
Attacked by CryptPKO ransomware - Need help


  • This topic is locked
21 replies to this topic

#1 lokesh92garg

lokesh92garg

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 25 July 2015 - 08:48 AM

My system is under attack by the CryptPKO ransomware. I am noticing these components in the registry. I have to get my data back. Can you please support me?

I followed the discussion on http://www.bleepingcomputer.com/forums/t/558981/infected-with-ransomware-cryptpko-files-in-registry/

and tried a couple of things like installing FRST.exe and other adware and malware removers. So far I have failed to get any success with this. Looking forward to your response.

My system is 64 bit having Windows 8 installed in it.

Keys in Registry under HKEY_CLASSES_ROOT section:

CryptPKO.CryptPKO.1

CryptSig.CryptSig.1

I have attached the logs FRST.txt and Addition.txt as well.

Please guide me through the procedure to remove them and get my data back.



Edited by lokesh92garg, 25 July 2015 - 09:48 AM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,454 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:42 AM

Posted 26 July 2015 - 09:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please remove this program using the Add/Remove Programs applet.
TrimEngine (HKLM-x32\...\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{d65a1a66}) (Version: - BugExterminator) <==== ATTENTION


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [YTDownloader] => "C:\Program Files (x86)\YTDownloader\YTDownloader.exe" /boot
HKLM-x32\...\Run: [gmsd_in_005010040] => [X]
HKLM-x32\...\RunOnce: [vuupcntmb] => [X]
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,userinit.exe, [X]
HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\...\Run: [apphide] => C:\Program Files (x86)\baidu\baidu.exe [61440 2015-06-20] ()
HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\...\Run: [YTDownloader] => "C:\Program Files (x86)\YTDownloader\YTDownloader.exe" /boot
HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\...\Run: [DesktopSearch] => C:\ProgramData\DesktopSearch\DesktopSearch.exe -ros -tray
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2012-07-26] ()
Startup: C:\Users\Hanuman-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2012-07-26] ()
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
AutoConfigURL: [HKLM-x32] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [.DEFAULT] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-19] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-20] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-21-2591144959-2068328692-1154149984-1001] => file://C:\Windows\system32\Drivers\winpacket.pac
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hp&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hp&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=ds&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=ds&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartsearch.com/?type=hp&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartsearch.com/?type=hp&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=ds&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=ds&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&q={searchTerms}
HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hp&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT
HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartsearch.com/?type=hp&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT
URLSearchHook: HKLM-x32 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Users\Hanuman-PC\AppData\LocalLow\NCH_EN\prxtbNCH0.dll (ClientConnect Ltd.)
URLSearchHook: HKLM-x32 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Users\Hanuman-PC\AppData\LocalLow\NCH_EN\prxtbNCH0.dll (ClientConnect Ltd.)
URLSearchHook: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Users\Hanuman-PC\AppData\LocalLow\NCH_EN\prxtbNCH0.dll (ClientConnect Ltd.)
URLSearchHook: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Users\Hanuman-PC\AppData\LocalLow\NCH_EN\prxtbNCH0.dll (ClientConnect Ltd.)
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&q={searchTerms}
SearchScopes: HKLM -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1437828427&z=b10b33dff1271aff7882024g3z0c1m9b6o6b1obz1b&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&q={searchTerms}
SearchScopes: HKLM-x32 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = http://www.v9.com/web?type=ds&ts=1433408550&from=zzgbkk123&uid=toshibaxmk5076gsx_52h6pbjjtxx52h6pbjjt&z=d02638779b77a23afb7e31cgezbc7c5zaebb4z1z8w&q={searchTerms}
SearchScopes: HKLM-x32 -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL =
SearchScopes: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 -> DefaultScope {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&ts=1437828600&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&ts=1437828600&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&ts=1437828600&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&ts=1437828600&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&ts=1437828600&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&ts=1437828600&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2591144959-2068328692-1154149984-1001 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=TOSHIBAXMK5076GSX_52H6PBJJTXX52H6PBJJT&ts=1437828600&type=default&q={searchTerms}
BHO: UUNisAAloes -> {4c92652a-4088-4e10-a49e-9044da11a397} ->  No File
BHO: unnisaLees -> {9d4b0c13-4512-430f-a7de-cb584c5595c8} ->  No File
BHO: youtubeadblocker -> {9d5b66db-6be8-41aa-9b2d-1fee567b6003} ->  No File
BHO: No Name -> {A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C} ->  No File
BHO: BitSaaver -> {b974a166-8395-48dd-a45d-d5be2145d090} -> C:\Program Files (x86)\BitSaaver\xmFFykmAjEnqOl.x64.dll [2015-01-30] ()
BHO: unisalees -> {c2dc0549-8704-48af-bc5b-922a902307b2} ->  No File
BHO: unaisales -> {d504532e-3ddc-40de-aca3-82dd54c533d3} ->  No File
BHO-x32: GoodTab Class -> {1F91A9A1-01BA-4c81-863D-3BA0751E1419} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-07-23] (Thinkgood Co. Limited)
BHO-x32: NCH EN Toolbar -> {37483b40-c254-4a72-bda4-22ee90182c1e} -> C:\Users\Hanuman-PC\AppData\LocalLow\NCH_EN\prxtbNCH0.dll [2014-09-30] (ClientConnect Ltd.)
BHO-x32: youtubeadblocker -> {78fe7c92-bb89-4917-acf7-08be2d25106c} -> C:\Program Files (x86)\youtubeadblocker\bib4aI5BLBHWqD.dll [2015-01-08] ()
BHO-x32: unnisaLees -> {9d4b0c13-4512-430f-a7de-cb584c5595c8} -> C:\Program Files (x86)\unnisaLees\cfdxwgKnvFa3KJ.dll [2015-01-16] ()
BHO-x32: youtubeadblocker -> {9d5b66db-6be8-41aa-9b2d-1fee567b6003} -> C:\Program Files (x86)\youtubeadblocker\yWGs1bx17HuFoJ.dll [2015-01-08] ()
BHO-x32: BitSaaver -> {b974a166-8395-48dd-a45d-d5be2145d090} -> C:\Program Files (x86)\BitSaaver\xmFFykmAjEnqOl.dll [2015-01-30] ()
BHO-x32: unisalees -> {c2dc0549-8704-48af-bc5b-922a902307b2} -> C:\Program Files (x86)\unisalees\v5oryH5KGMzs0l.dll [2015-01-08] ()
Toolbar: HKLM - NCH EN Toolbar - {37483B40-C254-4A72-BDA4-22EE90182C1E} - C:\Users\Hanuman-PC\AppData\LocalLow\NCH_EN\prxtbNCH0.dll [2014-09-30] (ClientConnect Ltd.)
Toolbar: HKLM-x32 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Users\Hanuman-PC\AppData\LocalLow\NCH_EN\prxtbNCH0.dll [2014-09-30] (ClientConnect Ltd.)
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=10 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll [2015-07-25] (globalUpdate)
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=4 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll [2015-07-25] (globalUpdate)
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2591144959-2068328692-1154149984-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hehijbfgiekmjfkfjpbkbammjbdenadd] - C:\Windows\SysWOW64\IE-Tab_v5.8.13.1.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ifohbjbgfchkkfhphahclmkpgejiplfo] - C:\Users\Hanuman-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\newtab.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ogfjmhfnldnajmfaofeiaepghjenbgjo] - C:\Users\Hanuman-PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\ep.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - https://clients2.google.com/service/update2/crx
S2 comyninu; C:\Program Files (x86)\7EAC257F-1437827698-6743-A7B6-B4B52F3656E2\hnsp8B16.tmp [161792 2015-07-25] () [File not signed]
S2 globalUpdate; C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe [68608 2015-07-25] (globalUpdate) [File not signed] <==== ATTENTION
S3 globalUpdatem; C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe [68608 2015-07-25] (globalUpdate) [File not signed] <==== ATTENTION
S2 hyverumu; C:\Program Files (x86)\7EAC257F-1437827698-6743-A7B6-B4B52F3656E2\jnsu58B9.tmp [209920 2015-07-25] () [File not signed]
S2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-07-23] (XTab system)
S2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [602112 2015-05-20] (Windows SysTool) [File not signed] <==== ATTENTION
S3 HWDeviceService64.exe; "C:\ProgramData\DatacardService\HWDeviceService64.exe" -/service [X]
S2 wonipyqy; C:\Program Files (x86)\7EAC257F-1437827698-6743-A7B6-B4B52F3656E2\knsk25AD.tmpfs [X]
S3 ew_hwusbdev; \SystemRoot\system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; \SystemRoot\System32\drivers\ew_usbenumfilter.sys [X]
S3 huawei_enumerator; \SystemRoot\System32\drivers\ew_jubusenum.sys [X]
S3 hwdatacard; \SystemRoot\system32\DRIVERS\ewusbmdm.sys [X]
C:\Program Files (x86)\YTDownloader
C:\Program Files (x86)\baidu
C:\ProgramData\DesktopSearch
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
C:\Users\Hanuman-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
C:\Windows\system32\Drivers\winpacket.pac
C:\Users\Hanuman-PC\AppData\LocalLow\NCH_EN\prxtbNCH0.dll
C:\Program Files (x86)\BitSaaver
C:\Program Files (x86)\MiuiTab
C:\Program Files (x86)\youtubeadblocker
C:\Program Files (x86)\unnisaLees
C:\Program Files (x86)\7EAC257F-1437827698-6743-A7B6-B4B52F3656E2
C:\ProgramData\WindowsMangerProtect
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\BHKN5T4sOi1Ax16UPEq11WWB.job => C:\Users\Hanuman-PC\AppData\Roaming\BHKN5T4sOi1Ax16UPEq11WWB.exe <==== ATTENTION
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore1d0c6db8a8c0178.job => C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe <==== ATTENTION
Task: C:\Windows\Tasks\Launch 13733.job => C:\Program Files (x86)\YTDownloader\YTDownloader.exe <==== ATTENTION
Task: C:\Windows\Tasks\SmartWeb Upgrade Trigger Task.job => C:\Users\Hanuman-PC\AppData\Local\SmartWeb\SmartWebHelper.exe <==== ATTENTION
Task: C:\Windows\Tasks\x5ii9Xohdmi8ZXkkVnN.job => C:\Users\Hanuman-PC\AppData\Roaming\x5ii9Xohdmi8ZXkkVnN.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:15D5AA51

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.
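The fixlist above is made of FRST log lines, each carrying markers such as "<==== ATTENTION", "[X]" (the target file no longer exists) and "[File not signed]". The following Python script is an added illustration, not part of nasdaq's post and not FRST's own code: it parses lines in that format into structured entries (autostart keys, services, scheduled tasks, BHOs) and summarises which ones FRST flagged, which point at files that are already gone, and which run unsigned code. The line patterns are assumptions inferred from the lines on this page rather than FRST's full grammar, and the sample lines are copied from the fixlist above.

```python
"""Triage helper for FRST-style log lines (added example; not FRST's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Markers FRST appends to lines; the patterns below are inferred from the lines in this thread.
ATTENTION_RE = re.compile(r"\s*<=+ ATTENTION\s*$")
MISSING_RE = re.compile(r"\[X\]|\bNo File\b|\[not found\]", re.IGNORECASE)
UNSIGNED_MARK = "[File not signed]"

# (kind, regex) pairs for the entry types modelled here: autostart keys, services, tasks, BHOs.
LINE_PATTERNS = [
    ("Run", re.compile(r"^HK\S*?\\\.\.\.\\(?:Run|RunOnce|Winlogon): \[(?P<name>[^\]]*)\] (?:=> )?(?P<target>.*)$")),
    ("Service", re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<target>.*)$")),
    ("Task", re.compile(r"^Task: (?P<name>.+?) => (?P<target>.*)$")),
    ("BHO", re.compile(r"^BHO(?:-x32)?: (?P<name>.+?) -> \{[^}]+\} -> (?P<target>.*)$")),
]


@dataclass
class Entry:
    kind: str
    name: str
    target: str
    flags: List[str] = field(default_factory=list)


def parse_line(raw: str) -> Optional[Entry]:
    """Parse one log line; returns None for line kinds this helper does not model."""
    line = raw.strip()
    flags: List[str] = []
    if ATTENTION_RE.search(line):
        flags.append("attention")          # FRST itself singled this entry out
        line = ATTENTION_RE.sub("", line)
    for kind, pattern in LINE_PATTERNS:
        m = pattern.match(line)
        if m:
            target = m["target"].strip()
            if MISSING_RE.search(target):
                flags.append("missing-file")  # nothing on disk behind this entry any more
            if UNSIGNED_MARK in target:
                flags.append("unsigned")
            return Entry(kind, m["name"].strip(), target, flags)
    return None


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e is not None]


def summarize(entries: List[Entry]) -> dict:
    by_kind: dict = {}
    summary = {"by_kind": by_kind, "attention": 0, "missing_file": 0, "unsigned": 0}
    for e in entries:
        by_kind[e.kind] = by_kind.get(e.kind, 0) + 1
        for flag, key in (("attention", "attention"), ("missing-file", "missing_file"), ("unsigned", "unsigned")):
            if flag in e.flags:
                summary[key] += 1
    return summary


# Sample lines copied from the fixlist in nasdaq's post above (plus two directives that are not entries).
SAMPLE_LOG = r"""
EmptyTemp:
CloseProcesses:
HKLM-x32\...\Run: [YTDownloader] => "C:\Program Files (x86)\YTDownloader\YTDownloader.exe" /boot
HKLM-x32\...\Run: [gmsd_in_005010040] => [X]
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,userinit.exe, [X]
S2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [602112 2015-05-20] (Windows SysTool) [File not signed] <==== ATTENTION
S3 hwdatacard; \SystemRoot\system32\DRIVERS\ewusbmdm.sys [X]
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
BHO: youtubeadblocker -> {9d5b66db-6be8-41aa-9b2d-1fee567b6003} ->  No File
BHO-x32: GoodTab Class -> {1F91A9A1-01BA-4c81-863D-3BA0751E1419} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-07-23] (Thinkgood Co. Limited)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    # Review order: FRST-flagged entries first, then unsigned ones, then leftovers pointing at missing files.
    for e in sorted(found, key=lambda x: ("attention" not in x.flags, "unsigned" not in x.flags)):
        print(f"{e.kind:8} {e.name:32} {','.join(e.flags) or '-':24} {e.target}")
    print(summarize(found))
```

Entries flagged "missing-file" are orphaned references with nothing left to execute, which is why running the fixlist unchanged is harmless for them, as nasdaq notes further down: anything no longer available will simply not be found. Entries that are both unsigned and flagged by FRST are the ones worth looking at first.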

#3 lokesh92garg

lokesh92garg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 27 July 2015 - 12:05 PM

Hello Nasdaq

 

Thanks for your response. I have a few updates for you which I would like to share before running the fixlist.txt script.

Before your response, I had done a couple of things following the steps mentioned in http://www.bleepingcomputer.com/forums/t/558981/infected-with-ransomware-cryptpko-files-in-registry/

Steps that I followed were:

1. Running AdwCleaner by Xplode

2. Running Malwarebytes Anti-Malware

3. Running Junkware Removal Tool

 

After applying these steps, I ran the FRST scan again and the FRST.txt file was updated (please refer to the updated file in the attachment).

I just want to confirm if I should run Fix in FRST.exe using the fixlist.txt (as given in your response), or whether fixlist.txt needs to be revised as per the updated FRST.txt (attached).

 

Please confirm the next step so that I can do the needful and get the data back. I would again like to thank you for following up on this. Looking forward to your response.

 

Attached Files

  • Attached File  FRST.txt   46.29KB   0 downloads


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,454 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:42 AM

Posted 27 July 2015 - 01:41 PM

Run the Fixlist.txt file as submitted.
Anything no longer available will not be found.

No problems.

#5 lokesh92garg

lokesh92garg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 28 July 2015 - 12:03 PM

Sir

 

Thanks for your help. Kindly find the attached files containing the logs for all the mentioned steps, in order. Kindly suggest the next step.

Currently, the system is working OK as such, but the encryption problem still exists. I am attaching a screenshot of the error that I get if I try to open any file. The screenshot attached (sshot.PNG) is for a PDF file, but the same applies to all other file extensions that exist on my system.

 

New files that I am creating now are not getting encrypted, but old files that got encrypted are still not accessible. Looking forward to your response. Kindly suggest the needful.

 




#6 lokesh92garg

lokesh92garg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 28 July 2015 - 01:03 PM

I would like to add one more point here; it might be helpful. I have a file in all the folders, and you can refer to the attachment to take a look at the file. Earlier the same message used to pop up on system boot, but now at least there is no pop-up, although the file still exists.




#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,454 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:42 AM

Posted 28 July 2015 - 01:13 PM

Have all the compromised files' extensions been changed to .i8xmgq?

If so, rename the files and just remove the .i8xmgq, leaving the normal extension intact.

For example, rename invoice.pdf.i8xmgq to invoice.pdf.

Can you open it?
 

"System is working ok as such but the encryption problem still exist"

This is strange; normally, once the files are encrypted, the infection is removed.

Please run the Farbar Recovery Scan Tool. Enter tsseCryp.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

Let me check the registry.

Please run the Farbar Recovery Scan Tool. Enter CryptPKO;CryptSig;A0752120-6D75-D111-B5B1-0800095A2318 in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

Edited by nasdaq, 28 July 2015 - 01:23 PM.
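Whether renaming back helps depends on whether the file's contents were changed or only its name. The Python below is an added check, not part of nasdaq's or lokesh92garg's posts: it strips a ransomware-appended suffix (".i8xmgq" is taken from this thread; the suffix and the small magic-number table are assumptions), compares the first bytes of the file with what the original extension should start with, and measures byte entropy. A file whose header still matches its type was only renamed, whereas a file with a mismatched header and near-maximal entropy is ciphertext and no rename will open it. Both inputs are constructed: a minimal PDF and a seeded pseudo-random blob standing in for encrypted content.

```python
"""Is a ransomware-suffixed file merely renamed or actually encrypted? (added example)"""
import math
import random
from collections import Counter
from typing import Dict, Optional

# Leading bytes expected for a few common types (assumption: a small table, not exhaustive).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
}
RANSOM_SUFFIX = ".i8xmgq"  # the suffix nasdaq asks about in this thread


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: uniform random bytes approach 8.0; text and structured files sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strip_ransom_suffix(name: str, suffix: str = RANSOM_SUFFIX) -> Optional[str]:
    """Return the name with the appended suffix removed, or None if the suffix is not there."""
    if len(name) > len(suffix) and name.lower().endswith(suffix.lower()):
        return name[: -len(suffix)]
    return None


def original_extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def classify(name: str, data: bytes, suffix: str = RANSOM_SUFFIX) -> Dict[str, object]:
    """Decide, from header bytes and entropy, whether renaming back can possibly recover the file."""
    restored = strip_ransom_suffix(name, suffix) or name
    ext = original_extension(restored)
    expected = MAGIC.get(ext)
    header_ok = None if expected is None else any(data.startswith(m) for m in expected)
    entropy = shannon_entropy(data[:4096])
    if header_ok:
        verdict = "header-intact"       # only the name changed; renaming back should open it
    elif header_ok is False and entropy > 7.0:
        verdict = "likely-encrypted"    # content is ciphertext; renaming cannot recover it
    elif header_ok is False:
        verdict = "header-mismatch"     # not the claimed type, but not high-entropy either
    else:
        verdict = "unknown-type"        # extension not in the table; inspect manually
    return {"restored_name": restored, "extension": ext, "header_ok": header_ok,
            "entropy": round(entropy, 2), "verdict": verdict}


# Constructed inputs: a minimal PDF, and seeded pseudo-random bytes standing in for ciphertext.
INTACT_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
_rng = random.Random(20150728)
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for label, blob in (("renamed only", INTACT_PDF), ("encrypted", ENCRYPTED_BLOB)):
        print(label, classify("invoice.pdf" + RANSOM_SUFFIX, blob))
```

Run against a real file, read the first few kilobytes in binary mode and pass them with the file name; a "header-intact" verdict means the rename suggested above will work, while "likely-encrypted" means the contents need a decryption key, which nothing on this page provides.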


#8 lokesh92garg

lokesh92garg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 28 July 2015 - 01:34 PM

When I try to rename a file, I am not able to remove .ix8mgq because it's not visible in the name. When I try to open any file, be it xls, xlsx, db, pdf, etc., it shows the same error as given in the previous screenshot.

When I try to rename, it just shows invoice.pdf, not invoice.pdf.ix8mgq, due to which I can't remove the .ix8mgq part from it.

 

Please refer to the below mentioned search log from search.txt that I obtained after following the given instructions:

 

Farbar Recovery Scan Tool (x64) Version:25-07-2015
Ran by Hanuman-PC at 2015-07-29 00:00:24
Running from C:\Users\Hanuman-PC\Downloads
Boot Mode: Normal
 
================== Search Registry: "CryptPKO;CryptSig" ===========
 
 
===================== Search result for "CryptPKO" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptPKO.CryptPKO.1]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
 
 
===================== Search result for "CryptSig" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptSig Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptSig.CryptSig"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptSig.CryptSig.1]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptSig Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptSig.CryptSig"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptSig Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptSig.CryptSig"
====== End of Search ======


#9 lokesh92garg

lokesh92garg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 28 July 2015 - 01:44 PM

Please wait for the updated Search log. I didn't notice the edit that you made. I will post the log according to the edited instructions in my next reply. Kindly wait a few minutes.



#10 lokesh92garg

lokesh92garg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 28 July 2015 - 01:51 PM

Please refer to the log below in order of instructions:

 

-------------Search File Log--------------------

Farbar Recovery Scan Tool (x64) Version:25-07-2015
Ran by Hanuman-PC at 2015-07-29 00:13:54
Running from C:\Users\Hanuman-PC\Downloads
Boot Mode: Normal
 
================== Search Files: "tsseCryp.dll" =============
 
====== End of Search ======
 
----------------Search Registry Log----------------
 
Farbar Recovery Scan Tool (x64) Version:25-07-2015
Ran by Hanuman-PC at 2015-07-29 00:21:25
Running from C:\Users\Hanuman-PC\Downloads
Boot Mode: Normal
 
================== Search Registry: "CryptPKO;CryptSig;A0752120-6D75-D111-B5B1-0800095A2318" ===========
 
 
===================== Search result for "CryptPKO" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptPKO.CryptPKO.1]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptPKO Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptPKO.CryptPKO"
 
 
===================== Search result for "CryptSig" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptSig Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptSig.CryptSig"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptSig.CryptSig.1]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptSig Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptSig.CryptSig"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}]
""="CryptSig Class"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
""="CryptSig.CryptSig"
====== End of Search ======


#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,454 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 July 2015 - 07:23 AM

Sorry about the issues where I edited my topic.
After sending my suggested fix I searched Google for CryptPKO to find out which registry key was causing this.


Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptPKO.CryptPKO.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptSig.CryptSig.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\VersionIndependentProgID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}]


Restart the computer when completed.

You can delete the fixme.reg file when done.


If the removal of the keys is successful, delete this file:
C:\WINDOWS\system32\tsseCryp.dll

Restart the computer to reset the registry.

====
 

I am not able to remove .ix8mgq because it's not visible in the name. When I try to open any file, be it xls, xlsx, db, pdf, etc., it shows the same error as given in the previous screenshot.
When I try to rename, it just shows invoice.pdf, not invoice.pdf.ix8mgq, due to which I can't remove the .ix8mgq part out of it.


Now that the registry keys have been deleted try to rename a file and see if you can open it.

#12 lokesh92garg

lokesh92garg
  • Topic Starter

  • Members
  • 12 posts

Posted 29 July 2015 - 12:15 PM

I followed the steps mentioned and updated the registry. A few things I would like to tell you are mentioned below:

1. There was no file named tsseCryp.dll inside System32 folder.

2. I restarted the computer and tried to rename the file, but again it's not showing .ix8mgq at rename time. When I tried to open the file it showed the same error as attached in the screenshot previously.

 

I also ran FRST.exe after following the steps, searched the Registry, and obtained the search log attached as a file.

I also tried to delete those keys manually by going to regedit.exe, but they are not getting deleted that way either. Please refer to the screenshot sshot2.PNG.

 

So, till now the files are not opening.

Attached Files


Edited by lokesh92garg, 29 July 2015 - 12:46 PM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,454 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 July 2015 - 12:53 PM

Press the following keys on the keyboard at the same time.

Windows key + R

Type REGEDIT in the run box and click OK.

This will open the Registry editor.

Find out and let me know if this key is present.
HKEY_CLASSES_ROOT\CLSID\{A0752120-6D75-D111-B5B1-0800095A2318}

#14 lokesh92garg

lokesh92garg
  • Topic Starter

  • Members
  • 12 posts

Posted 29 July 2015 - 01:01 PM

HKEY_CLASSES_ROOT\CLSID\{A0752120-6D75-D111-B5B1-0800095A2318} is NOT present in the registry editor.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,454 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 July 2015 - 01:33 PM

I'm not sure why my fix to remove the keys from the registry did not work. Try this.


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptPKO.CryptPKO.1
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C717-39BF-11D1-8CD9-00C04FC29D45}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CryptSig.CryptSig.1
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

I want to try to remove the .i8xmgq from the files.
To test it I need to know the complete path where the files are located.

For now I will make a try on this file.

invoice.pdf.i8xmgq

Run the Farbar tool and in the Search box enter invoice.pdf.i8xmgq

Post the results and wait for further instruction.

I'm leaving for a few hours; I will get back to you as soon as I can.
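
An added check, not part of the thread and not something nasdaq posted: before merging a .reg file or running a fixlist that deletes the CLSIDs in the two fixes above, export each key and record what it registers (class name, ProgID, and the InprocServer32 DLL with its Authenticode status), so the deletion can be judged and reversed. The CLSIDs and registry hives are the ones in the FRST search log; the backup folder name is an assumption.

```powershell
# Added example, not from the thread: inventory and back up the CLSIDs that the
# fixes delete, before deleting them. A COM class normally points InprocServer32
# at a signed system DLL; an unknown or unsigned path is what deserves attention.
$clsids = @(
    '{7444C717-39BF-11D1-8CD9-00C04FC29D45}',  # "CryptPKO Class" in the FRST log
    '{7444C719-39BF-11D1-8CD9-00C04FC29D45}'   # "CryptSig Class" in the FRST log
)
# 64-bit and 32-bit (Wow6432Node) views; both appeared in the log.
$roots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
$backupDir = Join-Path $env:USERPROFILE 'Desktop\clsid-backup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($clsid in $clsids) {
    foreach ($root in $roots) {
        $key = Join-Path $root $clsid
        if (-not (Test-Path $key)) {
            Write-Output "$key : not present"
            continue
        }
        # reg.exe wants the HKLM\... form rather than the PSDrive form.
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'
        $outFile = Join-Path $backupDir (($regPath -replace '[\\:{}]', '_') + '.reg')
        reg.exe export $regPath $outFile /y | Out-Null

        $name   = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $progid = (Get-ItemProperty -Path "$key\VersionIndependentProgID" -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        Write-Output $key
        Write-Output "    Class name : $name"
        Write-Output "    ProgID     : $progid"
        Write-Output "    Backup     : $outFile"
        if (-not $server) {
            Write-Output "    DLL        : no InprocServer32 value"
            continue
        }
        # The value may use %SystemRoot%-style variables; expand before looking on disk.
        $dll = [Environment]::ExpandEnvironmentVariables($server)
        if (Test-Path $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            Write-Output "    DLL        : $dll"
            Write-Output "    Signature  : $($sig.Status) $($sig.SignerCertificate.Subject)"
        } else {
            Write-Output "    DLL        : $server (file not found on disk)"
        }
    }
}
```

Run from an elevated PowerShell prompt; each exported .reg file can be merged back to restore a key if the deletion turns out to be wrong.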



