persistent svchost.exe virus


  • This topic is locked
14 replies to this topic

#1 gerry13

gerry13

  • Members
  • 54 posts

Posted 11 June 2015 - 03:42 AM

Hello. Just yesterday I turned on my computer to find CPU usage stuck at 85-95% and everything working really slowly. I ran a scan with SUPERAntiSpyware and with Malwarebytes Anti-Malware. Both find a Bitcoin trojan svchost.exe at C:\Windows\Temp\.

 

Both of these two programs detect and delete the virus from this location, but as soon as I reconnect to the internet the virus reappears and CPU usage rises again. Note that I immediately disconnected my wireless internet connector to prevent the virus from sending/receiving data to any possible hacker.

 

I know that there are other topics about this virus in the same folder, but it seems every user's log has to be examined separately. If there is a standard solution, please post me the link and I will close/delete the topic. Thanks in advance.




#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 11 June 2015 - 04:10 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to, as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now.

==========================
 
Hi gerry13,
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 gerry13

gerry13
  • Topic Starter

  • Members
  • 54 posts

Posted 12 June 2015 - 02:56 AM

Hello Toffee, thanks for replying to my topic. Please note that I downloaded the program from another computer and transferred it to the infected one through a USB key. The logs are from the infected computer, needless to say. If you would like me to reply/download directly from my computer regardless of the virus, let me know. Here are the logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-06-2015
Ran by Gerasimos (administrator) on GERASIMOS-PC on 12-06-2015 10:44:41
Running from E:\
Loaded Profiles: Gerasimos (Available Profiles: Gerasimos)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Greek (Greece)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Microsoft Corporation) C:\Windows\System32\schtasks.exe
(Realtek) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtlService.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe
(Realtek Semiconductor Corp.) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKU\S-1-5-21-642514363-872633330-2413782007-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7777560 2014-11-13] (SUPERAntiSpyware)
HKU\S-1-5-21-642514363-872633330-2413782007-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-642514363-872633330-2413782007-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-642514363-872633330-2413782007-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-642514363-872633330-2413782007-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 
SearchScopes: HKU\S-1-5-21-642514363-872633330-2413782007-1000 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = 
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2014-12-13] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-13]
CHR Extension: (Angry Birds) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2014-12-13]
CHR Extension: (Google Docs) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-13]
CHR Extension: (Google Drive) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-13]
CHR Extension: (YouTube) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-13]
CHR Extension: (Google Search) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-13]
CHR Extension: (MSN Homepage & Bing Search Engine) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2015-04-11]
CHR Extension: (Google Sheets) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-13]
CHR Extension: (Bookmark Manager) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-16]
CHR Extension: (Google Wallet) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-13]
CHR Extension: (Blue Space Sunset Chrome Theme) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\nndfdjfoclbidmgpmbelcieibgjjfdog [2015-01-04]
CHR Extension: (Gmail) - C:\Users\Gerasimos\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-13]
CHR HKU\S-1-5-21-642514363-872633330-2413782007-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - https://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 Realtek11nCU; C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtlService.exe [36864 2010-04-16] (Realtek) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 cleanhlp; C:\EEK\bin\cleanhlp64.sys [57024 2014-08-27] (Emsisoft GmbH)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
S3 RTL8192cu; C:\Windows\System32\DRIVERS\rtwlanu.sys [1045608 2011-07-13] (Realtek Semiconductor Corporation                           )
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 ALSysIO; \??\C:\Users\GERASI~1\AppData\Local\Temp\ALSysIO64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 VIAHdAudAddService; system32\drivers\viahduaa.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-12 10:43 - 2015-06-12 10:44 - 00000000 ____D C:\FRST
2015-06-11 12:21 - 2015-06-11 12:33 - 00000000 ____D C:\Users\Gerasimos\Desktop\τυπωμα
2015-06-11 12:13 - 2015-06-11 12:17 - 00000000 ____D C:\Users\Gerasimos\Desktop\μοτιβα3
2015-06-11 11:18 - 2015-06-11 11:18 - 00008893 _____ C:\ComboFix.txt
2015-06-11 11:12 - 2015-06-11 11:18 - 00000000 ____D C:\Qoobox
2015-06-11 11:12 - 2015-06-11 11:17 - 00000000 ____D C:\Windows\erdnt
2015-06-11 11:12 - 2011-06-26 09:45 - 00256000 _____ C:\Windows\PEV.exe
2015-06-11 11:12 - 2010-11-07 20:20 - 00208896 _____ C:\Windows\MBR.exe
2015-06-11 11:12 - 2009-04-20 07:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-06-11 11:12 - 2000-08-31 03:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-06-11 11:12 - 2000-08-31 03:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-06-11 11:12 - 2000-08-31 03:00 - 00098816 _____ C:\Windows\sed.exe
2015-06-11 11:12 - 2000-08-31 03:00 - 00080412 _____ C:\Windows\grep.exe
2015-06-11 11:12 - 2000-08-31 03:00 - 00068096 _____ C:\Windows\zip.exe
2015-06-11 02:16 - 2015-06-11 02:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\REALTEK 11n USB Wireless LAN Utility
2015-06-11 02:16 - 2015-06-11 02:16 - 00000000 ____D C:\Program Files (x86)\Cisco
2015-06-11 02:15 - 2015-06-11 02:15 - 00000000 ____D C:\Program Files (x86)\REALTEK
2015-06-11 02:15 - 2011-07-13 04:29 - 01045608 _____ (Realtek Semiconductor Corporation ) C:\Windows\system32\Drivers\rtwlanu.sys
2015-06-11 02:15 - 2011-07-06 23:31 - 00595968 _____ (Realtek Semiconductor Corp. ) C:\Windows\SysWOW64\Rtlihvs.dll
2015-06-11 02:15 - 2009-04-02 10:27 - 00188416 _____ (Realtek Semiconductor Corp. ) C:\Windows\SysWOW64\RTLExtUI.dll
2015-06-11 02:15 - 2009-03-31 14:31 - 00380928 _____ (Realtek) C:\Windows\RtlUI2.exe
2015-06-11 02:15 - 2009-01-05 20:31 - 00000901 _____ C:\Windows\RtlUI2.exe.manifest
2015-06-11 00:04 - 2015-06-11 00:04 - 00000000 ____D C:\EEK
2015-06-10 15:02 - 2015-06-12 01:32 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-10 15:02 - 2015-06-10 15:02 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-10 15:02 - 2015-06-10 15:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-10 15:02 - 2015-06-10 15:02 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-10 15:02 - 2015-06-10 15:02 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-10 15:02 - 2015-04-14 09:37 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-10 15:02 - 2015-04-14 09:37 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-10 15:02 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-10 14:02 - 2015-06-10 20:43 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-06-10 14:02 - 2015-06-10 14:02 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-06-10 14:02 - 2015-06-10 14:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-06-10 13:56 - 2015-06-10 14:17 - 00007609 _____ C:\Users\Gerasimos\AppData\Local\Resmon.ResmonCfg
2015-06-09 23:26 - 2015-06-09 23:26 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\systemcplx64.dll
2015-06-09 23:26 - 2015-06-09 23:26 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\slwga.dll
2015-06-09 23:26 - 2015-06-09 23:26 - 00013824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\slwga.dll
2015-06-09 23:24 - 2015-06-09 23:24 - 00783424 _____ C:\Windows\pkeyconfig.xrm-ms
2015-06-09 01:47 - 2015-06-11 12:31 - 00000000 ____D C:\Users\Gerasimos\Desktop\Αλόνησσος
2015-06-04 23:33 - 2015-06-04 23:33 - 00000000 ____D C:\Users\Gerasimos\Downloads\Battlefield.Hardline.Reloaded
2015-06-04 23:32 - 2015-06-04 23:32 - 00076203 _____ C:\Users\Gerasimos\Downloads\Battlefield.Hardline.Reloaded.torrent
2015-06-04 23:29 - 2015-06-04 23:29 - 09157512 _____ C:\Users\Gerasimos\Downloads\Battlefield Hardline PC CRACK.rar
2015-05-26 11:39 - 2015-06-12 00:01 - 00000000 ____D C:\Users\Gerasimos\Desktop\εσωτερικοι χωροι 1
2015-05-23 20:50 - 2015-06-11 12:14 - 00000000 ____D C:\Users\Gerasimos\Desktop\ραφηνα
2015-05-20 13:45 - 2015-06-03 23:26 - 00000000 ____D C:\Users\Gerasimos\Desktop\Homeland.S01
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-12 10:43 - 2014-12-13 18:13 - 00001180 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-12 10:43 - 2009-07-14 08:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-12 10:43 - 2009-07-14 07:51 - 00051330 _____ C:\Windows\setupact.log
2015-06-12 01:39 - 2014-12-13 17:48 - 01958640 _____ C:\Windows\WindowsUpdate.log
2015-06-12 01:39 - 2009-07-14 07:45 - 00009904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-12 01:39 - 2009-07-14 07:45 - 00009904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-12 01:10 - 2014-12-13 18:13 - 00001184 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-12 00:27 - 2015-05-06 20:46 - 00000080 _____ C:\Users\Gerasimos\AppData\Local\Rockstar Games\GTA V\entitlement.info
2015-06-12 00:04 - 2009-07-14 12:13 - 00606328 _____ C:\Windows\system32\perfh008.dat
2015-06-12 00:04 - 2009-07-14 12:13 - 00110524 _____ C:\Windows\system32\perfc008.dat
2015-06-12 00:04 - 2009-07-14 08:13 - 01487916 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-11 23:59 - 2014-12-13 18:11 - 00135582 _____ C:\Windows\PFRO.log
2015-06-11 11:18 - 2009-07-14 06:20 - 00000000 __RHD C:\Users\Default
2015-06-11 11:17 - 2009-07-14 05:34 - 00000215 _____ C:\Windows\system.ini
2015-06-11 02:28 - 2009-07-14 08:32 - 00000000 ____D C:\Windows\addins
2015-06-10 20:50 - 2009-07-14 07:45 - 00000000 ____D C:\Windows\Setup
2015-06-10 15:30 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\schemas
2015-06-10 15:11 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\Speech
2015-06-09 23:26 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\rescache
2015-06-09 23:24 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\system32\oobe
2015-06-05 01:02 - 2014-12-13 22:17 - 00000000 ____D C:\Users\Gerasimos\AppData\Roaming\uTorrent
2015-06-05 00:08 - 2014-12-15 00:32 - 00000000 ____D C:\Users\Gerasimos\AppData\Roaming\vlc
2015-05-27 10:56 - 2009-07-14 08:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-05-26 13:51 - 2009-07-14 08:08 - 00032532 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-05-16 18:05 - 2014-12-13 18:13 - 00004180 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-05-16 18:05 - 2014-12-13 18:13 - 00003928 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-05-13 15:20 - 2014-12-14 02:15 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
 
==================== Files in the root of some directories =======
 
2015-05-04 00:30 - 2015-05-04 00:30 - 0000132 _____ () C:\Users\Gerasimos\AppData\Roaming\Adobe GIF Format CS6 Prefs
2015-06-10 13:56 - 2015-06-10 14:17 - 0007609 _____ () C:\Users\Gerasimos\AppData\Local\Resmon.ResmonCfg
 
Files to move or delete:
====================
C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-06-10 23:48
 
==================== End of log ============================

Attached file: FRST.txt (18.79 KB)

Edited by xXToffeeXx, 12 June 2015 - 10:57 AM.
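A triage script for a log like the one above, added here as an illustration; it is not part of this thread and not FRST's own code. It parses the Processes, Scheduled Tasks and "Files to move or delete" sections of an FRST.txt and flags the persistence pattern this log shows: a scheduled task whose target is a script under the user's AppData, a script host (wscript.exe) in the process list, and a file named svchost.exe running outside the Windows system directories. The sample log lines are constructed from the entries above; the C:\Windows\Temp\svchost.exe process line is an assumption (the file had already been removed when that scan ran), and the rule sets are this example's own heuristics, not FRST's.

```python
"""Triage an FRST.txt for scheduled-task / script-host / misplaced-svchost persistence.

Added example, not FRST's code. The rules below are the example's own heuristics."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Names that legitimately live only in the Windows system directories.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "wininit.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Script hosts worth correlating with any script-file task.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Lower-cased path fragments a standard user (and so user-level malware) can write to.
USER_WRITABLE = ("\\appdata\\", "\\windows\\temp\\", "\\programdata\\", "\\users\\public\\")
SCRIPT_EXT_RE = re.compile(r"\.(vbe|vbs|js|jse|wsf|bat|cmd|ps1|hta)\b", re.I)

# FRST line shapes: "(Vendor) C:\path\file.exe" and
# "Task: {GUID} - System32\Tasks\Name => target [date] (Vendor) <==== ATTENTION"
PROC_RE = re.compile(r"^\((?P<vendor>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+?\.exe)\s*$", re.I)
TASK_RE = re.compile(r"^Task: \{[0-9A-F-]+\} - (?P<name>.+?) => (?P<rest>.+)$", re.I)
TRAILER_RE = re.compile(r"(?:\s+\[\d{4}-\d{2}-\d{2}\])?(?:\s+\([^)]*\))?(?:\s+<==== ATTENTION)?\s*$")

# Constructed sample modelled on the FRST.txt in this thread. The
# "() C:\Windows\Temp\svchost.exe" process line is assumed, not from the log.
SAMPLE_FRST_LOG = r"""
==================== Processes (Whitelisted) =================
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Microsoft Corporation) C:\Windows\explorer.exe
() C:\Windows\Temp\svchost.exe
==================== Scheduled Tasks (Whitelisted) =============
Task: {7A81D85E-7309-42D2-8F54-C23EAA2195E0} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-13] (Google Inc.)
Task: {C4A929F3-8751-4C12-9341-76D2F95C0AE2} - System32\Tasks\Origin => C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe [2015-04-16] () <==== ATTENTION
Task: {C8547845-463A-4683-BD08-98869701A667} - System32\Tasks\{302EB837-E5E7-46EA-AC57-9AC77063E860} => pcalua.exe -a "C:\Program Files (x86)\Picexa\uninstall.exe"
Files to move or delete:
====================
C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe
"""


@dataclass
class Finding:
    section: str
    path: str
    reason: str


def process_reason(path: str) -> Optional[str]:
    """Why a process-list entry deserves a look, or None if it is unremarkable."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    if name in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        return f"{name} running from {parent}, not a Windows system directory"
    if name in SCRIPT_HOSTS:
        return f"script host {name} is running; correlate with script-file tasks"
    return None


def task_reasons(target: str, flagged: bool) -> List[str]:
    """Reasons a scheduled task's target is suspicious (empty list if none)."""
    low = target.lower()
    reasons = []
    if flagged:
        reasons.append("FRST marked the task ATTENTION")
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("target lives in a user-writable location")
    if SCRIPT_EXT_RE.search(low):
        reasons.append("target is a script, not a signed executable")
    return reasons


def triage_frst(log_text: str) -> List[Finding]:
    """Walk the FRST sections and collect findings in log order."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):            # "==== Name ====" section header
            name = line.strip("= ")
            if name:                            # a bare "====" line keeps the section
                section = name
            continue
        if line.startswith("Files to move or delete"):
            section = "Files to move or delete"
            continue
        if section.startswith("Processes"):
            m = PROC_RE.match(line)
            reason = process_reason(m["path"]) if m else None
            if reason:
                findings.append(Finding(section, m["path"], reason))
        elif section.startswith("Scheduled Tasks"):
            m = TASK_RE.match(line)
            if not m:
                continue
            rest = m["rest"]
            target = TRAILER_RE.sub("", rest, count=1)   # drop "[date] (Vendor) <==== ATTENTION"
            reasons = task_reasons(target, "<==== ATTENTION" in rest)
            if reasons:
                findings.append(Finding(section, target, "; ".join(reasons)))
        elif section == "Files to move or delete":
            if re.match(r"^[A-Za-z]:\\", line):
                findings.append(Finding(section, line, "FRST listed the file for removal"))
    return findings


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST_LOG):
        print(f"[{f.section}] {f.path}\n    {f.reason}")
```

On the sample this reports four entries: wscript.exe in the process list, the assumed svchost.exe under C:\Windows\Temp, the Origin task pointing at update.vbe (ATTENTION, user-writable path, script payload), and the same .vbe in the removal list, while GoogleUpdate.exe and the pcalua.exe task are left alone. Read together, the first three are the mechanism behind a miner that "comes back" after deletion: the task re-runs the script, and the script re-drops the binary, so removing only the dropped svchost.exe is not enough.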


#4 gerry13

gerry13
  • Topic Starter

  • Members
  • 54 posts

Posted 12 June 2015 - 02:57 AM

And the Addition log is here:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:08-06-2015
Ran by Gerasimos at 2015-06-12 10:45:15
Running from E:\
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-642514363-872633330-2413782007-500 - Administrator - Disabled)
Gerasimos (S-1-5-21-642514363-872633330-2413782007-1000 - Administrator - Enabled) => C:\Users\Gerasimos
Guest (S-1-5-21-642514363-872633330-2413782007-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
@BIOS (HKLM-x32\...\{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}) (Version: 2.34 - GIGABYTE)
µTorrent (HKU\S-1-5-21-642514363-872633330-2413782007-1000\...\uTorrent) (Version: 3.4.3.40298 - BitTorrent Inc.)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.11) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{F2A7CE36-57BF-5C86-952D-90DBF3746D82}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Assassin Creed Rogue version Assassin Creed Rogue (HKLM-x32\...\Assassin Creed Rogue_is1) (Version: Assassin Creed Rogue - )
Assassin's Creed IV - Black Flag (HKLM-x32\...\Assassin's Creed IV - Black Flag_R.G. Mechanics_is1) (Version:  - R.G. Mechanics, spider91)
Assassin's Creed Revelations (HKLM-x32\...\{33A22B2D-55BA-4508-B767-BF2E9C21A73F}) (Version: 1.00 - Ubisoft)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Call of Duty® - World at War™ 1.2 Patch (x32 Version:  - ) Hidden
Call of Duty® - World at War™ 1.4 Patch (x32 Version:  - ) Hidden
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Core Temp 1.0 RC6 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.0 - Alcpu)
Far Cry 4 Inc. Valley of the Yetis version 1.0.0 (HKLM-x32\...\Far Cry 4 Inc. Valley of the Yetis_is1) (Version: 1.0.0 - Ubisoft)
Far Cry 4 version 1.4.0.0 (HKLM-x32\...\Far Cry 4_is1) (Version: 1.4.0.0 - Mr DJ)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 43.0.2357.81 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.27.5 - Google Inc.) Hidden
Grand Theft Auto V (HKLM-x32\...\Grand Theft Auto V_R.G. Mechanics_is1) (Version:  - R.G. Mechanics, ProZorg_tm)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable - x86 8.0.61001 (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x64 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{a2199617-3609-410f-a8e8-e8806c73545b}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}) (Version: 11.0.61030.0 - Microsoft Corporation)
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
REALTEK Wireless LAN Driver and Utility (HKLM-x32\...\{9C049499-055C-4a0c-A916-1D12314F45EB}) (Version: 1.00.0182 - REALTEK Semiconductor Corp.)
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 1.1.5.8 - Rockstar Games)
Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
StarCraft II (HKLM-x32\...\StarCraft II) (Version:  - Blizzard Entertainment)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1164 - SUPERAntiSpyware.com)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Watch Dogs (HKLM-x32\...\Watch Dogs_is1) (Version: 1.05.324 - Decepticon)
WinRAR 5.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.20.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-642514363-872633330-2413782007-1000_Classes\CLSID\{083f5ae0-2b0a-11dd-bd0b-0800200c9a66}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
 
==================== Restore Points =========================
 
10-05-2015 16:53:57 Windows 7 Service Pack 1
14-05-2015 15:18:40 Software Removal Tool
23-05-2015 01:38:06 Windows Update
10-06-2015 23:55:07 Scheduled checkpoint
11-06-2015 02:07:38 Installed REALTEK 11n USB Wireless LAN Software
11-06-2015 02:15:39 Installed REALTEK 11n USB Wireless LAN Software
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 05:34 - 2009-06-11 00:00 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {7A81D85E-7309-42D2-8F54-C23EAA2195E0} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-13] (Google Inc.)
Task: {8FBCAE55-2B26-44D7-A821-0B69BA84663D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-13] (Google Inc.)
Task: {90DBF56F-4B62-40D4-8259-5F997A682C8E} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {C4A929F3-8751-4C12-9341-76D2F95C0AE2} - System32\Tasks\Origin => C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe [2015-04-16] () <==== ATTENTION
Task: {C8547845-463A-4683-BD08-98869701A667} - System32\Tasks\{302EB837-E5E7-46EA-AC57-9AC77063E860} => pcalua.exe -a "C:\Program Files (x86)\Picexa\uninstall.exe"
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2014-12-13 22:50 - 2014-12-13 22:50 - 00006144 _____ () C:\Users\Gerasimos\AppData\Local\Microsoft\Windows Sidebar\Gadgets\CoreTempGadget2.7.gadget\CoreTempReader.dll
2014-12-13 22:50 - 2014-12-13 22:50 - 00008704 _____ () C:\Users\Gerasimos\AppData\Local\Microsoft\Windows Sidebar\Gadgets\CoreTempGadget2.7.gadget\GetCoreTempInfoNET.dll
2014-12-13 22:50 - 2014-12-13 22:50 - 00007680 _____ () C:\Users\Gerasimos\AppData\Local\Microsoft\Windows Sidebar\Gadgets\CoreTempGadget2.7.gadget\SystemInfo.dll
2015-06-11 02:15 - 2009-12-09 21:20 - 00126976 _____ () C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\EnumDevLib.dll
2015-06-11 02:15 - 2011-07-07 01:46 - 00704000 _____ () C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\P2PLib.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-642514363-872633330-2413782007-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Gerasimos\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{34783189-F46C-4496-8EC4-4712AFF364AF}] => (Allow) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
FirewallRules: [{121DB392-8D07-4C0E-BEA3-618809FC5B03}] => (Allow) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
FirewallRules: [{9EF0D8DB-0946-46DB-AD72-AB5B6301EA9C}] => (Allow) LPort=1542
FirewallRules: [{B9467ED1-353F-4E09-9AF6-2AD8FE9AB631}] => (Allow) LPort=1542
FirewallRules: [{C01875F4-3B68-4094-972F-6BD8ACF132FC}] => (Allow) LPort=53
FirewallRules: [{45D86E05-5E30-47A8-923E-99387DB7D77E}] => (Allow) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{5B9A8E66-EE81-468B-A646-06A8AE39D563}] => (Allow) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{A2A33796-0FBC-4892-AF42-6F598A1E742E}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe
FirewallRules: [{149AADDA-B172-4B8C-8C4F-0E49F7F5D7A7}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe
FirewallRules: [{F958DD1F-28A5-484E-B8FD-DEEA227E7B0F}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe
FirewallRules: [{D474002F-039E-4D76-96A1-2241119E75B3}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe
FirewallRules: [{D2885FE8-CA9C-4310-B0F1-77E67F973474}] => (Allow) LPort=1886
FirewallRules: [{70FB6331-C1C8-4921-9304-A16DF1778CD8}] => (Allow) LPort=1886
FirewallRules: [{8B64FD1E-FAF5-4485-B70A-9064B51830DA}] => (Allow) D:\Mr DJ\Far Cry 4\bin\FarCry4.exe
FirewallRules: [{FE1EB9A0-F314-40F4-A767-9DB4F438C95E}] => (Allow) D:\Mr DJ\Far Cry 4\bin\FarCry4.exe
FirewallRules: [{CE13A923-A311-402C-BBC2-CB871A026713}] => (Allow) C:\Users\Gerasimos\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{1DECA8BF-6CE5-40A3-882F-659F8BABF5CA}] => (Allow) C:\Users\Gerasimos\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C8FD9DD3-D669-4A48-BEA7-085B0C877171}] => (Allow) C:\Users\Gerasimos\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{ACAFEEE7-E5AA-4524-8221-7C7A36DC3DC7}] => (Allow) C:\Users\Gerasimos\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{A20A8414-498B-4E10-9830-DA3B477558D8}D:\enemy front\bin32\enemyfront.exe] => (Block) D:\enemy front\bin32\enemyfront.exe
FirewallRules: [UDP Query User{99871BCB-2902-498A-B356-416D3AE2458C}D:\enemy front\bin32\enemyfront.exe] => (Block) D:\enemy front\bin32\enemyfront.exe
FirewallRules: [TCP Query User{ED267F1C-BF47-424B-AA4B-C4AA5F061507}D:\black_box\assassins creed - revelations\acrsp.exe] => (Block) D:\black_box\assassins creed - revelations\acrsp.exe
FirewallRules: [UDP Query User{07A11D7B-156E-4FE0-8524-FA91CF029A71}D:\black_box\assassins creed - revelations\acrsp.exe] => (Block) D:\black_box\assassins creed - revelations\acrsp.exe
FirewallRules: [TCP Query User{B3187292-4DAA-4753-A25C-614ACE9E8AAF}C:\program files (x86)\ubisoft\far cry 4 inc. valley of the yetis\bin\farcry4.exe] => (Block) C:\program files (x86)\ubisoft\far cry 4 inc. valley of the yetis\bin\farcry4.exe
FirewallRules: [UDP Query User{3EE12C0B-1F3D-4C90-B305-2C2E061B285B}C:\program files (x86)\ubisoft\far cry 4 inc. valley of the yetis\bin\farcry4.exe] => (Block) C:\program files (x86)\ubisoft\far cry 4 inc. valley of the yetis\bin\farcry4.exe
FirewallRules: [{B0A96F34-6D67-4FF7-AAD4-D9CC535CBA40}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{AFD6763A-6835-4666-9BA0-5BF266C2B658}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{46A44DB3-7F5D-4726-A7FC-7C205F529A99}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{2037053A-C0CC-4038-8AC1-6754CFC39C8D}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe
FirewallRules: [{65B51962-8BE1-4384-ADA3-28F3717F98A2}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe
FirewallRules: [TCP Query User{3C911119-39B2-4BE2-AFA1-A680DC1D61A1}C:\program files (x86)\starcraft ii\versions\base32283\sc2.exe] => (Block) C:\program files (x86)\starcraft ii\versions\base32283\sc2.exe
FirewallRules: [UDP Query User{97419FB1-E732-43A2-968A-76BD8DF828AD}C:\program files (x86)\starcraft ii\versions\base32283\sc2.exe] => (Block) C:\program files (x86)\starcraft ii\versions\base32283\sc2.exe
FirewallRules: [{BEA415E9-DD8E-4810-99B7-D7C6D855510C}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{5F7ED52A-3A1D-4346-8778-18FDB401DFA0}] => (Allow) LPort=67
FirewallRules: [{27340A74-FB27-4B90-89D2-83FC052C4C47}] => (Allow) LPort=68
FirewallRules: [{75617DCF-BD21-4DC5-B2B3-419EE0B67316}] => (Allow) LPort=53
FirewallRules: [{36D1EE67-EFCA-4E9C-BABB-A2260663D03B}] => (Allow) LPort=53
 
==================== Faulty Device Manager Devices =============
 
Name: Ελεγκτής Ethernet
Description: Ελεγκτής Ethernet
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Ελεγκτής Ενιαίου Σειριακού Διαύλου (Universal Serial Bus - USB)
Description: Ελεγκτής Ενιαίου Σειριακού Διαύλου (Universal Serial Bus - USB)
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/12/2015 10:43:07 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Η ενεργοποίηση της άδειας χρήσης των Windows απέτυχε. Σφάλμα 0x00000000.
 
Error: (06/12/2015 10:43:07 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: Η Ενεργοποίηση αδειών χρήσης (slui.exe) απέτυχε με τον ακόλουθο κωδικό σφάλματος:
0x80070005
 
Error: (06/11/2015 11:59:55 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Η ενεργοποίηση της άδειας χρήσης των Windows απέτυχε. Σφάλμα 0x00000000.
 
Error: (06/11/2015 11:59:55 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: Η Ενεργοποίηση αδειών χρήσης (slui.exe) απέτυχε με τον ακόλουθο κωδικό σφάλματος:
0x80070005
 
Error: (06/11/2015 11:11:28 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Η ενεργοποίηση της άδειας χρήσης των Windows απέτυχε. Σφάλμα 0x00000000.
 
Error: (06/11/2015 11:11:28 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: Η Ενεργοποίηση αδειών χρήσης (slui.exe) απέτυχε με τον ακόλουθο κωδικό σφάλματος:
0x80070005
 
Error: (06/11/2015 02:28:57 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Η ενεργοποίηση της άδειας χρήσης των Windows απέτυχε. Σφάλμα 0x00000000.
 
Error: (06/11/2015 02:28:57 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: Η Ενεργοποίηση αδειών χρήσης (slui.exe) απέτυχε με τον ακόλουθο κωδικό σφάλματος:
0x80070005
 
Error: (06/11/2015 02:17:07 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Η ενεργοποίηση της άδειας χρήσης των Windows απέτυχε. Σφάλμα 0x00000000.
 
Error: (06/11/2015 02:17:07 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: Η Ενεργοποίηση αδειών χρήσης (slui.exe) απέτυχε με τον ακόλουθο κωδικό σφάλματος:
0x80070005
 
 
System errors:
=============
Error: (06/12/2015 10:43:13 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Απέτυχε η φόρτωση των ακόλουθων προγραμμάτων οδήγησης της εκκίνησης του υπολογιστή ή της εκκίνησης του συστήματος: 
cdrom
 
Error: (06/12/2015 00:00:03 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Απέτυχε η φόρτωση των ακόλουθων προγραμμάτων οδήγησης της εκκίνησης του υπολογιστή ή της εκκίνησης του συστήματος: 
cdrom
 
Error: (06/11/2015 00:08:18 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}
 
Error: (06/11/2015 11:17:24 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: Η υπηρεσία PEVSystemStart έχει σημανθεί ως υπηρεσία αλληλεπίδρασης.  Όμως οι ρυθμίσεις του συστήματος δεν επιτρέπουν τις αλληλεπιδραστικές υπηρεσίες.  Αυτή η υπηρεσία ίσως να μην λειτουργεί σωστά.
 
Error: (06/11/2015 11:15:57 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: Η υπηρεσία PEVSystemStart έχει σημανθεί ως υπηρεσία αλληλεπίδρασης.  Όμως οι ρυθμίσεις του συστήματος δεν επιτρέπουν τις αλληλεπιδραστικές υπηρεσίες.  Αυτή η υπηρεσία ίσως να μην λειτουργεί σωστά.
 
Error: (06/11/2015 11:11:32 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Απέτυχε η φόρτωση των ακόλουθων προγραμμάτων οδήγησης της εκκίνησης του υπολογιστή ή της εκκίνησης του συστήματος: 
cdrom
 
Error: (06/11/2015 02:29:01 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Απέτυχε η φόρτωση των ακόλουθων προγραμμάτων οδήγησης της εκκίνησης του υπολογιστή ή της εκκίνησης του συστήματος: 
cdrom
 
Error: (06/11/2015 02:17:13 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Απέτυχε η φόρτωση των ακόλουθων προγραμμάτων οδήγησης της εκκίνησης του υπολογιστή ή της εκκίνησης του συστήματος: 
cdrom
 
Error: (06/11/2015 02:16:16 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: Η υπηρεσία Realtek11nCU έχει σημανθεί ως υπηρεσία αλληλεπίδρασης.  Όμως οι ρυθμίσεις του συστήματος δεν επιτρέπουν τις αλληλεπιδραστικές υπηρεσίες.  Αυτή η υπηρεσία ίσως να μην λειτουργεί σωστά.
 
Error: (06/11/2015 02:11:14 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Απέτυχε η φόρτωση των ακόλουθων προγραμμάτων οδήγησης της εκκίνησης του υπολογιστή ή της εκκίνησης του συστήματος: 
cdrom
 
 
Microsoft Office:
=========================
Error: (06/12/2015 10:43:07 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x000000000x00000001
 
Error: (06/12/2015 10:43:07 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: 0x80070005
 
Error: (06/11/2015 11:59:55 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x000000000x00000001
 
Error: (06/11/2015 11:59:55 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: 0x80070005
 
Error: (06/11/2015 11:11:28 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x000000000x00000001
 
Error: (06/11/2015 11:11:28 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: 0x80070005
 
Error: (06/11/2015 02:28:57 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x000000000x00000001
 
Error: (06/11/2015 02:28:57 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: 0x80070005
 
Error: (06/11/2015 02:17:07 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x000000000x00000001
 
Error: (06/11/2015 02:17:07 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: 0x80070005
 
 
==================== Memory info =========================== 
 
Processor: AMD FX™-6300 Six-Core Processor 
Percentage of memory in use: 16%
Total physical RAM: 8156.64 MB
Available physical RAM: 6839.45 MB
Total Pagefile: 16311.48 MB
Available Pagefile: 14798.06 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:468.26 GB) (Free:187.02 GB) NTFS
Drive d: () (Fixed) (Total:463.16 GB) (Free:331.99 GB) NTFS
Drive e: () (Removable) (Total:7.5 GB) (Free:6.37 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: D7F395A1)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=468.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=463.2 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 7.5 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
==================== End of log ============================


Edited by xXToffeeXx, 12 June 2015 - 10:59 AM.


#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:55 PM

Posted 12 June 2015 - 11:17 AM

Hi gerry13,
 

Please note that I downloaded the program from another computer and transferred it to the infected one through a USB key. The logs are from the infected computer, needless to say. If you would like me to reply/download directly to my computer regardless of the virus, let me know. Here are the logs:

That is fine, you can keep doing that if it is easier for you :) 
 
We need to run a fix with FRST:

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-642514363-872633330-2413782007-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-642514363-872633330-2413782007-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 
SearchScopes: HKU\S-1-5-21-642514363-872633330-2413782007-1000 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = 
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe
Task: {C4A929F3-8751-4C12-9341-76D2F95C0AE2} - System32\Tasks\Origin => C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe [2015-04-16] () <==== ATTENTION
C:\Windows\temp\svchost.exe
C:\Windows\temp\lsass.exe
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Is the bitcoin miner still detected?
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
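The fix above removes the Origin task, its update.vbe payload and the two temp-folder binaries; as an added example (not from this thread and not part of FRST), this PowerShell re-checks a host for those same persistence patterns afterwards: task definitions under System32\Tasks that launch a script or anything in the user profile, and files or running processes named svchost.exe/lsass.exe outside System32. The folders searched, the process-name list and the script-extension pattern are assumptions chosen for this case, not FRST's whitelist; it reads the task XML directly so it also works on Windows 7, and needs an elevated prompt.

```powershell
# Added example, not part of this thread or of FRST. After a fix like the one above,
# re-check the two persistence patterns the thread shows: a scheduled task that runs a
# script from the user profile (System32\Tasks\Origin -> AppData\Roaming\Origin\update.vbe)
# and binaries named like core Windows processes outside System32 (C:\Windows\temp\
# svchost.exe, lsass.exe). Folder list, name list and regex are assumptions for this
# case. Task XML is read directly (works on Windows 7). Run from an elevated prompt.

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Kind, [string]$Name, [string]$Detail) {
    $row = New-Object PSObject -Property @{ Kind = $Kind; Name = $Name; Detail = $Detail }
    [void]$findings.Add($row)
}

# ---- 1. Scheduled tasks: read the stored definitions under System32\Tasks -------
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
# Anything run from a user profile, any script-file extension, or a script host.
$suspectPattern = '\\Users\\|\\AppData\\|\.(vbe|vbs|js|jse|wsf|hta|ps1|bat|cmd)(\s|"|$)|\b(wscript|cscript|mshta)\b'

Get-ChildItem -Path $taskRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($_.FullName) } catch { return }     # skip anything that is not task XML
        $relName = $_.FullName.Substring($taskRoot.Length)  # e.g. \Origin
        foreach ($exec in @($doc.Task.Actions.Exec)) {      # <Exec> = command-line action
            if ($exec -eq $null) { continue }
            $cmdLine = ("$($exec.Command) $($exec.Arguments)").Trim()
            if ($cmdLine -match $suspectPattern) {
                Add-Finding 'ScheduledTask' $relName $cmdLine
            }
        }
    }

# ---- 2. Files named like system processes, but living where malware drops them ----
$systemNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe')
$trustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$dropRoots   = @("$env:SystemRoot\Temp", $env:TEMP, "$env:USERPROFILE\AppData", $env:ProgramData)

foreach ($root in $dropRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.PSIsContainer) -and ($systemNames -contains $_.Name.ToLower()) } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName   # real ones are Microsoft-signed
            $detail = "signature=$($sig.Status) size=$($_.Length) modified=$($_.LastWriteTime)"
            Add-Finding 'MasqueradingFile' $_.FullName $detail
        }
}

# ---- 3. Running processes with those names whose image is not in System32 --------
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($systemNames -notcontains ($proc.Name + '.exe').ToLower()) { continue }
    $imagePath = $proc.Path                                 # $null when access is denied
    if (-not $imagePath) { continue }
    if ($trustedDirs -notcontains (Split-Path $imagePath -Parent)) {
        Add-Finding 'MasqueradingProcess' "$($proc.Name) (PID $($proc.Id))" $imagePath
    }
}

if ($findings.Count -eq 0) {
    'No suspicious scheduled tasks or masquerading system binaries found.'
} else {
    $findings | Sort-Object Kind, Name | Format-Table Kind, Name, Detail -AutoSize -Wrap
}
```

A clean run prints the single "No suspicious..." line; on the machine in this thread, before the fix, the Origin task and the two temp-folder files would have been listed.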


#6 gerry13 (Topic Starter)

Posted 12 June 2015 - 01:34 PM

I do this transfer from one computer to the other since I have stopped network access from the infected one to prevent further infection.

 

Malwarebytes Anti-Malware has deleted the viruses, but there must have been leftovers from them which recreate the viruses when I connect to the internet. I ran another scan after the fix and it came up clean! Do you want me to reconnect to the internet?

 

Fix result of Farbar Recovery Scan Tool (x64) Version:08-06-2015
Ran by Gerasimos at 2015-06-12 21:27:13 Run:1
Running from E:\
Loaded Profiles: Gerasimos (Available Profiles: Gerasimos)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-642514363-872633330-2413782007-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-642514363-872633330-2413782007-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 
SearchScopes: HKU\S-1-5-21-642514363-872633330-2413782007-1000 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = 
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe
Task: {C4A929F3-8751-4C12-9341-76D2F95C0AE2} - System32\Tasks\Origin => C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe [2015-04-16] () <==== ATTENTION
C:\Windows\temp\svchost.exe
C:\Windows\temp\lsass.exe
*****************
 
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-642514363-872633330-2413782007-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\S-1-5-21-642514363-872633330-2413782007-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-642514363-872633330-2413782007-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
C:\Users\Gerasimos\AppData\Roaming\Origin\update.vbe => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C4A929F3-8751-4C12-9341-76D2F95C0AE2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C4A929F3-8751-4C12-9341-76D2F95C0AE2}" => key removed successfully
C:\Windows\System32\Tasks\Origin => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Origin" => key removed successfully
"C:\Windows\temp\svchost.exe" => File/Folder not found.
"C:\Windows\temp\lsass.exe" => File/Folder not found.
 
==== End of Fixlog 21:27:14 ====


Edited by xXToffeeXx, 13 June 2015 - 01:44 PM.


#7 gerry13 (Topic Starter)

Posted 12 June 2015 - 01:46 PM

I'm sending another fixlog. There's a slight chance the fix didn't work because both FRST.exe and the fixlist were on the USB key; for this one both are saved on the infected computer's desktop! I apologize for that.




#8 xXToffeeXx (Malware Response Instructor)

Posted 13 June 2015 - 01:46 PM

Hi gerry13,

 

Yes, please reconnect so I can see if the malware comes back :)

 

xXToffeeXx~




#9 gerry13 (Topic Starter)

Posted 13 June 2015 - 02:25 PM

It worked!! :D

 

I just connected and ran a scan while connected; it came up clean! I also checked the temp folder: it's also clean, no svchost or lsass. CPU and memory usage is normal as well :)

 

Thanks a lot for your help Toffee, you are amazing!



#10 xXToffeeXx (Malware Response Instructor)

Posted 13 June 2015 - 02:50 PM

Hi gerry13,
 
I am really happy to hear that :)
 
I don't see an Antivirus Program running on your machine

Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Three good antivirus programs free for non-commercial home use are Avast! (offers Google Chrome or Google Docs), Antivir (automatically installs the Ask Toolbar) and Microsoft Security Essentials
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
 
xXToffeeXx~




#11 gerry13 (Topic Starter)

Posted 14 June 2015 - 07:22 AM

I haven't had an antivirus program on my computer for a couple of months now... I kept Malwarebytes installed and I will be running a scan every now and then just to be sure! Is there any other antivirus program you'd suggest me to have?



#12 xXToffeeXx (Malware Response Instructor)

Posted 15 June 2015 - 06:38 AM

Hi gerry13,

 

Personally I would recommend Avast as a good free antivirus. Just make sure to uncheck any offers and to turn the voice off.

 

xXToffeeXx~




#13 gerry13 (Topic Starter)

Posted 15 June 2015 - 07:04 AM

Alright, thanks for the advice Toffee, and most of all thank you for helping me with that malware problem! :)


Edited by gerry13, 15 June 2015 - 07:08 AM.


#14 xXToffeeXx (Malware Response Instructor)

Posted 15 June 2015 - 07:13 AM

Hi gerry13,

 

You are most welcome :)

 

xXToffeeXx~




#15 xXToffeeXx (Malware Response Instructor)

Posted 15 June 2015 - 07:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





