31 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-05-25 22:13 - 2015-04-29 12:02 - 00002181 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-05-22 14:16 - 2015-03-18 01:43 - 00000627 _____ () C:\Users\Admin\Desktop\New Text Document (2).txt
2015-05-20 11:56 - 2015-03-18 11:07 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe
2015-05-20 11:56 - 2015-01-17 20:38 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-05-20 11:56 - 2015-01-08 11:40 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-05-20 11:56 - 2015-01-08 11:40 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-05-18 11:02 - 2015-04-06 10:42 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-05-17 16:22 - 2011-01-25 18:59 - 00723920 _____ () C:\Windows\system32\perfh019.dat
2015-05-17 16:22 - 2011-01-25 18:59 - 00150222 _____ () C:\Windows\system32\perfc019.dat
2015-05-17 16:22 - 2011-01-25 18:52 - 00739366 _____ () C:\Windows\system32\perfh010.dat
2015-05-17 16:22 - 2011-01-25 18:52 - 00146226 _____ () C:\Windows\system32\perfc010.dat
2015-05-17 16:22 - 2009-07-14 06:13 - 02525028 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-05-15 22:29 - 2014-12-25 21:56 - 00014731 _____ () C:\Windows\system32\lvcoinst.log
2015-05-15 03:06 - 2015-04-29 12:01 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-05-15 03:06 - 2015-04-29 12:01 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-05-13 22:32 - 2015-02-28 20:21 - 00000175 _____ () C:\Users\Admin\Desktop\demid rezin - dancedancedance.txt
2015-05-13 03:08 - 2014-12-26 11:46 - 00000205 _____ () C:\Users\Admin\Desktop\Counter-Strike Global Offensive.url
2015-05-11 21:18 - 2010-11-21 04:47 - 00485128 _____ () C:\Windows\PFRO.log
2015-05-07 21:46 - 2014-12-25 21:36 - 02495878 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-05-07 14:00 - 2015-04-15 12:26 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Foxit Software
2015-05-03 17:43 - 2015-03-29 14:53 - 00076152 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2015-05-03 17:43 - 2015-03-29 14:32 - 00347464 _____ () C:\Windows\SysWOW64\PnkBstrB.xtr
2015-05-03 17:21 - 2015-01-31 14:14 - 00000000 ____D () C:\Users\Admin\AppData\Local\PunkBuster
2015-05-03 17:19 - 2014-12-25 22:14 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\NVIDIA
2015-05-03 17:16 - 2014-12-26 16:19 - 00108474 _____ () C:\Windows\DirectX.log

==================== Files in the root of some directories =======

2015-04-29 02:30 - 2015-04-29 02:30 - 0000020 _____ () C:\Users\Admin\AppData\Roaming\appdataFr3.bin
2014-12-27 18:02 - 2014-12-27 18:03 - 0000096 _____ () C:\Users\Admin\AppData\Roaming\Camdata.ini
2014-12-27 18:02 - 2014-12-27 18:03 - 0000408 _____ () C:\Users\Admin\AppData\Roaming\CamLayout.ini
2014-12-27 18:02 - 2014-12-27 18:03 - 0000408 _____ () C:\Users\Admin\AppData\Roaming\CamShapes.ini
2014-12-27 18:02 - 2014-12-27 18:03 - 0004509 _____ () C:\Users\Admin\AppData\Roaming\CamStudio.cfg
2015-04-19 02:52 - 2015-04-19 02:53 - 0011724 _____ () C:\Users\Admin\AppData\Local\Temp-log.txt
2014-12-27 02:34 - 2014-12-27 02:34 - 0001358 _____ () C:\ProgramData\SMRResults430.dat

Files to move or delete:
====================
C:\ProgramData\SMRResults430.dat


Some files in TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\Quarantine.exe
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION!


LastRegBack: 2015-05-31 19:43

==================== End of log ============================

Edited by nasdaq, 03 June 2015 - 07:48 AM.


#4 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2015 - 08:03 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start


CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-329997021-197418502-3112251152-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
FF Extension: No Name - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p8rvw3na.default\extensions\quick_searchff@gmail.com [not found]
FF Extension: No Name - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p8rvw3na.default\extensions\sweetsearch@gmail.com [not found]
FF Extension: No Name - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p8rvw3na.default\extensions\searchengine@gmail.com [not found]
S3 ESEADriver2; \??\C:\Users\Admin\AppData\Local\Temp\ESEADriver2.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION!

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?
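The three findings the fixlist above acts on (core binaries that must still be digitally signed, a driver service pointing at a file under Temp that no longer exists, and the disabled boot-time integrity checks) can be re-verified on the machine with built-in tools once the fix has run. The following is an added PowerShell example, not part of this thread and not FRST's own code; the function names are mine, the file list is the one from the "Bamital & volsnap Check" section of the log, and it assumes an elevated prompt on the affected computer:

```powershell
# Added example (not nasdaq's instructions, not FRST code): defender-side re-check
# of the three findings in the FRST log, using only built-in cmdlets and bcdedit.
# Function names are my own. Run from an elevated PowerShell prompt.

# 1. The core binaries FRST's "Bamital & volsnap Check" verifies (log paths).
$CoreFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

function Test-CoreFileSignatures {
    foreach ($file in $CoreFiles) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Path = $file; Status = 'MISSING'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            Path   = $file
            Status = $sig.Status                    # 'Valid' is expected here
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

# 2. The "nointegritychecks" line: read the current boot entry from the BCD store.
function Test-BootIntegrityChecks {
    $bcd = (bcdedit /enum '{current}' 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { return 'Could not read BCD (run as administrator)' }
    if ($bcd -match 'nointegritychecks\s+Yes') { return 'DISABLED: nointegritychecks is set' }
    return 'Enabled: nointegritychecks is not set'
}

# 3. Kernel drivers whose image sits under a user profile or Temp (no legitimate
#    driver belongs there, cf. ESEADriver2 in the log) or whose file is gone
#    (what FRST marks with "[X]"). Relative and \SystemRoot\ paths are resolved
#    first so that normal Windows drivers are not reported as missing.
function Find-SuspiciousDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not $path) { return }                      # no image path recorded
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path     # e.g. System32\drivers\x.sys
        }
        $inUserArea = $path -match '\\Users\\|\\Temp\\|\\AppData\\'
        $exists     = Test-Path -LiteralPath $path
        if ($inUserArea -or -not $exists) {
            [pscustomobject]@{
                Name       = $_.Name
                StartMode  = $_.StartMode
                Path       = $path
                FileExists = $exists
                InUserArea = $inUserArea
            }
        }
    }
}

Test-CoreFileSignatures  | Format-Table -AutoSize
Test-BootIntegrityChecks
Find-SuspiciousDrivers   | Format-Table -AutoSize
```

After the fixlist has been applied and the computer restarted, the first table should show every core file with Status "Valid", the BCD check should report that nointegritychecks is no longer set, and the driver scan should no longer list an entry under C:\Users\...\AppData\Local\Temp; anything still reported there is worth posting back in the thread.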

#5 Iulick

  • Topic Starter
  • Members
  • 7 posts

Posted 03 June 2015 - 05:38 PM

Hi, I did what you said.

Attached File: Fixlog.txt (2.59KB)

The computer is working in normal mode.

I don't see any change.



#6 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 June 2015 - 08:15 AM

What is the problem?

#7 Iulick

  • Topic Starter
  • Members
  • 7 posts

Posted 04 June 2015 - 09:18 AM

In what sense, "What is the problem?"



#8 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 June 2015 - 12:23 PM

You do not see any change...

#9 Iulick

  • Topic Starter
  • Members
  • 7 posts

Posted 04 June 2015 - 04:10 PM

Aaah, you also asked "How is the computer running now?"

and I said "the computer is working in normal mode. I don't see any change".

Sorry for DOT and my English :)

I'll wait for your next instruction, thank you.



#10 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 June 2015 - 07:32 AM

Sorry but I will not open your .mp3 file.

When you say no change what do you mean?

#11 Iulick

  • Topic Starter
  • Members
  • 7 posts

Posted 05 June 2015 - 07:52 AM

Did you see my response above?

I do not want to say anything. I just answered your question "How is the computer running now?"

Do you have another step of instructions for me or not?



#12 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 June 2015 - 01:27 PM

No more to do unless you have problems.

#13 Iulick

  • Topic Starter
  • Members
  • 7 posts

Posted 05 June 2015 - 03:40 PM

So, you won't help me anymore?



#14 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 June 2015 - 06:52 AM

That's not correct.

What is still wrong with your computer?

I cannot suggest something when I do not know what is wrong.



