
dllhost.exe COM Surrogate virus after CTB Locker hit


This topic is locked
12 replies to this topic

#1 benkx
Posted 20 June 2015 - 09:59 PM

Hi, I was hit by the CTB Locker virus (which encrypted all my files). When trying to remove it, I noticed I am also infected by the dllhost.exe COM Surrogate virus, whereas different executables keep popping up and slowing down the PC. I tried a bunch of different things, such as Malwarebytes and ComboFix, but to no avail; this PC is severely infected. Please help! I'm posting the FRST.txt file below:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-06-2015
Ran by nofar (administrator) on NOFAR-PC on 20-06-2015 21:51:14
Running from C:\Users\nofar\Desktop
Loaded Profiles: nofar (Available Profiles: nofar)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Aventail Corporation) C:\Windows\System32\ngvpnmgr.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(ArcSoft, Inc.) C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe
(Dropbox, Inc.) C:\Users\nofar\AppData\Roaming\Dropbox\bin\Dropbox.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Lenovo) C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Google Inc.) C:\Users\nofar\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\nofar\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\nofar\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\nofar\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\nofar\AppData\Local\Google\Chrome\Application\chrome.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Google Inc.) C:\Users\nofar\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\wbengine.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Dropbox, Inc.) C:\ben\Dropbox\.dropbox.cache\dropbox-upgrade-3.6.7.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Dropbox, Inc.) C:\Users\nofar\AppData\Local\Temp\GUMDC0C.tmp\DropboxUpdate.exe
(Dropbox, Inc.) C:\Users\nofar\AppData\Local\Dropbox\Update\DropboxUpdate.exe
(Dropbox, Inc.) C:\Users\nofar\AppData\Local\Dropbox\Update\DropboxUpdate.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Dropbox, Inc.) C:\Users\nofar\AppData\Local\Dropbox\Update\Install\{FB96A841-9432-42A0-81BF-D60F6575A700}\DropboxClientInstaller.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\update.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\updrgui.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avscan.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Dropbox, Inc.) C:\Users\nofar\AppData\Local\Dropbox\Update\DropboxUpdate.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2741544 2011-04-07] (Synaptics Incorporated)
HKLM\...\Run: [Lenovo EE Boot Optimizer] => C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-10-26] (Lenovo)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9753024 2011-10-26] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2011-10-26] (Lenovo(beijing) Limited)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-02-18] (Intel Corporation)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2011-01-28] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe [228448 2011-01-28] (CyberLink Corp.)
HKLM-x32\...\Run: [VeriFaceManager] => C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [329056 2011-10-26] (Lenovo)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [522232 2012-08-17] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [730416 2015-06-09] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452272 2012-08-31] (CANON INC.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe [130864 2015-05-21] (Avira Operations GmbH & Co. KG)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3481408 2012-02-13] (DT Soft Ltd)
HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31280256 2015-04-17] (Skype Technologies S.A.)
HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...\Run: [Dropbox Update] => C:\Users\nofar\AppData\Local\Dropbox\Update\DropboxUpdate.exe [134512 2015-06-20] (Dropbox, Inc.)
HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"xfn8\..\mshtml,RunHTMLApplication ";eval("usxzs7<odv!@buhwdYNckdbu)#VRbshqu (the data entry has 28612 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2012-04-05]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TMMonitor.lnk [2013-01-12]
ShortcutTarget: TMMonitor.lnk -> C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe (ArcSoft, Inc.)
Startup: C:\Users\nofar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2014-06-16]
ShortcutTarget: Dropbox.lnk -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [VeriFace Enc] -> {771C7324-DA80-49D3-8017-753B0AF60951} => C:\windows\system32\IcnOvrly.dll [2011-10-26] ()
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.il/
HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001 -> DefaultScope {A82623E0-FCE7-408C-B798-876530450452} URL = http://www.google.com/search?hl=en&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=1947&systemid=406&v=n13001-377&apn_uid=3919172142524715&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001 -> {A82623E0-FCE7-408C-B798-876530450452} URL = http://www.google.com/search?hl=en&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = 
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://qtinstall.apple.com/qtactivex/qtplugin.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {538793D5-659C-4639-A56C-A179AD87ED44} https://webvpn.huji.ac.il/CACHE/stc/8/binaries/vpnweb.cab
DPF: HKLM-x32 {7F8C8173-AD80-4807-AA75-5672F22B4582} https://tango.huji.ac.il/sre/ICSScanner.cab
DPF: HKLM-x32 {CC679CB8-DC4B-458B-B817-D447B3B6AC31} https://webvpn.huji.ac.il/CACHE/stc/6/binaries/vpnweb.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
FireFox:
========
FF ProfilePath: C:\Users\nofar\AppData\Roaming\Mozilla\Firefox\Profiles\4hxpy3op.default
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll [2014-04-03] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll [2014-04-03] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll [2012-10-04] (Adobe Systems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-09] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2600357391-3155684455-3503250330-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\nofar\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-2600357391-3155684455-3503250330-1001: @talk.google.com/O1DPlugin -> C:\Users\nofar\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-2600357391-3155684455-3503250330-1001: @tools.google.com/Google Update;version=3 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-2600357391-3155684455-3503250330-1001: @tools.google.com/Google Update;version=9 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-2600357391-3155684455-3503250330-1001: @zoom.us/ZoomVideoPlugin -> C:\Users\nofar\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2014-03-28] (Zoom Video Communications, Inc.)
FF Plugin HKU\S-1-5-21-2600357391-3155684455-3503250330-1001: sony.com/MediaGoDetector -> C:\Program Files (x86)\Sony\Media Go\npMediaGoDetector.dll [2013-04-25] (Sony Network Entertainment International LLC)
FF Plugin ProgramFiles/Appdata: C:\Users\nofar\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\nofar\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Extension: Avira Browser Safety - C:\Users\nofar\AppData\Roaming\Mozilla\Firefox\Profiles\4hxpy3op.default\Extensions\abs@avira.com [2015-05-30]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-06-02]
 
Chrome: 
=======
CHR Profile: C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-02-03]
CHR Extension: (Adblock Plus) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2012-08-05]
CHR Extension: (Google Search) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-02-03]
CHR Extension: (Avira Browser Safety) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2014-10-09]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-04]
CHR Extension: (Skype Click to Call) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-02-06]
CHR Extension: (Google Mail Checker) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff [2012-07-03]
CHR Extension: (Google Wallet) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-06]
CHR Extension: (Gmail) - C:\Users\nofar\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-02-03]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2015-05-01]
StartMenuInternet: Google Chrome - C:\Users\nofar\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [827184 2015-06-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [450808 2015-06-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [450808 2015-06-09] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1188360 2015-06-09] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [208632 2015-05-21] (Avira Operations GmbH & Co. KG)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1394816 2015-05-01] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1772672 2015-05-01] (Microsoft Corporation)
S2 cpextender; C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe [331870 2007-05-15] (Check Point Software Technologies) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2014-11-17] (Hewlett-Packard) [File not signed]
R2 NgVpnMgr; C:\windows\system32\ngvpnmgr.exe [565544 2014-10-09] (Aventail Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2014-11-17] (Hewlett-Packard) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WatAdminSvc; %SystemRoot%\system32\Wat\WatAdminSvc.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [153256 2015-06-09] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132656 2015-06-09] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-11-26] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [44088 2015-03-10] (Avira Operations GmbH & Co. KG)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-04-05] (DT Soft Ltd)
R3 JmUsbCcgp; C:\Windows\System32\DRIVERS\jmccgp.sys [17880 2010-07-21] (JMicron Technology Corp.)
R3 JmUsbVideo; C:\Windows\System32\Drivers\jmcam.sys [57816 2010-08-27] (JMicron Technology Corp.)
R3 JmUsbVideo2; C:\Windows\System32\Drivers\jmcam_lo.sys [32088 2010-08-27] (JMicron Technology Corp.)
S3 mbamchameleon; C:\windows\system32\drivers\mbamchameleon.sys [107736 2015-06-10] (Malwarebytes Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
S3 NgFilter; C:\Windows\System32\DRIVERS\ngfilter.sys [26920 2014-10-04] (Aventail Corporation)
R3 NgLog; C:\Windows\System32\DRIVERS\nglog.sys [31016 2014-10-04] (Aventail Corporation)
R3 NgVpn; C:\Windows\System32\DRIVERS\ngvpn.sys [109864 2014-10-04] (Aventail Corporation)
R3 NgWfp; C:\Windows\System32\DRIVERS\ngwfp.sys [31528 2014-10-04] (Aventail Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
U3 BcmSqlStartupSvc; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U2 CLKMSVC10_3A60B698; No ImagePath
U2 CLKMSVC10_C3B3B687; No ImagePath
U2 DriverService; No ImagePath
U2 iATAgentService; No ImagePath
U2 idealife Update Service; No ImagePath
U3 IGRS; No ImagePath
U2 IviRegMgr; No ImagePath
U2 nvUpdatusService; No ImagePath
U2 Oasis2Service; No ImagePath
U2 PCCarerService; No ImagePath
U2 ReadyComm.DirectRouter; No ImagePath
U2 RichVideo; No ImagePath
U2 RtLedService; No ImagePath
U2 SeaPort; No ImagePath
U2 SoftwareService; No ImagePath
U3 SQLWriter; No ImagePath
U2 Stereo Service; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-20 21:53 - 2015-06-20 21:53 - 00000000 ____D C:\Users\nofar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-06-20 21:51 - 2015-06-20 22:09 - 00025534 _____ C:\Users\nofar\Desktop\FRST.txt
2015-06-20 21:49 - 2015-06-20 21:53 - 00000000 ____D C:\FRST
2015-06-20 21:45 - 2015-06-20 21:52 - 00000918 _____ C:\windows\Tasks\DropboxUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001UA.job
2015-06-20 21:45 - 2015-06-20 21:45 - 00003888 _____ C:\windows\System32\Tasks\DropboxUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001UA
2015-06-20 21:44 - 2015-06-20 21:49 - 00000866 _____ C:\windows\Tasks\DropboxUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001Core.job
2015-06-20 21:44 - 2015-06-20 21:44 - 00003492 _____ C:\windows\System32\Tasks\DropboxUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001Core
2015-06-20 21:44 - 2015-06-20 21:44 - 00000000 ____D C:\Users\nofar\AppData\Local\Dropbox
2015-06-20 21:44 - 2015-06-20 21:44 - 00000000 ____D C:\ProgramData\Dropbox
2015-06-20 21:39 - 2015-06-20 21:39 - 02109952 _____ (Farbar) C:\Users\nofar\Desktop\FRST64.exe
2015-06-16 21:49 - 2015-06-16 21:49 - 00001116 _____ C:\Users\Public\Desktop\Avira.lnk
2015-06-16 21:47 - 2015-06-16 22:08 - 00002444 _____ C:\Users\nofar\Desktop\Rkill.txt
2015-06-16 00:32 - 2015-06-16 00:32 - 00057990 _____ C:\ComboFix.txt
2015-06-15 23:25 - 2011-06-26 02:45 - 00256000 _____ C:\windows\PEV.exe
2015-06-15 23:25 - 2010-11-07 13:20 - 00208896 _____ C:\windows\MBR.exe
2015-06-15 23:25 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\windows\NIRCMD.exe
2015-06-15 23:25 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\windows\SWREG.exe
2015-06-15 23:25 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\windows\SWSC.exe
2015-06-15 23:25 - 2000-08-30 20:00 - 00098816 _____ C:\windows\sed.exe
2015-06-15 23:25 - 2000-08-30 20:00 - 00080412 _____ C:\windows\grep.exe
2015-06-15 23:25 - 2000-08-30 20:00 - 00068096 _____ C:\windows\zip.exe
2015-06-15 23:21 - 2015-06-15 23:21 - 00000000 ____D C:\Users\nofar\AppData\Local\GWX
2015-06-15 21:20 - 2015-06-16 00:34 - 00000000 ____D C:\Qoobox
2015-06-15 21:20 - 2015-06-16 00:27 - 00000000 ____D C:\windows\erdnt
2015-06-14 02:07 - 2015-06-14 02:07 - 00000000 ____D C:\Program Files\Recuva
2015-06-14 01:25 - 2015-06-14 01:25 - 04426120 _____ (Piriform Ltd) C:\Users\nofar\Downloads\rcsetup152.exe
2015-06-11 23:11 - 2015-06-11 23:11 - 00015360 _____ C:\Users\nofar\Documents\New מצגת של Microsoft PowerPoint.ppt
2015-06-11 04:31 - 2015-06-11 04:31 - 12444088 _____ C:\Users\nofar\Downloads\testdisk-7.0.win (1).zip
2015-06-11 00:11 - 2015-06-11 00:11 - 12444088 _____ C:\Users\nofar\Downloads\testdisk-7.0.win.zip
2015-06-11 00:11 - 2015-06-11 00:11 - 00000000 ____D C:\Users\nofar\Downloads\testdisk-7.0.win
2015-06-11 00:05 - 2015-06-11 00:06 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\nofar\Desktop\rkill.exe
2015-06-11 00:03 - 2015-06-11 00:03 - 05628161 _____ (Swearware) C:\Users\nofar\Downloads\ComboFix.exe
2015-06-11 00:02 - 2015-06-11 00:03 - 05628161 ____R (Swearware) C:\Users\nofar\Desktop\ComboFix.exe
2015-06-10 23:52 - 2015-06-11 00:00 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-06-10 23:47 - 2015-06-10 23:47 - 00000000 ____D C:\Users\nofar\Desktop\mbar
2015-06-10 23:45 - 2015-06-10 23:46 - 16502728 _____ (Malwarebytes Corp.) C:\Users\nofar\Desktop\mbar-1.09.1.1004.exe
2015-06-10 23:37 - 2015-06-10 23:37 - 00000000 ____D C:\Users\nofar\AppData\Roaming\www.shadowexplorer.com
2015-06-10 23:35 - 2015-06-10 23:35 - 00137737 _____ C:\Users\nofar\Downloads\ShadowExplorer-0.9-portable.zip
2015-06-10 23:35 - 2015-06-10 23:35 - 00000000 ____D C:\Users\nofar\Downloads\ShadowExplorer-0.9-portable
2015-06-10 22:55 - 2015-06-01 15:16 - 00389840 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2015-06-10 22:55 - 2015-06-01 14:07 - 00342736 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2015-06-10 22:55 - 2015-05-27 10:35 - 24917504 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2015-06-10 22:55 - 2015-05-27 10:08 - 19607040 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2015-06-10 22:55 - 2015-05-22 23:28 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2015-06-10 22:55 - 2015-05-22 23:15 - 00503808 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2015-06-10 22:55 - 2015-05-22 23:15 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2015-06-10 22:55 - 2015-05-22 23:15 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2015-06-10 22:55 - 2015-05-22 23:14 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2015-06-10 22:55 - 2015-05-22 23:13 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2015-06-10 22:55 - 2015-05-22 23:10 - 02278912 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2015-06-10 22:55 - 2015-05-22 23:09 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2015-06-10 22:55 - 2015-05-22 23:08 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2015-06-10 22:55 - 2015-05-22 23:06 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2015-06-10 22:55 - 2015-05-22 23:05 - 00664064 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2015-06-10 22:55 - 2015-05-22 23:05 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2015-06-10 22:55 - 2015-05-22 23:04 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2015-06-10 22:55 - 2015-05-22 22:57 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2015-06-10 22:55 - 2015-05-22 22:52 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-06-10 22:55 - 2015-05-22 22:49 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2015-06-10 22:55 - 2015-05-22 22:48 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2015-06-10 22:55 - 2015-05-22 22:47 - 04305920 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2015-06-10 22:55 - 2015-05-22 22:47 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2015-06-10 22:55 - 2015-05-22 22:38 - 00689152 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2015-06-10 22:55 - 2015-05-22 22:37 - 02052608 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2015-06-10 22:55 - 2015-05-22 22:37 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2015-06-10 22:55 - 2015-05-22 22:28 - 12829696 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2015-06-10 22:55 - 2015-05-22 22:20 - 01950720 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2015-06-10 22:55 - 2015-05-22 22:16 - 01309696 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2015-06-10 22:55 - 2015-05-22 22:14 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2015-06-10 22:55 - 2015-05-22 15:16 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2015-06-10 22:55 - 2015-05-22 15:16 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2015-06-10 22:55 - 2015-05-22 15:01 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2015-06-10 22:55 - 2015-05-22 15:00 - 02885632 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2015-06-10 22:55 - 2015-05-22 15:00 - 00584192 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2015-06-10 22:55 - 2015-05-22 15:00 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2015-06-10 22:55 - 2015-05-22 15:00 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2015-06-10 22:55 - 2015-05-22 14:59 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2015-06-10 22:55 - 2015-05-22 14:53 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2015-06-10 22:55 - 2015-05-22 14:52 - 06026240 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2015-06-10 22:55 - 2015-05-22 14:52 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2015-06-10 22:55 - 2015-05-22 14:48 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2015-06-10 22:55 - 2015-05-22 14:47 - 00816640 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2015-06-10 22:55 - 2015-05-22 14:47 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2015-06-10 22:55 - 2015-05-22 14:47 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2015-06-10 22:55 - 2015-05-22 14:47 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2015-06-10 22:55 - 2015-05-22 14:40 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2015-06-10 22:55 - 2015-05-22 14:36 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2015-06-10 22:55 - 2015-05-22 14:29 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2015-06-10 22:55 - 2015-05-22 14:25 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2015-06-10 22:55 - 2015-05-22 14:24 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2015-06-10 22:55 - 2015-05-22 14:21 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2015-06-10 22:55 - 2015-05-22 14:07 - 00720384 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2015-06-10 22:55 - 2015-05-22 14:06 - 00801280 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2015-06-10 22:55 - 2015-05-22 14:05 - 02125824 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2015-06-10 22:55 - 2015-05-22 14:05 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2015-06-10 22:55 - 2015-05-22 13:57 - 14404096 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2015-06-10 22:55 - 2015-05-22 13:50 - 02426880 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2015-06-10 22:55 - 2015-05-22 13:38 - 01545728 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2015-06-10 22:55 - 2015-05-22 13:26 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2015-06-10 22:54 - 2015-05-25 14:19 - 01255424 _____ (Microsoft Corporation) C:\windows\system32\diagtrack.dll
2015-06-10 22:54 - 2015-05-25 14:19 - 00728576 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2015-06-10 22:54 - 2015-05-25 14:19 - 00424960 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2015-06-10 22:54 - 2015-05-25 14:01 - 00551424 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2015-06-10 22:53 - 2015-05-25 14:24 - 05569984 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-06-10 22:53 - 2015-05-25 14:23 - 00155584 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2015-06-10 22:53 - 2015-05-25 14:23 - 00095680 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2015-06-10 22:53 - 2015-05-25 14:21 - 01728960 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 01461760 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 01162752 _____ (Microsoft Corporation) C:\windows\system32\kernel32.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00879104 _____ (Microsoft Corporation) C:\windows\system32\tdh.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00362496 _____ (Microsoft Corporation) C:\windows\system32\wow64win.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00342016 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00314880 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00309760 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00215040 _____ (Microsoft Corporation) C:\windows\system32\winsrv.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00210944 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00136192 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00113664 _____ (Microsoft Corporation) C:\windows\system32\sechost.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00029184 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00016384 _____ (Microsoft Corporation) C:\windows\system32\ntvdm64.dll
2015-06-10 22:53 - 2015-05-25 14:19 - 00013312 _____ (Microsoft Corporation) C:\windows\system32\wow64cpu.dll
2015-06-10 22:53 - 2015-05-25 14:18 - 00879104 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2015-06-10 22:53 - 2015-05-25 14:18 - 00404992 _____ (Microsoft Corporation) C:\windows\system32\tracerpt.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00338432 _____ (Microsoft Corporation) C:\windows\system32\conhost.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00104448 _____ (Microsoft Corporation) C:\windows\system32\logman.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00047104 _____ (Microsoft Corporation) C:\windows\system32\typeperf.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2015-06-10 22:53 - 2015-05-25 14:18 - 00043008 _____ (Microsoft Corporation) C:\windows\system32\relog.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00031232 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2015-06-10 22:53 - 2015-05-25 14:18 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2015-06-10 22:53 - 2015-05-25 14:18 - 00019456 _____ (Microsoft Corporation) C:\windows\system32\diskperf.exe
2015-06-10 22:53 - 2015-05-25 14:14 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2015-06-10 22:53 - 2015-05-25 14:14 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00686080 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00005120 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:11 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 14:07 - 03989440 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-06-10 22:53 - 2015-05-25 14:07 - 03934144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-06-10 22:53 - 2015-05-25 14:04 - 01310744 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00641536 _____ (Microsoft Corporation) C:\windows\SysWOW64\advapi32.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00635392 _____ (Microsoft Corporation) C:\windows\SysWOW64\tdh.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00259584 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00221184 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00092160 _____ (Microsoft Corporation) C:\windows\SysWOW64\sechost.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2015-06-10 22:53 - 2015-05-25 14:01 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2015-06-10 22:53 - 2015-05-25 14:00 - 00364544 _____ (Microsoft Corporation) C:\windows\SysWOW64\tracerpt.exe
2015-06-10 22:53 - 2015-05-25 14:00 - 00082944 _____ (Microsoft Corporation) C:\windows\SysWOW64\logman.exe
2015-06-10 22:53 - 2015-05-25 14:00 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2015-06-10 22:53 - 2015-05-25 14:00 - 00040448 _____ (Microsoft Corporation) C:\windows\SysWOW64\typeperf.exe
2015-06-10 22:53 - 2015-05-25 14:00 - 00037888 _____ (Microsoft Corporation) C:\windows\SysWOW64\relog.exe
2015-06-10 22:53 - 2015-05-25 14:00 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2015-06-10 22:53 - 2015-05-25 14:00 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\diskperf.exe
2015-06-10 22:53 - 2015-05-25 13:59 - 01114112 _____ (Microsoft Corporation) C:\windows\SysWOW64\kernel32.dll
2015-06-10 22:53 - 2015-05-25 13:59 - 00274944 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2015-06-10 22:53 - 2015-05-25 13:59 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2015-06-10 22:53 - 2015-05-25 13:59 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2015-06-10 22:53 - 2015-05-25 13:57 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2015-06-10 22:53 - 2015-05-25 13:57 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00686080 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00005120 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:55 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 13:00 - 00036864 _____ (Microsoft Corporation) C:\windows\system32\UtcResources.dll
2015-06-10 22:53 - 2015-05-25 12:50 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2015-06-10 22:53 - 2015-05-25 12:50 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2015-06-10 22:53 - 2015-05-25 12:48 - 00006144 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 12:48 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 12:48 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-06-10 22:53 - 2015-05-25 12:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-06-10 22:52 - 2015-05-25 13:08 - 03206144 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2015-06-10 22:52 - 2015-04-29 14:22 - 14635008 _____ (Microsoft Corporation) C:\windows\system32\wmp.dll
2015-06-10 22:52 - 2015-04-29 14:07 - 11411456 _____ (Microsoft Corporation) C:\windows\SysWOW64\wmp.dll
2015-06-10 22:51 - 2015-05-22 14:18 - 01021440 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2015-06-10 22:51 - 2015-05-22 14:18 - 00757248 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2015-06-10 22:51 - 2015-05-22 14:18 - 00700416 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2015-06-10 22:51 - 2015-05-22 14:18 - 00423424 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2015-06-10 22:51 - 2015-05-22 14:18 - 00227328 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2015-06-10 22:51 - 2015-05-22 14:18 - 00045568 _____ (Microsoft Corporation) C:\windows\system32\acmigration.dll
2015-06-10 22:51 - 2015-05-22 14:13 - 01119232 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2015-06-10 22:51 - 2015-05-21 09:19 - 00193536 _____ (Microsoft Corporation) C:\windows\system32\aepic.dll
2015-06-10 22:51 - 2015-04-29 14:21 - 00009728 _____ (Microsoft Corporation) C:\windows\system32\spwmp.dll
2015-06-10 22:51 - 2015-04-29 14:21 - 00005120 _____ (Microsoft Corporation) C:\windows\system32\msdxm.ocx
2015-06-10 22:51 - 2015-04-29 14:21 - 00005120 _____ (Microsoft Corporation) C:\windows\system32\dxmasf.dll
2015-06-10 22:51 - 2015-04-29 14:19 - 12625920 _____ (Microsoft Corporation) C:\windows\system32\wmploc.DLL
2015-06-10 22:51 - 2015-04-29 14:07 - 00008192 _____ (Microsoft Corporation) C:\windows\SysWOW64\spwmp.dll
2015-06-10 22:51 - 2015-04-29 14:07 - 00004096 _____ (Microsoft Corporation) C:\windows\SysWOW64\msdxm.ocx
2015-06-10 22:51 - 2015-04-29 14:07 - 00004096 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxmasf.dll
2015-06-10 22:51 - 2015-04-29 14:05 - 12625408 _____ (Microsoft Corporation) C:\windows\SysWOW64\wmploc.DLL
2015-06-10 22:41 - 2015-04-24 14:17 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\comctl32.dll
2015-06-10 22:41 - 2015-04-24 13:56 - 00530432 _____ (Microsoft Corporation) C:\windows\SysWOW64\comctl32.dll
2015-06-10 22:40 - 2015-04-10 23:19 - 00069888 _____ (Microsoft Corporation) C:\windows\system32\Drivers\stream.sys
2015-06-10 21:18 - 2015-06-16 22:21 - 00136408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-10 21:16 - 2015-06-10 23:47 - 00107736 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-06-10 21:16 - 2015-06-10 21:16 - 00001106 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-10 21:16 - 2015-06-10 21:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-10 21:16 - 2015-06-10 21:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-10 21:16 - 2015-06-10 21:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-10 21:16 - 2015-04-14 09:37 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-06-10 21:16 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2015-06-10 21:09 - 2015-06-10 21:09 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\nofar\Downloads\mbam-setup-2.1.6.1022.exe
2015-06-10 20:58 - 2015-06-10 20:58 - 03109248 _____ (Enigma Software Group USA, LLC.) C:\Users\nofar\Downloads\SpyHunter-Installer (1).exe
2015-06-10 20:55 - 2015-06-10 20:55 - 03109248 _____ (Enigma Software Group USA, LLC.) C:\Users\nofar\Downloads\SpyHunter-Installer.exe
2015-06-09 21:42 - 2015-06-09 21:42 - 00001266 _____ C:\Users\nofar\Documents\!Decrypt-All-Files-yhdofnc.txt
2015-06-09 20:38 - 2015-06-09 21:42 - 01613304 _____ C:\ProgramData\wrkudqm.html
2015-06-09 20:27 - 2015-06-09 20:27 - 00003014 _____ C:\windows\System32\Tasks\owzueed
2015-06-04 06:24 - 2015-06-04 06:24 - 00000000 ____D C:\windows\SysWOW64\⵲䝎灕⽤㔱〮ㄮ⸰㌴‴倨剅㭓圠卋※久※噁⁅⸸⸳〳㐮㬰嘠䙄㠠ㄮ⸱㌲⸷㌲㬶圠湩潤獷㜠䠠浯⁥牐浥畩㭭匠牥楶散倠捡㬱䤠牳敡㭬㌠〷㐴ㅤ㜹愸㈴ㄵ㑦敦㜹㡣㈵㌷㕢㤳㜳㍦㉤晡㭣〠〰㄰㤴㤹ⴶ噁佈ⵅ〰〰〰㬱䤠㭌䈠䥕䑌ㄠ⸵⸰〱㐮㐳※㬱〠※㬱椠硥汰牯㭥ㄠ※摤㕦㔱㐵㤵㉢㐴ㅡ捡㌷㠹㝤ぢ攲㌷㜶慥ㄴ㝢摥※⤰
2015-06-02 17:48 - 2015-06-07 17:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-05-26 21:38 - 2015-05-26 21:39 - 00175120 _____ C:\Users\nofar\Desktop\microelectrodes_ch04.PDF.yhdofnc
2015-05-26 21:36 - 2015-05-26 21:36 - 00337360 _____ C:\Users\nofar\Desktop\Cold Spring Harb Protoc 2013 Murthy.PDF.yhdofnc
2015-05-26 21:36 - 2015-05-18 22:48 - 00650880 _____ C:\Users\nofar\Desktop\JC 5-9-15.PPT.yhdofnc
2015-05-26 21:36 - 2015-05-18 21:45 - 00439056 _____ C:\Users\nofar\Desktop\zohari1994.PDF.yhdofnc
2015-05-26 21:36 - 2015-05-18 20:31 - 00522800 _____ C:\Users\nofar\Desktop\pnas.201418224SI.PDF.yhdofnc
2015-05-26 21:36 - 2015-05-05 11:45 - 00509360 _____ C:\Users\nofar\Desktop\EngelhardNofar552015TaxDocs.PDF.yhdofnc
2015-05-25 20:36 - 2015-05-25 20:41 - 00000000 ____D C:\nofar s4 backup
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-20 21:59 - 2014-06-16 20:20 - 00000000 ____D C:\Users\nofar\AppData\Roaming\Dropbox
2015-06-20 21:56 - 2009-07-14 00:45 - 00028928 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-20 21:56 - 2009-07-14 00:45 - 00028928 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-20 21:51 - 2011-10-25 23:52 - 02009692 _____ C:\windows\WindowsUpdate.log
2015-06-20 21:50 - 2012-02-03 14:19 - 00000938 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001UA.job
2015-06-20 21:46 - 2009-07-14 01:13 - 00006226 _____ C:\windows\system32\PerfStringBackup.INI
2015-06-20 21:38 - 2011-10-26 00:34 - 00000000 ____D C:\ProgramData\VeriFace
2015-06-20 21:37 - 2011-12-28 04:37 - 04953223 _____ C:\FaceProv.log
2015-06-20 21:37 - 2011-10-26 00:42 - 00624203 _____ C:\windows\system32\fastboot.set
2015-06-20 21:37 - 2009-07-14 01:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-06-20 21:37 - 2009-07-14 00:51 - 00083293 _____ C:\windows\setupact.log
2015-06-20 21:36 - 2013-04-06 08:36 - 00000000 ____D C:\ProgramData\Avira
2015-06-20 21:36 - 2010-11-20 23:47 - 00444938 _____ C:\windows\PFRO.log
2015-06-16 21:49 - 2014-10-09 21:17 - 00000000 ____D C:\ProgramData\Package Cache
2015-06-16 21:49 - 2013-04-06 08:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-06-16 21:49 - 2013-04-06 08:36 - 00000000 ____D C:\Program Files (x86)\Avira
2015-06-16 21:42 - 2012-02-03 14:19 - 00000886 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001Core.job
2015-06-16 00:34 - 2009-07-13 23:20 - 00000000 __RHD C:\Users\Default
2015-06-16 00:18 - 2009-07-13 22:34 - 00000215 _____ C:\windows\system.ini
2015-06-15 21:11 - 2012-04-23 01:47 - 00000000 ____D C:\Users\nofar\AppData\Roaming\Skype
2015-06-14 18:03 - 2011-12-28 04:39 - 00000000 ____D C:\Users\nofar
2015-06-11 06:06 - 2009-07-13 23:20 - 00000000 ____D C:\windows\rescache
2015-06-11 04:30 - 2014-11-16 04:43 - 00000000 __SHD C:\Users\nofar\AppData\Local\EmieBrowserModeList
2015-06-11 04:30 - 2014-04-12 20:24 - 00000000 __SHD C:\Users\nofar\AppData\Local\EmieUserList
2015-06-11 04:30 - 2014-04-12 20:24 - 00000000 __SHD C:\Users\nofar\AppData\Local\EmieSiteList
2015-06-11 04:26 - 2009-07-14 00:45 - 00393536 _____ C:\windows\system32\FNTCACHE.DAT
2015-06-11 04:22 - 2014-12-11 22:28 - 00000000 ____D C:\windows\system32\appraiser
2015-06-11 04:22 - 2014-05-09 20:02 - 00000000 ___SD C:\windows\system32\CompatTel
2015-06-11 04:22 - 2009-07-13 23:20 - 00000000 ____D C:\windows\PolicyDefinitions
2015-06-11 03:48 - 2013-08-31 12:36 - 00000000 ____D C:\windows\system32\MRT
2015-06-11 03:18 - 2011-12-28 15:28 - 140135120 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-06-10 23:29 - 2009-07-14 01:37 - 00000000 ____D C:\windows\DigitalLocker
2015-06-10 23:26 - 2014-02-16 09:00 - 00000000 ____D C:\ProgramData\Conduit
2015-06-09 21:42 - 2015-04-08 13:42 - 00000000 ____D C:\Users\nofar\Desktop\hr
2015-06-09 21:42 - 2014-06-18 07:48 - 00000000 ____D C:\Users\nofar\Documents\old
2015-06-09 21:42 - 2014-06-13 06:12 - 00000000 ____D C:\Users\nofar\Documents\book246_pdf
2015-06-09 21:42 - 2012-10-16 06:46 - 00000000 ____D C:\Users\nofar\Documents\work
2015-06-09 21:39 - 2012-09-12 13:11 - 00000000 ____D C:\Users\nofar\Documents\wedding
2015-06-09 21:39 - 2012-06-03 14:14 - 00000000 ____D C:\Users\nofar\Dopamine-Dependent Long-Term Depression Is Expressed in Striatal Spiny Neurons of Both Direct and Indirect Pathways  Implications for Parkinson's Disease_files
2015-06-09 21:37 - 2013-05-11 12:25 - 00000000 ____D C:\Users\nofar\AppData\Roaming\TeamViewer
2015-06-09 21:37 - 2012-01-07 10:43 - 00000000 ____D C:\Users\nofar\Documents\Youcam
2015-06-09 21:34 - 2014-04-04 13:12 - 00000000 ____D C:\Users\nofar\AppData\Roaming\Zoom
2015-06-09 21:30 - 2014-04-01 07:55 - 00000000 ____D C:\Users\nofar\AppData\Roaming\avidemux
2015-06-09 21:30 - 2011-12-28 04:39 - 00000000 ____D C:\Users\nofar\AppData\Local\VirtualStore
2015-06-09 21:05 - 2012-04-05 17:22 - 00000000 ____D C:\ben
2015-06-09 21:04 - 2014-07-25 01:08 - 00000000 ____D C:\Users\nofar\AppData\Roaming\vlc
2015-06-09 20:53 - 2014-01-21 15:59 - 00000000 ____D C:\pics irit
2015-06-09 20:27 - 2011-12-28 04:41 - 00000000 ____D C:\ProgramData\Energy Management
2015-06-09 05:26 - 2013-04-06 08:37 - 00153256 _____ (Avira Operations GmbH & Co. KG) C:\windows\system32\Drivers\avgntflt.sys
2015-06-09 05:26 - 2013-04-06 08:37 - 00132656 _____ (Avira Operations GmbH & Co. KG) C:\windows\system32\Drivers\avipbb.sys
2015-06-07 17:40 - 2014-04-03 09:00 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-06-07 17:34 - 2013-03-19 10:22 - 00000000 ____D C:\Users\nofar\AppData\Roaming\uTorrent
2015-05-31 19:30 - 2015-05-18 20:31 - 04660784 _____ C:\Users\nofar\Desktop\drosophila navigation nature.PDF.yhdofnc
2015-05-27 12:17 - 2015-01-12 15:12 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-05-21 20:44 - 2012-04-23 01:46 - 00000000 ____D C:\ProgramData\Skype
 
==================== Files in the root of some directories =======
 
2012-02-04 17:15 - 2015-04-15 23:23 - 0025088 _____ () C:\Users\nofar\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-06-09 20:38 - 2015-06-09 21:42 - 1613304 _____ () C:\ProgramData\wrkudqm.html
 
Some files in TEMP:
====================
C:\Users\nofar\AppData\Local\Temp\avgnt.exe
C:\Users\nofar\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp75deps.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-06-16 06:02
 
==================== End of log ============================
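Added example, not code from this thread or from FRST: a small Python triage pass over the kind of Addition.txt lines posted later in this thread (the CustomCLSID entry FRST marks "<==== Poweliks?" and the two scheduled tasks it marks ATTENTION). The sample lines are copied from that log, with the javascript: payload truncated exactly as FRST printed it; the regexes, the severity labels and the helper names are my own assumptions about what is worth escalating, not FRST's logic.

```python
"""Triage helper for FRST Addition.txt output (added example for this page).

Flags two persistence patterns visible in the log posted in this thread:
  * a per-user COM server (CustomCLSID ... LocalServer32/InprocServer32) whose
    target is a script-engine command line instead of a file on disk, i.e. the
    loader is stored in the registry value itself (the Poweliks pattern), and
  * a scheduled task that launches an executable from a temp directory, or
    whose task definition file is missing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the Addition.txt posted in this thread.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"xfn8\..\mshtml,RunHTMLApplication ";eval("usxzs7<odv!@buhwdYNckdbu)#VRbshqu (the data entry has 28620 more characters). <==== Poweliks?
Task: {41EF556C-AB64-4D43-9DE1-AA058E6D9CE6} - \BackgroundContainer Startup Task No Task File <==== ATTENTION
Task: {A716C25B-2A3A-4A02-8F3B-57D15B586AA0} - System32\Tasks\owzueed => C:\Users\nofar\AppData\Local\Temp\bxbbmkl.exe <==== ATTENTION
Task: {2A8AF077-6714-40CB-86FC-403322F82F41} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    kind: str       # "com-server" or "task"
    ident: str      # CLSID or task GUID, braces included
    target: str     # what the registry entry points at
    reason: str


CLSID_RE = re.compile(
    r"^CustomCLSID: HKU\\[^\\]+\\CLSID\\\{(?P<clsid>[^}]+)\}\\"
    r"(?P<server>LocalServer32|InprocServer32) -> (?P<target>.*)$",
    re.IGNORECASE,
)
TASK_RE = re.compile(r"^Task: \{(?P<guid>[^}]+)\} - (?P<name>.*?)(?: => (?P<target>.*))?$")
FILE_PATH = re.compile(r"^[A-Za-z]:\\")                       # a real on-disk target
SCRIPT_URL = re.compile(r"javascript:|vbscript:|RunHTMLApplication", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

Verdict = Optional[Tuple[str, str]]   # (severity, reason) or None


def classify_com_server(target: str) -> Verdict:
    # A COM server should be a DLL or EXE path. "rundll32.exe javascript:..." means
    # mshtml's RunHTMLApplication will eval script read back out of the registry,
    # leaving no file on disk for a file scanner to find.
    if SCRIPT_URL.search(target) or not FILE_PATH.match(target):
        return ("high", "COM server is a script-engine command line, not a file on disk")
    if target.endswith("No File"):
        return ("low", "orphaned COM registration; binary no longer present")
    return None


def classify_task(name: str, target: Optional[str]) -> Verdict:
    if target is None:
        if "No Task File" in name:
            return ("medium", "task registered but its definition file is missing")
        return None
    if TEMP_DIR.search(target):
        return ("high", "task launches an executable from a temp directory")
    return None


def parse_findings(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = CLSID_RE.match(line)
        if m:
            v = classify_com_server(m["target"])
            if v:
                findings.append(Finding(v[0], "com-server", "{%s}" % m["clsid"], m["target"], v[1]))
            continue
        m = TASK_RE.match(line)
        if m:
            v = classify_task(m["name"], m["target"])
            if v:
                findings.append(Finding(v[0], "task", "{%s}" % m["guid"], m["target"] or m["name"], v[1]))
    return findings


if __name__ == "__main__":
    order = ["high", "medium", "low"]
    for f in sorted(parse_findings(SAMPLE_LOG), key=lambda x: order.index(x.severity)):
        print(f"[{f.severity.upper():6}] {f.kind:10} {f.ident}\n    {f.reason}\n    -> {f.target[:90]}")
```

The point of the high-severity rule is that a LocalServer32 value holding a command line is executed by whichever process instantiates that class, so there is no binary to delete and no file for a signature scanner to match; removal means deleting the registry key and the task that re-creates it, which is why the helper asks for Addition.txt before writing a fixlist rather than running more file scanners.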


#2 mAL_rEm018

  • Malware Response Team
  • 308 posts
  • Gender:Male
  • Local time:12:00 PM

Posted 23 June 2015 - 03:09 PM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 5 days will result in this thread being closed.


Hello benkx,

My name is mAL_rEm018, but feel free to call me mAL.  I'm an undergraduate trainee and, as such, my posts to you have to be checked by a Teacher first; because of this, my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.
 

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that you will need to take your computer to a repair shop.


Since you are infected with ransomware, please be aware that we might be unable to recover your files.  I advise you to save your personal data and if we are unable to get it back now, it might be possible to do so in the future.  The instructions for backing up your computer can be found in the following links:


Cobian Backup
DriveImage XML


To make sure everything goes smoothly, I would like you to observe the following rules:

  • You must have Administrator rights (permissions) for this computer.
  • Please reply to this thread.  Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum.  Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I notice that you ran several tools prior to posting here. I understand that you want to get rid of this infection as soon as possible, however I must ask you to refrain from doing so while we work together. Certain tools are created to target specific infections and the tools you are using will not get rid of the problem. If you keep using them while I ask you to run additional scans, they could impede my ability to provide a proper diagnosis of your computer.


While I am reviewing the log you provided, please do the following:


  • Please rerun FRST as you did before, make sure to check the Addition.txt box before clicking Scan.  Please post the contents of Addition.txt in your next reply.


-----------------------------------------
In your next reply, I would like to see..

  • Addition.txt

Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#3 benkx

  • Topic Starter
  • Members
  • 6 posts
  • Local time:09:00 AM

Posted 23 June 2015 - 09:14 PM

Hi Mal, thank you for your help. I've begun backing up the PC using DriveImage; it will take about 3.5 days according to its estimate. I'm attaching the Addition.txt file below. Meanwhile I have another question: you've said that it might be that I'll need to reformat everything if we can't solve the problem. The backup is being copied to an external drive that is presumably also infected by now. If we can't remove the virus, how will I access the backup?

Thanks,
b

-----------------------------------------------------------------------------------

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by nofar at 2015-06-20 22:21:12
Running from C:\Users\nofar\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2600357391-3155684455-3503250330-500 - Administrator - Disabled)
Guest (S-1-5-21-2600357391-3155684455-3503250330-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-2600357391-3155684455-3503250330-1002 - Limited - Enabled)
nofar (S-1-5-21-2600357391-3155684455-3503250330-1001 - Administrator - Enabled) => C:\Users\nofar

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Disabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Disabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKLM-x32\...\uTorrent) (Version: 3.3.0.29342 - BitTorrent Inc.)
64 Bit HP CIO Components Installer (Version: 18.2.4 - Hewlett-Packard) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
7-Zip 9.22beta (HKLM-x32\...\7-Zip) (Version:  - )
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Flash Player 12 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Illustrator CS (HKLM-x32\...\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}) (Version: 11 - Adobe Systems, Inc.)
Adobe Reader XI (11.0.11) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.8.638 - Adobe Systems, Inc.)
Adobe SVG Viewer 3.0 (HKLM-x32\...\Adobe SVG Viewer) (Version:  3.0 - Adobe Systems, Inc.)
Amazon Kindle (HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...\Amazon Kindle) (Version:  - Amazon)
ArcSoft TotalMedia 3.5 (HKLM-x32\...\{FAD27DDE-2093-425D-8B0B-34BFAD0731DB}) (Version:  - ArcSoft)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.36 - Atheros Communications Inc.)
Aventail Connect (HKLM\...\{C338ACAC-7162-42E3-8B8C-85E5746F4A2E}) (Version: 10.71.421 - SonicWALL Aventail)
Avidemux 2.6 - 64bits (HKLM-x32\...\Avidemux 2.6 - 64bits (64-bit)) (Version: 2.6.8.9046 - )
Avira (HKLM-x32\...\{0696cc37-db90-4000-be99-4a173ca7c8af}) (Version: 1.1.39.17987 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.39.17987 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.11.574 - Avira Operations GmbH & Co. KG)
Brain Explorer 2 (HKLM-x32\...\{27B05C50-D121-4C1A-A7D5-4CDBC64B0035}) (Version: 2.3.0.2355 - Allen Institute)
Canon IJ Network Scanner Selector EX (HKLM-x32\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - Canon Inc.)
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.2.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MX450 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX450_series) (Version: 1.00 - Canon Inc.)
Canon MX450 series On-screen Manual (HKLM-x32\...\Canon MX450 series On-screen Manual) (Version: 7.6.0 - Canon Inc.)
Canon MX450 series User Registration (HKLM-x32\...\Canon MX450 series User Registration) (Version:  - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)
CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.4.4852 - CDBurnerXP)
Check Point SSL Network Extender Service (HKLM-x32\...\{26707f9b-8342-4075-a4bb-cfa356bfbd5f}) (Version: 7.01.0000 - CheckPoint)
Cisco AnyConnect Secure Mobility Client  (HKLM-x32\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.0.10055 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (x32 Version: 3.0.10055 - Cisco Systems, Inc.) Hidden
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.54.1.0 - Conexant)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.45.3.0297 - DT Soft Ltd)
Dropbox (HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...\Dropbox) (Version: 3.6.7 - Dropbox, Inc.)
Energy Management (HKLM-x32\...\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 6.0.2.0 - Lenovo)
Energy Management (x32 Version: 6.0.2.0 - Lenovo) Hidden
GOM Player (HKLM-x32\...\GOM Player) (Version: 2.1.37.5085 - Gretech Corporation)
Google Chrome (HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...\Google Chrome) (Version: 43.0.2357.124 - Google Inc.)
Google Talk Plugin (HKLM-x32\...\{CA3DD97D-1FD7-37A7-BD5C-FC4430C8B8E6}) (Version: 5.41.2.0 - Google)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2342 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.5.1001 - Intel Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
K-Lite Codec Pack 9.9.5 (Full) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 9.9.5 - )
Lenovo EasyCamera (HKLM-x32\...\{AD40A06A-77AB-4E2E-B2AA-FDE106A9977A}) (Version: 1.1.1.7 - Suyin Optronics Corp.)
Lenovo EE Boot Optimizer (HKLM\...\Lenovo EE Boot Optimizer) (Version: 0.0.1.6 - Lenovo)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 7.0.1628 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 7.0.1628 - CyberLink Corp.) Hidden
Lenovo YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.1.3728 - CyberLink Corp.)
Lenovo YouCam (x32 Version: 3.1.3728 - CyberLink Corp.) Hidden
Lenovo_Wireless_Driver (HKLM-x32\...\{28ABE740-47F3-441B-9437-852F6A64EFF8}) (Version: 1.02.01 - Lenovo)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
MATLAB R2011a (HKLM\...\MatlabR2011a) (Version: 7.12 - The MathWorks, Inc.)
Media Go (HKLM-x32\...\{B55B7EAE-C58C-496E-A383-3A6ABDD83A62}) (Version: 2.5.290 - Sony)
Media Go Video Playback Engine 2.4.129.12060 (HKLM-x32\...\{7C5AEEE1-6D7C-8922-4548-7BF9096077EC}) (Version: 2.4.129.12060 - Sony)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM-x32\...\{9011040D-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 38.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 38.0.5 (x86 en-US)) (Version: 38.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
NWZ-W270 WALKMAN Guide (HKLM-x32\...\{095CE261-B919-4FB5-8520-EDCB89C937F4}) (Version: 2.2.0.11162 - Sony Corporation)
PlayStation®Store (HKLM-x32\...\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}) (Version: 4.18.0.15698 - Sony Computer Entertainment Inc.)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.7303 - CyberLink Corp.)
Realtek USB 2.0 Reader Driver (HKLM-x32\...\{62BBB2F0-E220-4821-A564-730807D2C34D}) (Version: 6.1.7600.10003 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.52 - Piriform)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.4.0.9058 - Microsoft Corporation)
Skype™ 7.4 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.4.102 - Skype Technologies S.A.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.0.0 - Synaptics Incorporated)
TeamViewer 8 (HKLM-x32\...\TeamViewer 8) (Version: 8.0.30992 - TeamViewer)
UserGuide (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 1.0.0.6 - Lenovo)
UserGuide (x32 Version: 1.0.0.6 - Lenovo) Hidden
VeriFace (HKLM-x32\...\VeriFace) (Version: 4.0.0.1224 - Lenovo)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
Windows Driver Package - Lenovo (ACPIVPC) System  (12/02/2010 6.1.0.1) (HKLM\...\EA12B1FB53CE4E387C31A85236C41EF559B5E392) (Version: 12/02/2010 6.1.0.1 - Lenovo)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Zoom (HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...\ZoomUMX) (Version: 2.1 - Zoom Video Communications, Inc.)
Windows Live Photo Gallery [Hebrew display name: גלריית התמונות של Windows Live] (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections [Hebrew display name: פקד ActiveX של Windows Live Mesh עבור חיבורים מרוחקים] (HKLM-x32\...\{9D4C7DFA-CBBB-4F06-BDAC-94D831406DF0}) (Version: 15.4.5722.2 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"xfn8\..\mshtml,RunHTMLApplication ";eval("usxzs7<odv!@buhwdYNckdbu)#VRbshqu (the data entry has 28620 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\nofar\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\nofar\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File

==================== Restore Points =========================

16-06-2015 06:09:28 Scheduled Checkpoint

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2015-06-16 00:18 - 00000027 ____A C:\windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {28AEB5CA-1D89-42ED-90C7-F77934A7BD41} - System32\Tasks\{43C4D68B-A129-46DA-8206-1C5E5D1DDE3E} => pcalua.exe -a C:\Users\nofar\Downloads\ngsetup_en.exe -d C:\Users\nofar\Desktop
Task: {2A8AF077-6714-40CB-86FC-403322F82F41} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {2BE706EA-31B0-4E2D-B8B1-90EDF96984DB} - System32\Tasks\DropboxUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001UA => C:\Users\nofar\AppData\Local\Dropbox\Update\DropboxUpdate.exe [2015-06-20] (Dropbox, Inc.)
Task: {41EF556C-AB64-4D43-9DE1-AA058E6D9CE6} - \BackgroundContainer Startup Task No Task File <==== ATTENTION
Task: {43A30E68-0515-4B6D-991F-E37ACD88D349} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\Logon => C:\Windows\system32\GWX\GWX.exe [2015-05-07] (Microsoft Corporation)
Task: {762AC8A4-08F0-4A87-820B-BF9FE75E9FC0} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => C:\Windows\system32\compattel\DiagTrackRunner.exe [2015-03-16] (Microsoft Corporation)
Task: {7D9D128A-61AE-4113-99BA-18C9674B2650} - System32\Tasks\DropboxUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001Core => C:\Users\nofar\AppData\Local\Dropbox\Update\DropboxUpdate.exe [2015-06-20] (Dropbox, Inc.)
Task: {8CFBFD51-60D3-4157-8149-6093EEDC15CA} - System32\Tasks\MirageAgent => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [2011-01-28] (CyberLink)
Task: {934423C4-EA21-4746-BEEF-30F77F47BBEC} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle => C:\Windows\system32\GWX\GWX.exe [2015-05-07] (Microsoft Corporation)
Task: {A716C25B-2A3A-4A02-8F3B-57D15B586AA0} - System32\Tasks\owzueed => C:\Users\nofar\AppData\Local\Temp\bxbbmkl.exe <==== ATTENTION
Task: {AC69BB9D-C0F2-4100-9E0E-871F66D36BAA} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => schtasks
Task: {B47F98A7-2EA1-4EF7-9142-F7B988385D42} - System32\Tasks\wake up => C:\movies\באטמן האביר האפל\The Dark KnightThe Dark Knight[2008]DvDrip[Eng]-FXG.avi [2010-11-28] ()
Task: {B6BDDBB8-4280-4CE9-8305-7BD6D9CB6A9F} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\ValidationTask => C:\Windows\system32\Wat\WatAdminSvc.exe
Task: {C26901AC-F303-49B6-B638-0989C0AA3BD3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001UA => C:\Users\nofar\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-22] (Google Inc.)
Task: {DB447E7B-3DAA-446E-A0EE-72326192A6E2} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-05-07] (Microsoft Corporation)
Task: {EDCB40C6-F7AB-4922-9365-D54B531937F7} - System32\Tasks\{F417FE02-6B08-4000-8BF2-B24163604E17} => C:\Program Files (x86)\Adobe\Illustrator CS\Support Files\Contents\Windows\Illustrator.exe [2003-09-18] (Adobe Systems, Inc.)
Task: {F0822954-8A1E-49A2-AF67-8665329BCFDD} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-05-07] (Microsoft Corporation)
Task: {FADD128B-8687-4230-B3A6-321C6CAEED1B} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001Core => C:\Users\nofar\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-22] (Google Inc.)
Task: C:\windows\Tasks\DropboxUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001Core.job => C:\Users\nofar\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\windows\Tasks\DropboxUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001UA.job => C:\Users\nofar\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001Core.job => C:\Users\nofar\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600357391-3155684455-3503250330-1001UA.job => C:\Users\nofar\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2014-10-09 05:51 - 2014-10-09 05:51 - 00250664 _____ () C:\windows\ngmsi.dll
2011-10-26 00:34 - 2011-10-26 00:34 - 01508192 _____ () C:\windows\system32\IcnOvrly.dll
2011-10-26 00:08 - 2011-03-25 05:28 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2008-12-19 23:20 - 2011-10-26 00:45 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2008-12-19 23:20 - 2011-10-26 00:45 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\kbdhook.dll
2013-01-12 16:00 - 2007-04-19 03:33 - 00035584 _____ () C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\uPiApi.dll
2013-01-12 16:00 - 2007-04-19 03:39 - 00436992 _____ () C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\fpxlib.dll
2013-01-12 16:00 - 2007-04-19 03:29 - 00273216 _____ () C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\magengin.dll
2013-01-12 16:00 - 2007-04-19 03:29 - 00187136 _____ () C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\kgl.dll
2009-07-13 17:03 - 2009-07-13 21:15 - 00364544 _____ () C:\Windows\SysWOW64\msjetoledb40.dll
2011-10-26 00:34 - 2011-10-26 00:34 - 00013664 _____ () C:\Program Files (x86)\Lenovo\VeriFace\ChooseLang.dll
2014-10-17 04:17 - 2014-10-17 04:17 - 00169472 _____ () C:\windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\17c296575fad30d021e6370dc70cf800\IsdiInterop.ni.dll
2011-10-26 00:06 - 2011-02-18 04:16 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2015-06-20 21:54 - 2015-06-20 21:54 - 00043008 _____ () c:\users\nofar\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp75deps.dll
2015-03-04 17:45 - 2015-03-19 03:15 - 00750080 _____ () C:\Users\nofar\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2015-03-04 17:45 - 2015-03-19 03:15 - 00047616 _____ () C:\Users\nofar\AppData\Roaming\Dropbox\bin\libEGL.dll
2015-03-04 17:45 - 2015-03-19 03:15 - 00865280 _____ () C:\Users\nofar\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
2015-03-04 17:45 - 2015-03-19 03:15 - 00200704 _____ () C:\Users\nofar\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll
2015-03-04 17:45 - 2015-03-19 03:15 - 00010240 _____ () C:\Users\nofar\AppData\Roaming\Dropbox\bin\QtQuick.2\qtquick2plugin.dll
2015-03-04 17:45 - 2015-03-19 03:15 - 00726016 _____ () C:\Users\nofar\AppData\Roaming\Dropbox\bin\QtQuick\Controls\qtquickcontrolsplugin.dll
2015-03-04 17:45 - 2015-03-19 03:15 - 00010240 _____ () C:\Users\nofar\AppData\Roaming\Dropbox\bin\QtQuick\Window.2\windowplugin.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\nofar\Desktop\Murthy's lab:com.dropbox.attributes

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...\huji.ac.il -> hxxps://huji.ac.il

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 75.75.75.75 - 75.75.76.76

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{DC134E0C-678C-4912-B80E-D731E7A1A81E}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{9B6FC5C7-A442-4A81-B856-C01FADDB5DB1}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{52387186-F4C8-4EA1-960D-5B232530149C}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{F44DC237-A7B4-428B-B763-58B6D32E2A3D}] => (Allow) LPort=2869
FirewallRules: [{F98DCF76-D6AC-49B5-B613-DC45DB5335D8}] => (Allow) LPort=1900
FirewallRules: [{E8093A29-BB71-4B28-9993-F846E858DBDE}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{A89AB197-4A4B-4057-8BEE-7DCF02D0CB93}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [TCP Query User{BCA29C13-90F6-4605-AFEE-4F88C0F7CF7F}C:\program files (x86)\internet explorer\iexplore.exe] => (Block) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [UDP Query User{E11D62EB-EA1E-42EC-B01A-D90DF054F064}C:\program files (x86)\internet explorer\iexplore.exe] => (Block) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [{8C27678A-F401-4231-990A-E806490B8A03}] => (Allow) C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe
FirewallRules: [{05738D01-EB02-46DC-8122-B6D7C3F356C9}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{BEEBE537-0E4E-4AA7-9C4F-F4AB16F65EF6}] => (Allow) C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TotalMedia.exe
FirewallRules: [{C128DBDD-8A5E-4C7F-84D2-5D2A12D3F876}] => (Allow) C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TotalMedia.exe
FirewallRules: [{B560BBD0-BB52-493C-8FE2-B6E566D08789}] => (Allow) C:\ben\downloads\uTorrent\uTorrent.exe
FirewallRules: [{E5ECFAFA-7E7F-4843-9B35-66FE38720A31}] => (Allow) C:\ben\downloads\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{CCB8A1B8-F784-4684-9CC4-CA24530483B3}C:\program files (x86)\internet explorer\iexplore.exe] => (Block) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [UDP Query User{706CFB54-3EAA-4715-85FA-4E3736F67B1F}C:\program files (x86)\internet explorer\iexplore.exe] => (Block) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [{7BBB2130-747C-4A22-9EE5-A9FEDE5979FD}] => (Allow) C:\Users\nofar\AppData\Roaming\Zoom\bin\Zoom.exe
FirewallRules: [{497C3F14-1F6F-432A-9B97-19B3A40F0F83}] => (Allow) C:\Users\nofar\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{9DE0478C-9899-4AD5-BEF1-5B0934848EF6}] => (Allow) C:\Users\nofar\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{8DECD4D6-3F4A-4A82-969A-1641AA03053E}] => (Allow) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
FirewallRules: [{4FEF0DA9-F559-4134-96A0-AC2683255D8E}] => (Allow) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
FirewallRules: [{6F381149-38D8-4CC2-8757-E79C235E391A}] => (Allow) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
FirewallRules: [{A5C150DB-3452-4D79-8B8A-AD6246D1C524}] => (Allow) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
FirewallRules: [TCP Query User{183186F9-DA9B-4EAE-AA7E-4D5EB424DB87}C:\users\nofar\appdata\roaming\dropbox\bin\dropbox.exe] => (Allow) C:\users\nofar\appdata\roaming\dropbox\bin\dropbox.exe
FirewallRules: [UDP Query User{35995332-9199-4AC3-9DC3-2653B36447F8}C:\users\nofar\appdata\roaming\dropbox\bin\dropbox.exe] => (Allow) C:\users\nofar\appdata\roaming\dropbox\bin\dropbox.exe
FirewallRules: [{531EBD92-4819-4EC1-9855-0F1F1FCE1059}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{8A968F05-F21A-48DD-AAE7-9DBFFB4C77F4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{E9592A81-F672-4C5E-89C3-BB60E60F1E16}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{521C405F-27AC-4C33-908E-02FC8E8DCD69}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe

==================== Faulty Device Manager Devices =============

Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: vpnva
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (06/20/2015 09:45:52 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (06/20/2015 09:45:52 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (06/20/2015 09:39:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/16/2015 09:51:49 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (06/16/2015 09:51:49 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (06/16/2015 09:45:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/16/2015 00:24:00 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (06/16/2015 00:24:00 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (06/16/2015 00:19:14 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/15/2015 11:25:29 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

System errors:
=============
Error: (06/20/2015 10:10:25 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1053TrustedInstaller{752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (06/20/2015 10:10:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Modules Installer service failed to start due to the following error:
%%1053

Error: (06/20/2015 10:10:24 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.

Error: (06/20/2015 09:47:33 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Intel® Management and Security Application User Notification Service service failed to start due to the following error:
%%1053

Error: (06/20/2015 09:47:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Intel® Management and Security Application User Notification Service service to connect.

Error: (06/20/2015 09:40:53 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Error: (06/20/2015 09:39:24 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (06/20/2015 09:38:58 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The TeamViewer 8 service failed to start due to the following error:
%%1053

Error: (06/20/2015 09:38:56 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the TeamViewer 8 service to connect.

Error: (06/20/2015 09:37:50 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMService service failed to start due to the following error:
%%1053

Microsoft Office:
=========================
Error: (06/20/2015 09:45:52 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (06/20/2015 09:45:52 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (06/20/2015 09:39:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/16/2015 09:51:49 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (06/16/2015 09:51:49 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (06/16/2015 09:45:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/16/2015 00:24:00 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (06/16/2015 00:24:00 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (06/16/2015 00:19:14 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/15/2015 11:25:29 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

CodeIntegrity Errors:
===================================
  Date: 2015-06-16 00:09:59.548
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-06-16 00:09:59.488
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Core™ i3-2330M CPU @ 2.20GHz
Percentage of memory in use: 81%
Total physical RAM: 4039.86 MB
Available physical RAM: 731.42 MB
Total Pagefile: 8077.93 MB
Available Pagefile: 2307.79 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:254.14 GB) (Free:21.87 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:26.76 GB) NTFS
Drive e: (My Passport) (Fixed) (Total:931.48 GB) (Free:512.6 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 7DD9CFBD)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=254.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=14.8 GB) - (Type=12)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 393FD0EA)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End of log ============================



#4 mAL_rEm018 (Malware Response Team)

Posted 24 June 2015 - 01:54 PM

Hello benkx,

Your computer has been badly compromised.

HKU\S-1-5-21-2600357391-3155684455-3503250330-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"xfn8\..\mshtml,RunHTMLApplication ";eval("usxzs7<odv!@buhwdYNckdbu)#VRbshqu (the data entry has 28612 more characters). <==== Poweliks!

Poweliks is a serious infection that not only installs several other pieces of malware (such as ransomware), but also causes the infected computer to become part of a "click-fraud" botnet. The compromised computer is remotely controlled by the malware creator(s), which is why I advise you to read the following article very carefully before making any type of decision: Remote Access Infections ... (why you should repave).


This is what I propose...

We can try several methods to recover your encrypted files, however please be aware that there is a significant chance that we may not be able to do so.

In view of the nature of the infection on your computer, you should seriously consider performing a reformat and re-install of Windows 7. However, the choice to do so is yours to make, so please let me know how you would like to proceed in your next reply and then I will provide you with further instructions.

 


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed
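The LocalServer32 entry FRST flagged in the post above is the typical Poweliks foothold: a COM registration whose launch command runs rundll32.exe with a javascript: URL so that mshtml executes script stored directly in the registry, with no file on disk for a scanner to find. The following PowerShell is an added example of how a responder can check for that indicator; it is my own code, not one of the helper's tools and not part of the thread. The two substrings it matches are copied from the flagged FRST line; the function name Find-SuspiciousLocalServer32 and the output format are mine. It only reads the registry and changes nothing.

```powershell
# Added example, not from the thread: read-only check for the Poweliks-style
# CLSID\LocalServer32 registration that FRST flagged in the post above.
# It reports matching values and changes nothing in the registry.

# Substrings copied from the flagged FRST line; -like matching is case-insensitive.
$Indicators = @('rundll32.exe javascript:', 'mshtml,RunHTMLApplication')

# Per-user class registrations live under HKU\<SID>\Software\Classes, which is
# a link to the HKU\<SID>_Classes hive; both spellings are searched so a hive
# loaded for another logged-on user is not missed. The machine hive is last.
$SearchPaths = @(
    'Registry::HKEY_USERS\*\Software\Classes\CLSID\*\LocalServer32',
    'Registry::HKEY_USERS\*_Classes\CLSID\*\LocalServer32',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*\LocalServer32'
)

function Find-SuspiciousLocalServer32 {
    param(
        [string[]] $Paths    = $SearchPaths,
        [string[]] $Patterns = $Indicators
    )
    $findings = @()
    foreach ($path in $Paths) {
        # Wildcards in a registry path expand to every matching key; paths that
        # do not exist are skipped quietly.
        foreach ($key in @(Get-Item -Path $path -ErrorAction SilentlyContinue)) {
            # The (default) value of LocalServer32 is the command COM launches.
            $command = [string] $key.GetValue('')
            if (-not $command) { continue }
            foreach ($pattern in $Patterns) {
                if ($command -like "*$pattern*") {
                    $findings += New-Object PSObject -Property @{
                        Key     = $key.Name
                        Matched = $pattern
                        Length  = $command.Length
                        # The flagged value was over 28,000 characters of
                        # obfuscated script; keep only a short printable prefix.
                        Preview = $command.Substring(0, [Math]::Min(80, $command.Length))
                    }
                    break
                }
            }
        }
    }
    # The same key can be reached through both HKU spellings; report it once.
    $findings | Sort-Object -Property Key -Unique
}

$results = @(Find-SuspiciousLocalServer32)
if ($results.Count -eq 0) {
    Write-Output 'No CLSID\LocalServer32 value matched the Poweliks indicators.'
} else {
    $results | Format-List -Property Key, Matched, Length, Preview
}
```

Run it from an elevated PowerShell so that every loaded user hive under HKEY_USERS is readable. A hit confirms what FRST already reported and tells you which user hive carries it; because the script stored in that value is what re-creates the other components on each boot, removing the dllhost.exe instances alone (as the first post tried) does not clear the infection, which is the reason the helper recommends a rebuild.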


#5 mAL_rEm018 (Malware Response Team)

Posted 26 June 2015 - 02:54 PM

Hello benkx,

Do you still need help?  It's been 48 hours since my last reply.  If you don't require assistance anymore I would really appreciate it if you let me know.

mAL




#6 benkx (Topic Starter)

Posted 26 June 2015 - 04:11 PM

Hi mAL

Sorry for the delay, I've been reading up on this issue and deciding what to do. I would like to go ahead and try to clean the PC. I realize that it is problematic for several reasons, but having been very negligent in terms of performing regular backups, it behooves me to take this extra step. Thank you very much for your help.



#7 mAL_rEm018 (Malware Response Team)

Posted 26 June 2015 - 11:14 PM

Hello benkx,
 

I've been reading up on this issue and deciding what to do. I would like to go ahead and try to clean the PC. I realize that it is problematic for several reasons, but having been very negligent in terms of performing regular backups, it behooves me to take this extra step.

I hope I can get you to reconsider cleaning the computer. Even if we are able to remove all the infections on your computer, this will not change the fact that your computer has been compromised, and there is absolutely nothing we can do about that. Please read the article again: Remote Access Infections ... (why you should repave). Take the time to think about your decision and the impact it could potentially have in the future. I don't expect an answer right away, and if, after we try to recover your personal files, you still stand by your decision, then we will proceed with the cleaning of your computer.
 

I've begun backing up the PC using DriveImage; it will take about 3.5 days according to its estimation.

Were you able to complete the backup with DriveImage?  If not, Stop and let me know right away!


Now let's get to work :)


Please answer the following question.

  • I noticed that you have Shadow Explorer installed on your computer.

    2015-06-10 23:37 - 2015-06-10 23:37 - 00000000 ____D C:\Users\nofar\AppData\Roaming\www.shadowexplorer.com
    2015-06-10 23:35 - 2015-06-10 23:35 - 00137737 _____ C:\Users\nofar\Downloads\ShadowExplorer-0.9-portable.zip
    2015-06-10 23:35 - 2015-06-10 23:35 - 00000000 ____D C:\Users\nofar\Downloads\ShadowExplorer-0.9-portable

    Did you have success in recovering any files with this software?


Restoring files/folders using Previous Versions


  • Select a file/or folder that was encrypted and Right-Click on it.
  • Click on Restore previous versions.
  • By looking under the column Date modified try to find a version prior to the time your files were encrypted.
  • Select the proper previous version and click on Copy...
  • A window will open, please navigate to your desktop and click Copy.
  • The previous version of the file should now appear on your desktop.
  • If this method worked, try it on the other files/folders.
  • If it failed, let me know in your next post.  We still have a few options at our disposal.

 


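Before working through the Previous Versions dialog file by file, it helps to know whether any Volume Shadow Copies still exist at all, because the Previous Versions tab is served from them. The following PowerShell is an added example (my own code, not from the thread or the helper) that queries Win32_ShadowCopy and Win32_Volume through WMI, both available on Windows 7, and prints the number and age of shadow copies per drive letter. The function name Get-ShadowCopySummary is mine.

```powershell
# Added example, not from the thread: count the Volume Shadow Copies Windows
# still holds for each drive letter. The Previous Versions tab is served from
# these, so a drive with zero shadow copies cannot offer a previous version
# of any file on it.

function Get-ShadowCopySummary {
    # Both classes are in the root\cimv2 namespace on Windows 7; listing
    # Win32_ShadowCopy normally needs an elevated (Run as administrator) PowerShell.
    $volumes = @(Get-WmiObject -Class Win32_Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter })
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)

    foreach ($vol in $volumes) {
        # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the
        # \\?\Volume{GUID}\ form, which is how the two are joined here.
        $mine = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
        $newest = $null
        if ($mine.Count -gt 0) {
            # InstallDate is a WMI datetime string (yyyymmddHHMMSS.ffffff+zzz).
            $newest = $mine |
                ForEach-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } |
                Sort-Object -Descending |
                Select-Object -First 1
        }
        New-Object PSObject -Property @{
            Drive        = $vol.DriveLetter
            ShadowCopies = $mine.Count
            NewestCopy   = $newest
        }
    }
}

Get-ShadowCopySummary | Sort-Object -Property Drive | Format-Table -Property Drive, ShadowCopies, NewestCopy -AutoSize
```

A zero count for a drive means the dialog will have nothing to offer for any file on it, which is the outcome benkx later reports for Shadow Explorer; the built-in `vssadmin list shadows` (also from an elevated prompt) shows the same information in raw form. If copies do exist, NewestCopy tells you at once whether any of them predates the encryption.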


#8 benkx (Topic Starter)

Posted 27 June 2015 - 03:37 PM

Hi mAL, thanks for your help. DriveImage was able to complete the backup, which I saved on an external drive. Shadow Explorer did not find any shadow copies. There were no previous versions for any of the files or folders that I tested. Before contacting you I used two file recovery programs, PhotoRec and Recuva. PhotoRec did not complete the scan (it got stuck in a loop both times I ran it); Recuva did manage to complete the scan. However, it doesn't seem they were able to recover the important files (this is harder to know with PhotoRec since the files it recovers have random names). The files that are important to me are mostly JPG files located in two folders on the PC.

#9 benkx (Topic Starter)

Posted 27 June 2015 - 03:39 PM

Sorry for the typos. The last paragraph should read:
However, it doesn't seem they were able to recover the important files (this is harder to know with photorec since the files it recovers have random names). The files that are important to me are mostly JPG files located in two folders in the PC.

#10 mAL_rEm018 (Malware Response Team)

Posted 28 June 2015 - 12:44 AM

Hello benkx,
 

However, it doesn't seem they were able to recover the important files (this is harder to know with PhotoRec since the files it recovers have random names).

PhotoRec outputs the files it recovered with random names by default. I'm afraid you will have to search through all the files to see which ones were recovered and rename them. Since the files you are interested in are JPEG files, it might save time to do the following:



  • Open the folder into which PhotoRec has placed the recovered files.
  • In the search box, located at the top-right of the window, copy/paste the following:

    For JPG files:
    
    *.jpg
    
    
    For Jpeg files:
    
    *.jpeg
    
    
  • This should give you a more manageable list to search through.
  • Rename the files you wish to keep and save them onto your external hard drive.

If the files you wish to recover were not in the folder, then I'm afraid we will not be able to recover them at this time. PhotoRec and Recuva are both very powerful programs for recovering lost files and folders, and if you were unable to do so with them, there's not much else I can propose to retrieve your encrypted files. Keep the encrypted files on your external hard drive, and a solution might present itself in the future for recovering them.

In my previous post I asked you if you would consider formatting your computer. Please let me know your thoughts concerning this.

 


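Searching the recovery folder for *.jpg, as described above, narrows the list by name only. PhotoRec carves by file signature, so its .jpg output usually is JPEG data, but Recuva recovers by directory entry, and a recovered name can point at clusters that were overwritten (for example with the encrypted copy) after the original was deleted. The following PowerShell is an added example (my own code, not from the thread or the helper) that walks a recovery folder, classifies each .jpg/.jpeg file by whether it actually begins with the JPEG start-of-image marker FF D8 FF and ends with the end-of-image marker FF D9, and copies the usable ones to a folder of your choice, prefixing each copy with its source folder name so PhotoRec's repeated random names do not collide. The function names and the two paths in the usage line are placeholders of mine.

```powershell
# Added example, not from the thread: sort a recovery folder's *.jpg/*.jpeg
# files by whether they really start with the JPEG start-of-image marker
# (FF D8 FF) and end with the end-of-image marker (FF D9), then copy the
# usable ones to the external drive. Nothing in the source folder is changed.

function Get-JpegStatus {
    param([string] $Path)
    # 'ok'            : FF D8 FF at the start and FF D9 at the end
    # 'no-end-marker' : starts like a JPEG but the tail is missing (often a
    #                   partial recovery; it may still open, so it is kept)
    # 'not-jpeg'      : the name says .jpg but the bytes do not (for example a
    #                   file whose clusters were overwritten with encrypted data)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        if ($stream.Length -lt 4) { return 'not-jpeg' }
        $head = New-Object byte[] 3
        [void] $stream.Read($head, 0, 3)
        if (-not ($head[0] -eq 0xFF -and $head[1] -eq 0xD8 -and $head[2] -eq 0xFF)) {
            return 'not-jpeg'
        }
        $tail = New-Object byte[] 2
        [void] $stream.Seek(-2, [System.IO.SeekOrigin]::End)
        [void] $stream.Read($tail, 0, 2)
        if ($tail[0] -eq 0xFF -and $tail[1] -eq 0xD9) { return 'ok' }
        return 'no-end-marker'
    } finally {
        $stream.Close()
    }
}

function Copy-RecoveredJpegs {
    param(
        [string] $RecoveryRoot,   # folder holding PhotoRec's recup_dir.* or Recuva's output
        [string] $Destination     # target folder, e.g. on the external drive
    )
    if (-not (Test-Path -Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    $counts = @{ 'ok' = 0; 'no-end-marker' = 0; 'not-jpeg' = 0 }
    $rejected = @()

    $files = Get-ChildItem -Path $RecoveryRoot -Recurse -Include *.jpg, *.jpeg -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        $status = Get-JpegStatus -Path $file.FullName
        $counts[$status]++
        if ($status -eq 'not-jpeg') {
            $rejected += $file.FullName
            continue
        }
        # PhotoRec names are random (f0123456.jpg) and repeat across its
        # recup_dir.N folders, so prefix each copy with its source folder.
        $target = Join-Path -Path $Destination -ChildPath ('{0}_{1}' -f $file.Directory.Name, $file.Name)
        Copy-Item -Path $file.FullName -Destination $target
    }
    New-Object PSObject -Property @{
        Copied       = $counts['ok'] + $counts['no-end-marker']
        NoEndMarker  = $counts['no-end-marker']
        NotJpeg      = $counts['not-jpeg']
        RejectedList = $rejected
    }
}

# Usage (the two paths are placeholders; use your own drive letters):
# Copy-RecoveredJpegs -RecoveryRoot 'D:\photorec_output' -Destination 'E:\recovered_jpegs'
```

The files listed under RejectedList are the ones to look at when judging whether the recovery worked: a .jpg that does not start with FF D8 FF is not a picture any viewer will open, however promising its name. Files flagged NoEndMarker are copied anyway because a JPEG cut short still renders up to the point where the data ends, which is often enough to tell what the photo was.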


#11 benkx (Topic Starter)

Posted 28 June 2015 - 10:41 PM

Hi,

I confirmed that the files I care about were not recovered by the software I used. I agree that the PC should be formatted, but I would like to do that after exhausting all possibilities of recovering the files. Could you recommend some other programs or methods to do so? Another issue is that of the external hard drive I've been using to back up my files; it is probably infected as well and would need to be cleaned, is that right?

thanks

 

b



#12 mAL_rEm018 (Malware Response Team)

Posted 29 June 2015 - 04:36 PM

Hello benkx,
 

I confirmed that the files I care about were not recovered by the software I used. I agree that the PC should be formatted, but I would like to do that after exhausting all possibilities of recovering the files. Could you recommend some other programs or methods to do so?

CTB Locker is a nasty infection because it not only encrypts your files, but it also tries to remove all "older versions" of them. I already mentioned that Recuva and PhotoRec are very powerful programs for recovering lost files. I can certainly give you a list of file recovery software that has a good reputation. However, since all the other methods did not work, the chances of any of them retrieving the files you want are very slim.




Another issue is that of the external hard drive I've been using to back up my files; it is probably infected as well and would need to be cleaned, is that right?

Whether your external hard drive is infected or not depends on several factors: the types of files that were backed up, the infections that were/are present on your computer, etc. I will give you the instructions to reformat your computer as well as some precautionary steps for restoring the files from your external hard drive. Please let me know the model of your computer, so that I can provide you with accurate instructions to carry out the reformat.

 




#13 Gary R (MRU Admin, Malware Response Team)

Posted 03 July 2015 - 12:42 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



