Cryptolocker .locky


  • This topic is locked
20 replies to this topic

#1 WhK_2

Posted 16 March 2016 - 06:10 PM

Hey Guys.
 
I have a machine infected by Cryptolocker .locky. The virus originated from an email:

 
Mervin Schwartz [SchwartzMervin12@hiddenlevel.ca]
Dear hoof,
 
Our finance department has processed your payment, unfortunately it has been declined.
 
Please, double check the information provided in the invoice (attached to this mail) and confirm your details.
 
Thank you for understanding.
 
Mervin Schwartz
Project Manager
 
 
and the attachment, of course: payment_document_493257.zip

 
 
I see that there is no remedy for unlocking the files…yet?
 
What could be done?
System restore?
Rebuilding the machine, drivers and operating system reload?

I did run anti-malware (Malwarebytes and others) but did not apply the remedy.
 
 
Please see the logs below.

Edited by WhK_2, 16 March 2016 - 06:15 PM.
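Added example (not part of the original thread, and not code from WhK_2 or from Farbar): a Python triage script for the "One Month Created files and folders" section of the FRST log posted in reply #2. It pulls out the renamed files, derives the shared 16-hex-character prefix that Locky uses as the victim ID (09C0ECA40504F868 in the posted log), locates the _Locky_recover_instructions ransom note, lists the affected folders, and bounds the encryption window from the created timestamps, which is the window to line up against when the payment_document zip was opened. It keys on the .locky extension and the note rather than on odd-looking names: the hidden folders such as C:\!klsjtmjklwkxelddworwq in the log were created at 05:33 on 16 March, the same minute the EasySync CryptoMonitor install appears, so a name-based heuristic would misattribute them. The sample lines embedded in the script are constructed from a few entries of the posted log; the function and constant names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a handful of lines in the format of FRST's
# "One Month Created files and folders" section, taken from the
# shape of the log posted in this thread (not the full log).
SAMPLE_FRST = """\
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\\!klsjtmjklwkxelddworwq
2016-03-15 08:34 - 2016-03-15 08:34 - 03008646 _____ C:\\Users\\Marina\\Desktop\\_Locky_recover_instructions.bmp
2016-03-15 08:30 - 2016-03-15 08:30 - 12955981 _____ C:\\Users\\Marina\\Documents\\09C0ECA40504F8680AB8B4FBB99244F9.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00140612 _____ C:\\Users\\Marina\\Desktop\\09C0ECA40504F868431C810706B27D66.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015571 _____ C:\\Users\\Marina\\Documents\\09C0ECA40504F868AFEF8A442406C19C.locky
2016-03-15 21:50 - 2016-03-15 21:50 - 141270216 _____ (Microsoft Corporation) C:\\Windows\\system32\\MRT.exe
"""

# One FRST "created files" line: created - modified - size attrs [(vendor)] path
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\([^)]*\) )?(?P<path>.+)$"
)
# Locky's rename scheme: 16 hex chars of victim ID, 16 more hex chars, ".locky"
LOCKY_NAME = re.compile(r"(?i)\\(?P<victim>[0-9A-F]{16})(?P<rest>[0-9A-F]{16})\.locky$")
# Ransom note dropped next to the encrypted files
RANSOM_NOTE = re.compile(r"(?i)\\_Locky_recover_instructions\.(txt|bmp)$")


def parse_frst_created(text):
    """Parse the created-files section into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FRST_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["created"] = datetime.strptime(d["created"], "%Y-%m-%d %H:%M")
        d["size"] = int(d["size"])
        entries.append(d)
    return entries


def triage_locky(entries):
    """Summarise Locky indicators: encrypted files, victim ID, note, time window."""
    encrypted, notes, victim_ids = [], [], Counter()
    for e in entries:
        m = LOCKY_NAME.search(e["path"])
        if m:
            encrypted.append(e)
            victim_ids[m.group("victim").upper()] += 1
        elif RANSOM_NOTE.search(e["path"]):
            notes.append(e)
    first = min((e["created"] for e in encrypted), default=None)
    last = max((e["created"] for e in encrypted), default=None)
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": [e["path"] for e in notes],
        # The prefix shared by every renamed file is the victim ID
        "victim_id": victim_ids.most_common(1)[0][0] if victim_ids else None,
        "first_seen": first,
        "last_seen": last,
        "window_minutes": int((last - first).total_seconds() // 60) if encrypted else None,
        "affected_dirs": sorted({e["path"].rsplit("\\", 1)[0] for e in encrypted}),
    }


if __name__ == "__main__":
    summary = triage_locky(parse_frst_created(SAMPLE_FRST))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a saved FRST.txt by reading the file in place of SAMPLE_FRST; the created timestamps only have minute resolution, so the window is a lower bound on how long encryption ran.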


#2 WhK_2 (Topic Starter)

Posted 16 March 2016 - 06:12 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by Marina (administrator) on MARINA-PC (17-03-2016 00:11:50)
Running from C:\Users\Marina\Downloads
Loaded Profiles: Marina (Available Profiles: Marina)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Intel Corporation) C:\Program Files\Intel\Bluetooth\devmonsrv.exe
(CrypKey (Canada) Ltd.) C:\Windows\System32\Crypserv.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
() C:\Program Files\Hotkey\PowerBiosServer.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Intel Corporation) C:\Program Files\Intel\Bluetooth\obexsrv.exe
(Vodafone) C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(VIA) C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
(Chicony) C:\Program Files\ChiconyCam\CECAPLF.exe
(Intel Corporation) C:\Program Files\Intel\Bluetooth\BleServicesCtrl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Vodafone) C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
(Microsoft Corporation) C:\Program Files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
() C:\Program Files\Hotkey\Hotkey.exe
(KYOCERA MITA Corporation) C:\Scans\Scanner\NsCatCom.exe
(Intel Corporation) C:\Program Files\Intel\Bluetooth\mediasrv.exe
(Intel Corporation) C:\Program Files\Intel\Bluetooth\btplayerctrl.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\MSACCESS.EXE
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(EasySync Solutions) C:\Program Files\EasySync Solutions\EasySync CryptoMonitor\CryptoMonitor.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\sdclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [997920 2011-03-08] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2011-01-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1897768 2010-09-16] (Synaptics Incorporated)
HKLM\...\Run: [USB3MON] => C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation)
HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe [3920496 2012-05-10] (VIA)
HKLM\...\Run: [CECAPLF] => C:\Program Files\ChiconyCam\CECAPLF.exe [121456 2011-07-06] (Chicony)
HKLM\...\Run: [BLEServicesCtrl] => C:\Program Files\Intel\Bluetooth\BleServicesCtrl.exe [152336 2012-02-17] (Intel Corporation)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [MobileBroadband] => C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe [408576 2011-04-19] (Vodafone)
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\Run: [E09AXLRD_8579914] => C:\Program Files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE [351000 2008-06-03] (Microsoft Corporation)
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec678688-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec67868d-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec678692-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Hotkey.lnk [2013-08-21]
ShortcutTarget: Hotkey.lnk -> C:\Program Files\Hotkey\Hotkey.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Scanner File Utility.lnk [2015-09-10]
ShortcutTarget: Scanner File Utility.lnk -> C:\Scans\Scanner\NsCatCom.exe (KYOCERA MITA Corporation)
Startup: C:\Users\Marina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2014-08-26]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{10F88100-512A-4564-998B-96448156B696}: [NameServer] 196.207.36.251 196.207.36.254
Tcpip\..\Interfaces\{968B428D-E897-4B07-B8EA-9BEC46B253F4}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{ECEE11D8-7293-4899-B951-7FFD5846D5CE}: [DhcpNameServer] 8.8.8.8
 
Internet Explorer:
==================
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.co.za/
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://nmd.msn.com
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.mecer.co.za
SearchScopes: HKLM -> DefaultScope {E31E1C16-6687-400A-BB79-F621C72621A9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {E31E1C16-6687-400A-BB79-F621C72621A9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3224813657-2164533672-2916792233-1000 -> DefaultScope {C148EDFA-3A25-4C9E-9FB6-1565A469F664} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3224813657-2164533672-2916792233-1000 -> {C148EDFA-3A25-4C9E-9FB6-1565A469F664} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-01-30] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll [2012-02-10] (Microsoft Corporation.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll [2012-02-10] (Microsoft Corporation.)
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-03-29] (Belarc, Inc.)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32.dll [2011-08-11] ()
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-03-15] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-03-15] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-03-15]
CHR Extension: (Google Docs) - C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-03-15]
CHR Extension: (Google Drive) - C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-03-15]
CHR Extension: (YouTube) - C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-03-15]
CHR Extension: (Google Sheets) - C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-03-15]
CHR Extension: (Google Docs Offline) - C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-03-15]
CHR Extension: (Gmail) - C:\Users\Marina\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-03-15]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMPPALR3; C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [509440 2012-01-09] (Intel Corporation)
R2 Bluetooth Device Monitor; C:\Program Files\Intel\Bluetooth\devmonsrv.exe [1014096 2012-02-21] (Intel Corporation)
R3 Bluetooth Media Service; C:\Program Files\Intel\Bluetooth\mediasrv.exe [1304912 2012-02-21] (Intel Corporation)
R2 Bluetooth OBEX Service; C:\Program Files\Intel\Bluetooth\obexsrv.exe [1104208 2012-02-21] (Intel Corporation)
R2 BTHSSecurityMgr; C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [104208 2012-01-17] (Intel® Corporation)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [276288 2012-05-24] (Intel Corporation)
R2 Crypkey License; C:\Windows\system32\crypserv.exe [122880 2008-05-08] (CrypKey (Canada) Ltd.) [File not signed]
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel® Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165144 2012-05-15] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [11736 2010-11-11] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [241936 2012-02-26] ()
R3 NisSrv; c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [206360 2010-11-11] (Microsoft Corporation)
R2 PowerBiosServer; C:\Program Files\Hotkey\PowerBiosServer.exe [35328 2011-02-18] () [File not signed]
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2012-05-03] (VIA Technologies, Inc.)
R2 VmbService; C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [9216 2011-04-19] (Vodafone) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2324752 2012-02-26] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AMPPAL; C:\Windows\System32\DRIVERS\AMPPAL.sys [141312 2012-01-09] (Windows ® Win 7 DDK provider)
S3 AMPPALP; C:\Windows\System32\DRIVERS\amppal.sys [141312 2012-01-09] (Windows ® Win 7 DDK provider)
S3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [76800 2011-11-30] (Intel Corporation)
S3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [558592 2011-11-30] (Intel Corporation)
R0 cbfltfs3; C:\Windows\System32\drivers\cbfltfs3.sys [239552 2015-04-01] (EldoS Corporation)
R3 eapihdrv; C:\Users\Marina\AppData\Local\Temp\ehdrv.sys [135760 2016-03-15] (ESET)
S3 huawei_cdcacm; C:\Windows\System32\DRIVERS\ew_jucdcacm.sys [85760 2011-04-18] (Huawei Technologies Co., Ltd.)
S3 huawei_ext_ctrl; C:\Windows\System32\DRIVERS\ew_juextctrl.sys [26496 2011-04-18] (Huawei Technologies Co., Ltd.)
S3 huawei_wwanecm; C:\Windows\System32\DRIVERS\ew_juwwanecm.sys [168448 2011-04-18] (Huawei Technologies Co., Ltd.)
S3 ibtfltcoex; C:\Windows\System32\DRIVERS\iBtFltCoex.sys [48128 2012-02-14] (Intel Corporation)
S3 intaud_WaveExtensible; C:\Windows\System32\drivers\intelaud.sys [30136 2012-04-19] (Intel Corporation)
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [15680 2012-05-21] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [350016 2012-05-21] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [793920 2012-05-21] (Intel Corporation)
R3 iwdbus; C:\Windows\System32\DRIVERS\iwdbus.sys [22456 2012-04-19] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-03-16] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [46080 2011-11-10] (Intel Corporation)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
R1 MpKslb3e321d4; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A33E4BA2-0800-432B-AF82-3FDDD95FFA84}\MpKslb3e321d4.sys [39168 2016-03-16] (Microsoft Corporation)
R3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [43392 2010-10-24] (Microsoft Corporation)
R3 NETwNs32; C:\Windows\System32\DRIVERS\Netwsn00.sys [10339840 2012-02-20] (Intel Corporation)
R1 NetworkX; C:\Windows\system32\ckldrv.sys [21638 2008-08-22] () [File not signed]
R3 RSBASTOR; C:\Windows\System32\DRIVERS\RtsBaStor.sys [219752 2012-05-09] (Realtek Semiconductor Corp.)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1832560 2012-05-03] (VIA Technologies, Inc.)
R3 wdkmd; C:\Windows\System32\DRIVERS\WDKMD.sys [39320 2012-04-19] (Intel Corporation)
R3 efavdrv; \??\C:\Windows\system32\drivers\efavdrv.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-03-17 00:11 - 2016-03-17 00:13 - 00019778 _____ C:\Users\Marina\Downloads\FRST.txt
2016-03-17 00:11 - 2016-03-17 00:11 - 00000000 ____D C:\FRST
2016-03-17 00:09 - 2016-03-17 00:10 - 01725440 _____ (Farbar) C:\Users\Marina\Downloads\FRST.exe
2016-03-16 23:27 - 2016-03-16 23:28 - 00000000 ___DC C:\Users\Marina\AppData\Local\MigWiz
2016-03-16 05:40 - 2016-03-16 23:22 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-16 05:39 - 2016-03-16 05:39 - 00001072 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-16 05:39 - 2016-03-16 05:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-16 05:39 - 2016-03-16 05:39 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-03-16 05:39 - 2016-03-16 05:39 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-03-16 05:39 - 2015-10-05 09:50 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-16 05:39 - 2015-10-05 09:50 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-16 05:39 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\@toyklsjtmjklwkxenifwz.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\)vbxbklsjtmjklwkxewdqj.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\!tklsjtmjklwkxebcicklb.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00006200 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\^gizvtklsjtmjklwkxentg.tiff
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Downloads\@qfvmotklsjtmjklwkxetf
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Documents\%nklsjtmjklwkxeqckdqqa
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Desktop\%ndyklsjtmjklwkxepjkay
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\AAODFxklsjtmjklwkxeihvjpvb
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\$xklsjtmjklwkxeihvjpvb
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\#gklsjtmjklwkxeamgopzc
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\!klsjtmjklwkxelddworwq
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ____D C:\Users\Marina\AppData\Local\EasySync_Solutions
2016-03-16 05:33 - 2015-04-01 16:31 - 00239552 _____ (EldoS Corporation) C:\Windows\system32\Drivers\cbfltfs3.sys
2016-03-16 05:32 - 2016-03-16 05:32 - 00001227 _____ C:\Users\Public\Desktop\CryptoMonitor.lnk
2016-03-16 05:32 - 2016-03-16 05:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasySync CryptoMonitor
2016-03-16 05:32 - 2016-03-16 05:32 - 00000000 ____D C:\ProgramData\Caphyon
2016-03-16 05:32 - 2016-03-16 05:32 - 00000000 ____D C:\Program Files\EasySync Solutions
2016-03-16 05:25 - 2016-03-15 21:56 - 22908888 _____ (Malwarebytes ) C:\Users\Marina\Downloads\mbam-setup-2.2.0.1024.exe
2016-03-16 05:25 - 2016-03-15 18:44 - 10091440 _____ (EasySync Solutions) C:\Users\Marina\Downloads\EasySync_CryptoMonitor_Setup.exe
2016-03-15 21:50 - 2016-03-15 21:50 - 141270216 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-03-15 21:36 - 2016-03-15 21:49 - 54887136 _____ (Microsoft Corporation) C:\Users\Marina\Downloads\Windows-KB890830-V5.34.exe
2016-03-15 21:18 - 2016-03-15 21:19 - 02760672 _____ C:\Users\Marina\Downloads\pandaunransom.exe
2016-03-15 21:17 - 2016-03-15 21:30 - 55550688 _____ (Microsoft Corporation) C:\Users\Marina\Downloads\Windows-KB890830-x64-V5.34.exe
2016-03-15 21:14 - 2016-03-15 21:14 - 00000000 ____D C:\ProgramData\ESET
2016-03-15 21:12 - 2016-03-15 21:14 - 02273880 _____ (ESET) C:\Users\Marina\Downloads\ERARemover_x86.exe
2016-03-15 21:03 - 2016-03-15 21:04 - 00000000 ____D C:\Users\Marina\AppData\Roaming\EasySync Solutions
2016-03-15 21:03 - 2016-03-15 18:44 - 10091440 _____ (EasySync Solutions) C:\Users\Marina\Documents\EasySync_CryptoMonitor_Setup.exe
2016-03-15 16:39 - 2016-03-15 16:39 - 00000000 ____D C:\Program Files\ESET
2016-03-15 16:34 - 2016-03-15 16:38 - 02870984 _____ (ESET) C:\Users\Marina\Downloads\esetsmartinstaller_enu.exe
2016-03-15 15:35 - 2016-03-15 22:56 - 00000000 ____D C:\Users\Marina\AppData\Local\Google
2016-03-15 15:35 - 2016-03-15 15:35 - 00002225 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-15 15:31 - 2016-03-16 23:36 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-03-15 15:31 - 2016-03-16 22:18 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-03-15 15:31 - 2016-03-15 15:35 - 00000000 ____D C:\Program Files\Google
2016-03-15 15:24 - 2016-03-15 15:31 - 00000000 ____D C:\Users\Marina\AppData\Local\Deployment
2016-03-15 15:24 - 2016-03-15 15:24 - 00000000 ____D C:\Users\Marina\AppData\Local\Apps\2.0
2016-03-15 15:06 - 2016-03-15 15:23 - 89692744 _____ (Kaspersky Lab ZAO) C:\Users\Marina\Downloads\KVRT.exe
2016-03-15 12:30 - 2016-03-15 12:30 - 00000064 _____ C:\Users\Marina\Desktop\Annual Schools Survey 2016 (Ordinary Schools).ldb
2016-03-15 12:28 - 2016-03-15 12:29 - 00000000 ____D C:\KVRT_Data
2016-03-15 12:28 - 2016-03-02 09:39 - 90683464 _____ (Kaspersky Lab ZAO) C:\Users\Marina\Downloads\KVRT (4).exe
2016-03-15 09:51 - 2016-03-15 09:51 - 00096912 _____ C:\Users\Marina\Desktop\2016 ASOE 700230912 LAERSKOOL KAMEELDRIFT.xml
2016-03-15 08:34 - 2016-03-15 08:34 - 03008646 _____ C:\Users\Marina\Desktop\_Locky_recover_instructions.bmp
2016-03-15 08:31 - 2016-03-15 14:17 - 44834816 _____ C:\Users\Marina\Desktop\Annual Schools Survey 2016 (Ordinary Schools).mdb
2016-03-15 08:30 - 2016-03-15 08:30 - 12955981 _____ C:\Users\Marina\Documents\09C0ECA40504F8680AB8B4FBB99244F9.locky
2016-03-15 08:30 - 2016-03-15 08:30 - 02323902 _____ C:\Users\Marina\Downloads\09C0ECA40504F8687E8EDDFC5F7ED55A.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02634447 _____ C:\Users\Marina\Downloads\09C0ECA40504F868BBF15E8899C7A9F9.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02634447 _____ C:\Users\Marina\Downloads\09C0ECA40504F868A9658D1D6A722EB6.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02617219 _____ C:\Users\Marina\Downloads\09C0ECA40504F8680C74D0929AACE643.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F86875E20CFFAE1CA96A.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F8686D8FE875A22968BD.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F8685D94E07901F9B850.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F868173A7DB13FF62206.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02455262 _____ C:\Users\Marina\Downloads\09C0ECA40504F8687B1B97FAF8B8A5EB.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02455262 _____ C:\Users\Marina\Downloads\09C0ECA40504F8683EEED796FC6D4C62.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02423956 _____ C:\Users\Marina\Downloads\09C0ECA40504F868DFC2DEBC40F19771.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02156940 _____ C:\Users\Marina\Downloads\09C0ECA40504F8689B4C5828A227A456.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02182784 _____ C:\Users\Marina\Desktop\09C0ECA40504F868B76E58B9EE5BF3B1.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02182780 _____ C:\Users\Marina\Desktop\09C0ECA40504F8686A3618CD45FBDE76.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02077089 _____ C:\Users\Marina\Desktop\09C0ECA40504F8681F21E47D1D111884.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02038596 _____ C:\Users\Marina\Desktop\09C0ECA40504F868850833754C56096C.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02025193 _____ C:\Users\Marina\Desktop\09C0ECA40504F868AD118AFF8025E0A5.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01823775 _____ C:\Users\Marina\Desktop\09C0ECA40504F86850F6D60CAC584496.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01822020 _____ C:\Users\Marina\Documents\09C0ECA40504F868311938376D1A27FB.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01374532 _____ C:\Users\Marina\Desktop\09C0ECA40504F8687BDF4CEF0454AA4C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00597828 _____ C:\Users\Marina\Desktop\09C0ECA40504F868A0B87DFB055A072D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00140612 _____ C:\Users\Marina\Desktop\09C0ECA40504F868431C810706B27D66.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00140612 _____ C:\Users\Marina\Desktop\09C0ECA40504F86816729440B47119F7.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00074057 _____ C:\Users\Marina\Downloads\09C0ECA40504F8689C80B68EB0D8A9F5.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00055957 _____ C:\Users\Marina\Documents\09C0ECA40504F868CAE2970EEC4E70ED.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00030506 _____ C:\Users\Marina\Documents\09C0ECA40504F8682097F4B041CB7650.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00028468 _____ C:\Users\Marina\Documents\09C0ECA40504F868807CF8B703D3AD81.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00025762 _____ C:\Users\Marina\Documents\09C0ECA40504F868034C9DA018E73A0D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00025420 _____ C:\Users\Marina\Documents\09C0ECA40504F86808BD7FA661676929.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00024429 _____ C:\Users\Marina\Documents\09C0ECA40504F8683F620D5BFDA2A668.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023942 _____ C:\Users\Marina\Documents\09C0ECA40504F8686EEADAFFACAA11F8.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023693 _____ C:\Users\Marina\Documents\09C0ECA40504F868EADC97BB1AAD0585.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023510 _____ C:\Users\Marina\Documents\09C0ECA40504F8687BD3C2014553EAF2.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00022060 _____ C:\Users\Marina\Documents\09C0ECA40504F8686C3F63775B47DEC8.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00021395 _____ C:\Users\Marina\Documents\09C0ECA40504F868137F55C6C990C26F.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00021211 _____ C:\Users\Marina\Documents\09C0ECA40504F86892CC449355AB3B04.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020535 _____ C:\Users\Marina\Documents\09C0ECA40504F8688D6FF17A072089AA.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020422 _____ C:\Users\Marina\Documents\09C0ECA40504F8683F1DC8DFCFCA3C22.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020248 _____ C:\Users\Marina\Documents\09C0ECA40504F868D846396FCBDDED07.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019562 _____ C:\Users\Marina\Documents\09C0ECA40504F868C5B08464B32B2CD9.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019267 _____ C:\Users\Marina\Documents\09C0ECA40504F86885A59FC04EDF89DE.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019168 _____ C:\Users\Marina\Documents\09C0ECA40504F86809234B96F7FF7DBA.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019020 _____ C:\Users\Marina\Documents\09C0ECA40504F868FA2CC9B7447F308B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018672 _____ C:\Users\Marina\Documents\09C0ECA40504F868C93D16CBE6E39259.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018083 _____ C:\Users\Marina\Documents\09C0ECA40504F86838A954F4DF828398.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018076 _____ C:\Users\Marina\Documents\09C0ECA40504F868D2B4C962D40674BF.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017894 _____ C:\Users\Marina\Documents\09C0ECA40504F8681D17F0A38E5AB11E.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017823 _____ C:\Users\Marina\Documents\09C0ECA40504F868751A225C8640346B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017561 _____ C:\Users\Marina\Documents\09C0ECA40504F868C2E603DD486A17EB.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017536 _____ C:\Users\Marina\Documents\09C0ECA40504F868C60B8E8C002040E5.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017491 _____ C:\Users\Marina\Documents\09C0ECA40504F86858297976D9FDF49B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017219 _____ C:\Users\Marina\Documents\09C0ECA40504F86885FA0B80A7224160.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016989 _____ C:\Users\Marina\Documents\09C0ECA40504F868E492347C145E2939.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016931 _____ C:\Users\Marina\Documents\09C0ECA40504F868E190E8BC5188CB50.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016896 _____ C:\Users\Marina\Documents\09C0ECA40504F868525B65DD42194314.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016792 _____ C:\Users\Marina\Documents\09C0ECA40504F86824A9039FB87C8C61.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016768 _____ C:\Users\Marina\Documents\09C0ECA40504F8682D8D833F7B7DE3E9.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015571 _____ C:\Users\Marina\Documents\09C0ECA40504F868AFEF8A442406C19C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015350 _____ C:\Users\Marina\Documents\09C0ECA40504F868BFFA5B48D9BD81F3.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015189 _____ C:\Users\Marina\Documents\09C0ECA40504F8682F9372ED76E3F1A4.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015180 _____ C:\Users\Marina\Documents\09C0ECA40504F868AA9E6D2208C4780D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014960 _____ C:\Users\Marina\Documents\09C0ECA40504F86839495D98CDCEEA55.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014723 _____ C:\Users\Marina\Documents\09C0ECA40504F868F3ACB061D243761C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014571 _____ C:\Users\Marina\Documents\09C0ECA40504F868C4096BAB87A8BFB3.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00013558 _____ C:\Users\Marina\Documents\09C0ECA40504F86816A6B04E4CCCBE61.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00005974 _____ C:\Users\Marina\Desktop\09C0ECA40504F86845E4702AE63F9A9D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00004069 _____ C:\Users\Marina\Downloads\09C0ECA40504F868CF105D84997A5E0A.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00001931 _____ C:\09C0ECA40504F86843D36E1E417FD93C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00001073 _____ C:\Users\Marina\Downloads\_Locky_recover_instructions.txt
2016-03-15 08:26 - 2016-03-15 08:26 - 00001073 _____ C:\_Locky_recover_instructions.txt
2016-03-15 08:26 - 2016-03-15 08:26 - 00000860 _____ C:\09C0ECA40504F868473B2430BAA1D49D.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00106820 _____ C:\Users\Marina\Documents\09C0ECA40504F868C042BC31C6DD11DA.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00038212 _____ C:\Users\Marina\Documents\09C0ECA40504F868B87BBA148946E79E.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00035652 _____ C:\Users\Marina\Documents\09C0ECA40504F868DA9B8A9D2FD89DF1.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00014660 _____ C:\Users\Marina\Documents\09C0ECA40504F8688C0F07F860B0F5D2.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00001073 _____ C:\Users\Marina\Documents\_Locky_recover_instructions.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-03-17 00:09 - 2009-07-14 06:34 - 00027568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-17 00:09 - 2009-07-14 06:34 - 00027568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-16 22:13 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\system32\NDF
2016-03-16 05:33 - 2014-01-30 08:08 - 00000000 ____D C:\Users\Marina
2016-03-16 05:32 - 2010-11-20 23:01 - 00771502 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-16 05:32 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\inf
2016-03-15 09:51 - 2016-01-26 08:14 - 00000000 ____D C:\ExportData
2016-03-15 08:36 - 2013-09-04 15:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2016-03-15 08:33 - 2014-01-30 08:41 - 00000000 ____D C:\Users\Marina\Documents\Steve
2016-03-15 08:28 - 2015-05-03 21:20 - 00000000 ____D C:\Users\Marina\Desktop\Izaan Fotos
2016-03-15 08:28 - 2014-01-30 08:36 - 00000000 ____D C:\Users\Marina\Desktop\Love on the Mountain fotos
2016-03-15 08:27 - 2014-12-04 12:57 - 00000000 ____D C:\Users\Marina\Desktop\sanja
2016-03-15 08:27 - 2014-01-30 08:39 - 00000000 ____D C:\Users\Marina\Documents\GdeIpLessonPlans
2016-03-15 08:27 - 2014-01-30 08:39 - 00000000 ____D C:\Users\Marina\Documents\GdeFpLessonPlans
2016-03-15 08:26 - 2014-08-12 11:28 - 00000000 ____D C:\ProgramData\Vodafone
2016-03-15 08:26 - 2014-01-30 08:40 - 00000000 ____D C:\Users\Marina\Documents\Marina's Doc's van ander Pc
2016-03-15 08:26 - 2014-01-30 08:40 - 00000000 ____D C:\Users\Marina\Documents\GdeSpLessonPlans
2016-03-15 08:26 - 2014-01-30 08:39 - 00000000 ____D C:\Users\Marina\Documents\annual report pip
2016-03-15 08:26 - 2014-01-30 08:36 - 00000000 ____D C:\Users\Marina\Desktop\IQMS
2016-03-15 08:26 - 2014-01-30 08:36 - 00000000 ____D C:\Users\Marina\Desktop\IFA
2016-03-15 08:25 - 2014-01-30 08:40 - 00000000 ____D C:\Users\Marina\Documents\IQMS.MARLET
2016-03-15 08:25 - 2014-01-30 08:38 - 00000000 ____D C:\Scans
2016-03-15 08:02 - 2009-07-14 06:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-10 13:21 - 2014-08-05 13:18 - 00000000 ____D C:\Users\Marina\AppData\Local\ElevatedDiagnostics
 
==================== Files in the root of some directories =======
 
2015-08-31 08:06 - 2015-10-02 08:35 - 0005120 _____ () C:\Users\Marina\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-12-10 11:29 - 2014-12-10 11:29 - 0004096 ____H () C:\Users\Marina\AppData\Local\keyfile3.drm
2011-04-18 15:39 - 2011-04-18 15:39 - 0226364 ____R () C:\ProgramData\DeviceManager.xml.rc4
 
Some files in TEMP:
====================
C:\Users\Marina\AppData\Local\Temp\_is9840.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-03-15 23:58
 
==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by Marina (2016-03-17 00:14:28)
Running from C:\Users\Marina\Downloads
Microsoft Windows 7 Professional  Service Pack 1 (X86) (2014-01-30 06:08:51)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3224813657-2164533672-2916792233-500 - Administrator - Disabled)
Guest (S-1-5-21-3224813657-2164533672-2916792233-501 - Limited - Disabled)
Marina (S-1-5-21-3224813657-2164533672-2916792233-1000 - Administrator - Enabled) => C:\Users\Marina
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {108DAC43-C256-20B7-BB05-914135DA5160}
AS: Microsoft Security Essentials (Enabled - Up to date) {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
2007 Microsoft Office Suite Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
Adobe Flash Player 10 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 10.3.181.14 - Adobe Systems Incorporated)
Adobe Reader X (10.0.1) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA0000000001}) (Version: 10.0.1 - Adobe Systems Incorporated)
Belarc Advisor 8.3 (HKLM\...\Belarc Advisor) (Version: 8.3.2.0 - Belarc Inc.)
Bing Bar (HKLM\...\{D6C3C9E7-D334-4918-BD57-5B1EF14C207D}) (Version: 7.1.361.0 - Microsoft Corporation)
BisonCam (HKLM\...\{5BBC4803-C96E-4D3E-9D1D-2E43774C4062}) (Version:  - BisonCam)
BluBox (HKLM\...\{AA8770A4-6891-49C7-B706-587327AAC749}_is1) (Version: 5.0.3 - iBlubox Ltd.)
ChiconyCam (HKLM\...\{A2201542-DA80-457F-8BD9-6C9C90196481}) (Version: 1.0.54.0521 - Chicony Electronics Co.,Ltd.)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
EasySync CryptoMonitor (HKLM\...\EasySync CryptoMonitor 2.0.420.0) (Version: 2.0.420.0 - EasySync Solutions)
EasySync CryptoMonitor (Version: 2.0.420.0 - EasySync Solutions) Hidden
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
Google Chrome (HKLM\...\Google Chrome) (Version: 49.0.2623.87 - Google Inc.)
Google Update Helper (Version: 1.3.29.5 - Google Inc.) Hidden
Head Count 2016 version 1.2 (HKLM\...\{F062ADD2-596A-4F5C-9787-7AD816BEBE74}_is1) (Version: 1.2 - Gauteng Department of Education)
Hotkey 6.0046 (HKLM\...\InstallShield_{164714B6-46BC-4649-9A30-A6ED32F03B5A}) (Version: 6.0046 - NoteBook)
Hotkey 6.0046 (Version: 6.0046 - NoteBook) Hidden
Intel® Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.12.1498 - Intel Corporation)
Intel® OpenCL CPU Runtime (HKLM\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version:  - Intel Corporation)
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2761 - Intel Corporation)
Intel® PROSet/Wireless for Bluetooth® + High Speed (HKLM\...\{37EC048A-81A2-452A-8D1F-3BE2018E767D}) (Version: 15.1.0.0096 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology (HKLM\...\{520C4DD4-2BC7-409B-BA48-E1A4F832662D}) (Version: 2.1.0.0140 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.5.235 - Intel Corporation)
Intel® WiDi (HKLM\...\{728985C5-A04B-457C-9D62-15360F3EAF85}) (Version: 3.1.29.0 - Intel Corporation)
Intel® PROSet/Wireless WiFi Software (HKLM\...\{E97F409F-9E1C-42A0-B72D-765A78DF3696}) (Version: 15.01.0000.0830 - Intel Corporation)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kyocera Product Library (HKLM\...\Kyocera Product Library) (Version: 4.2.1909 - KYOCERA Document Solutions Inc.)
Kyocera Scanner File Utility (HKLM\...\{61C79AE1-5403-4687-AC68-28BFA5EF3895}) (Version: 3.16.9 - KyoceraMita)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Messenger Companion (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Encarta Premium 2009 (HKLM\...\{09040081-2C94-4A67-8E55-8483C019C7D2}) (Version: 2009 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 2.0.719.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Platform (Version: 1.39 - VIA Technologies, Inc.) Hidden
Realtek Ethernet Controller Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.54.309.2012 - Realtek)
Realtek PCIE Card Reader (HKLM\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.27020 - Realtek Semiconductor Corp.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.1.14.0 - Synaptics Incorporated)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VIA Platform Device Manager (HKLM\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.39 - VIA Technologies, Inc.)
Vodafone Mobile Broadband Lite (HKLM\...\{6C29152D-3FF9-43B2-84E4-9B35FC0BF5C2}) (Version: 10.2.103.31248 - Vodafone)
WebCam Installer (HKLM\...\InstallShield_{2A14D7BC-1876-4B38-830B-18856C27F550}) (Version: 4.041 - WebCam)
WebCam Installer (Version: 4.041 - WebCam) Hidden
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {24065A47-05C7-43B4-A455-98529A86E79D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-03-15] (Google Inc.)
Task: {28D4A9FA-C802-46D3-8630-76FAC378913D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-03-15] (Google Inc.)
Task: {9C157B27-55AE-4F0E-BB08-F1F7731A7A23} - System32\Tasks\Microsoft\Microsoft Antimalware\MP Scheduled Scan => c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11] (Microsoft Corporation)
Task: {C6EDC684-6DAD-4B1A-9110-2FBCA045ACD3} - System32\Tasks\CryptoMonitor_SU => C:\Program Files\EasySync Solutions\EasySync CryptoMonitor\CryptoMonitor.exe [2015-05-06] (EasySync Solutions)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2007-11-06 14:26 - 2014-01-30 10:36 - 00011264 _____ () C:\Windows\System32\KOBZQJBL.dll
2011-02-18 15:57 - 2011-02-18 15:57 - 00035328 _____ () C:\Program Files\Hotkey\PowerBiosServer.exe
2014-08-24 19:54 - 2014-08-24 19:54 - 00172032 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\de4aaa11d46d614b5330b337b67e5227\IsdiInterop.ni.dll
2013-08-21 20:46 - 2011-11-29 20:00 - 00059392 _____ () C:\Program Files\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2013-08-21 20:26 - 2012-05-10 15:03 - 01198872 _____ () C:\Program Files\Intel\Intel® Management Engine Components\UNS\ACE.dll
2013-08-21 20:29 - 2012-05-10 09:45 - 00080496 ____R () C:\Program Files\VIA\VIAudioi\VDeck\QsApoApi.dll
2013-08-21 20:29 - 2012-05-10 09:45 - 00113264 ____R () C:\Program Files\VIA\VIAudioi\VDeck\Dts2ApoApi.dll
2013-07-03 08:07 - 2012-05-21 10:38 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2011-04-19 16:12 - 2011-04-19 16:12 - 00308736 _____ () C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\Vodafone.View.Taskbar.dll
2009-07-13 23:03 - 2009-07-14 03:15 - 00364544 _____ () C:\Windows\system32\msjetoledb40.dll
2008-06-03 11:06 - 2008-06-03 11:06 - 00269080 _____ () C:\Program Files\Common Files\Microsoft Shared\Reference 2009\ERSREGPR.DLL
2008-06-03 11:06 - 2008-06-03 11:06 - 00228120 _____ () C:\Program Files\Common Files\Microsoft Shared\Reference 2009\MSENCDAT.DLL
2008-06-03 11:06 - 2008-06-03 11:06 - 00178968 _____ () C:\Program Files\Common Files\Microsoft Shared\Reference 2009\ENCCONT.DLL
2008-06-03 11:06 - 2008-06-03 11:06 - 00351000 _____ () C:\Program Files\Common Files\Microsoft Shared\Reference 2009\MSENCXML.DLL
2008-06-03 11:05 - 2008-06-03 11:05 - 00068376 _____ () C:\Program Files\Microsoft Encarta\Encarta Premium DVD 2009\EDICTEIT.EBK
2012-04-13 11:35 - 2012-04-13 11:35 - 04727808 _____ () C:\Program Files\Hotkey\Hotkey.exe
2009-06-06 14:50 - 2009-06-06 14:50 - 00019968 _____ () C:\Program Files\Hotkey\Audiodll.dll
2015-09-10 14:53 - 2000-11-09 11:17 - 00190464 _____ () C:\Scans\Scanner\HgTiff2Pdf.dll
2013-07-10 18:07 - 2013-07-10 18:07 - 00756888 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
2011-05-31 17:23 - 2011-05-31 17:23 - 00289616 _____ () C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL
2016-03-15 15:35 - 2016-03-08 04:48 - 01676440 _____ () C:\Program Files\Google\Chrome\Application\49.0.2623.87\libglesv2.dll
2016-03-15 15:35 - 2016-03-08 04:48 - 00086168 _____ () C:\Program Files\Google\Chrome\Application\49.0.2623.87\libegl.dll
2016-03-15 21:15 - 2016-03-08 12:16 - 17541312 _____ () C:\Users\Marina\AppData\Local\Google\Chrome\User Data\PepperFlash\21.0.0.182\pepflashplayer.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 04:04 - 2009-06-10 23:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Marina\Desktop\_Locky_recover_instructions.bmp
DNS Servers: 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{2D31EC99-CF6D-42FE-842B-E436159A7096}] => (Allow) C:\Program Files\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{7EEE81A8-476C-45EE-A500-3E5A564D0A97}] => (Allow) LPort=2869
FirewallRules: [{F9B6F1E6-A914-455A-A590-0532D2913051}] => (Allow) LPort=1900
FirewallRules: [{4BCC00AB-1FF8-4E4E-8DA7-619B356F61E0}] => (Allow) C:\Program Files\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{C1294556-282C-481B-A521-C71FCFF33377}] => (Allow) C:\Program Files\Windows Live\Mesh\MOE.exe
FirewallRules: [{9045E48E-E19C-4780-85C7-6E673123336A}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{E33EF185-874D-4894-9A14-B0AE624CC827}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [TCP Query User{E789F7E6-EF61-4DB1-9C8D-46A87CA25F98}C:\users\marina\downloads\ftp utility\kmftp.exe] => (Allow) C:\users\marina\downloads\ftp utility\kmftp.exe
FirewallRules: [UDP Query User{AE9D2678-7E70-4A38-A6E3-06FCE99B3E6B}C:\users\marina\downloads\ftp utility\kmftp.exe] => (Allow) C:\users\marina\downloads\ftp utility\kmftp.exe
FirewallRules: [TCP Query User{C810AD19-6312-4E37-8C6D-A56F3196A932}C:\scans\scanner\nscatcom.exe] => (Allow) C:\scans\scanner\nscatcom.exe
FirewallRules: [UDP Query User{49B3C4B2-3157-4868-A34E-DDC159060256}C:\scans\scanner\nscatcom.exe] => (Allow) C:\scans\scanner\nscatcom.exe
FirewallRules: [{4D64359D-53A0-4EF4-A821-BC8FB808D543}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{B557BAF8-741F-4B55-BD0C-855B0C510324}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
 
==================== Restore Points =========================
 
16-03-2016 23:30:22 Windows Backup
 
==================== Faulty Device Manager Devices =============
 
Name: Microsoft Virtual WiFi Miniport Adapter
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation. 
 
Name: Microsoft Virtual WiFi Miniport Adapter #2
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation. 
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/16/2016 10:25:50 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x80070422).
 
Error: (03/16/2016 05:32:52 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\msiexec.exe /V; Description = Installed EasySync CryptoMonitor; Error = 0x80070422).
 
Error: (03/16/2016 05:32:51 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\msiexec.exe /V; Description = Installed EasySync CryptoMonitor; Error = 0x80070422).
 
Error: (03/16/2016 05:29:48 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\servicing\TrustedInstaller.exe; Description = Windows Modules Installer; Error = 0x80070422).
 
Error: (03/16/2016 05:29:48 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x80070422).
 
Error: (03/16/2016 12:05:43 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).
 
Error: (03/15/2016 11:59:59 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "imaging1".Error in manifest or policy file "imaging2" on line imaging3.
The element imaging appears as a child of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by this version of Windows.
 
Error: (03/15/2016 09:05:26 PM) (Source: MsiInstaller) (EventID: 10005) (User: Marina-PC)
Description: Product: EasySync CryptoMonitor -- EasySync CryptoMonitor cannot be installed on systems with .NET Framework version lower than 4.0
 
Error: (03/15/2016 09:04:42 PM) (Source: MsiInstaller) (EventID: 10005) (User: Marina-PC)
Description: Product: EasySync CryptoMonitor -- EasySync CryptoMonitor cannot be installed on systems with .NET Framework version lower than 4.0
 
Error: (03/15/2016 02:26:47 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x80070422).
 
 
System errors:
=============
Error: (03/16/2016 10:42:01 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer NAS-DOREAN-01
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{ECEE11D8-7293-4899-B951-7FFD.
The master browser is stopping or an election is being forced.
 
Error: (03/16/2016 12:59:51 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.
 
Module Path: C:\Windows\System32\IWMSSvc.dll
Error Code: 21
 
Error: (03/15/2016 06:13:54 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (03/15/2016 06:13:54 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (03/15/2016 06:13:53 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (03/15/2016 06:13:53 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (03/15/2016 06:13:52 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (03/15/2016 03:03:03 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.
 
Error: (03/15/2016 03:02:57 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.
 
Error: (03/15/2016 08:02:48 AM) (Source: Microsoft Antimalware) (EventID: 3002) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.
 
Feature: %%835
 
Error Code: 0x80004005
 
Error description: Unspecified error 
 
Reason: %%842
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-3120M CPU @ 2.50GHz
Percentage of memory in use: 73%
Total physical RAM: 3485.82 MB
Available physical RAM: 925.73 MB
Total Virtual: 6969.92 MB
Available Virtual: 3574.6 MB
 
==================== Drives ================================
 
Drive c: (QRPN1170) (Fixed) (Total:465.76 GB) (Free:416.66 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive e: () (Removable) (Total:14.9 GB) (Free:6.07 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: D54316C4)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14.9 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#3 WhK_2

WhK_2
  • Topic Starter
  • Members
  • 10 posts
  • Local time:06:56 AM

Posted 16 March 2016 - 06:28 PM

Instructions:

           !!! IMPORTANT INFORMATION !!!!
 
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
    
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
 
If all of this addresses are not available, follow these steps:
    1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar: i3ezlvkoi7fwyood.onion/09C0ECA40504F868
    4. Follow the instructions on the site.
 
!!! Your personal identification ID: 09C0ECA40504F868 !!!


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,203 posts
  • Gender:Male
  • Location:California
  • Local time:09:56 PM

Posted 19 March 2016 - 02:48 PM

Greetings WhK_2 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec678688-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec67868d-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec678692-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
R3 efavdrv; \??\C:\Windows\system32\drivers\efavdrv.sys [X]
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\@toyklsjtmjklwkxenifwz.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\)vbxbklsjtmjklwkxewdqj.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\!tklsjtmjklwkxebcicklb.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00006200 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\^gizvtklsjtmjklwkxentg.tiff
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Downloads\@qfvmotklsjtmjklwkxetf
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Documents\%nklsjtmjklwkxeqckdqqa
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Desktop\%ndyklsjtmjklwkxepjkay
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\AAODFxklsjtmjklwkxeihvjpvb
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\$xklsjtmjklwkxeihvjpvb
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\#gklsjtmjklwkxeamgopzc
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\!klsjtmjklwkxelddworwq
2016-03-15 08:30 - 2016-03-15 08:30 - 12955981 _____ C:\Users\Marina\Documents\09C0ECA40504F8680AB8B4FBB99244F9.locky
2016-03-15 08:30 - 2016-03-15 08:30 - 02323902 _____ C:\Users\Marina\Downloads\09C0ECA40504F8687E8EDDFC5F7ED55A.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02634447 _____ C:\Users\Marina\Downloads\09C0ECA40504F868BBF15E8899C7A9F9.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02634447 _____ C:\Users\Marina\Downloads\09C0ECA40504F868A9658D1D6A722EB6.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02617219 _____ C:\Users\Marina\Downloads\09C0ECA40504F8680C74D0929AACE643.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F86875E20CFFAE1CA96A.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F8686D8FE875A22968BD.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F8685D94E07901F9B850.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F868173A7DB13FF62206.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02455262 _____ C:\Users\Marina\Downloads\09C0ECA40504F8687B1B97FAF8B8A5EB.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02455262 _____ C:\Users\Marina\Downloads\09C0ECA40504F8683EEED796FC6D4C62.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02423956 _____ C:\Users\Marina\Downloads\09C0ECA40504F868DFC2DEBC40F19771.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02156940 _____ C:\Users\Marina\Downloads\09C0ECA40504F8689B4C5828A227A456.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02182784 _____ C:\Users\Marina\Desktop\09C0ECA40504F868B76E58B9EE5BF3B1.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02182780 _____ C:\Users\Marina\Desktop\09C0ECA40504F8686A3618CD45FBDE76.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02077089 _____ C:\Users\Marina\Desktop\09C0ECA40504F8681F21E47D1D111884.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02038596 _____ C:\Users\Marina\Desktop\09C0ECA40504F868850833754C56096C.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02025193 _____ C:\Users\Marina\Desktop\09C0ECA40504F868AD118AFF8025E0A5.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01823775 _____ C:\Users\Marina\Desktop\09C0ECA40504F86850F6D60CAC584496.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01822020 _____ C:\Users\Marina\Documents\09C0ECA40504F868311938376D1A27FB.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01374532 _____ C:\Users\Marina\Desktop\09C0ECA40504F8687BDF4CEF0454AA4C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00597828 _____ C:\Users\Marina\Desktop\09C0ECA40504F868A0B87DFB055A072D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00140612 _____ C:\Users\Marina\Desktop\09C0ECA40504F868431C810706B27D66.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00140612 _____ C:\Users\Marina\Desktop\09C0ECA40504F86816729440B47119F7.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00074057 _____ C:\Users\Marina\Downloads\09C0ECA40504F8689C80B68EB0D8A9F5.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00055957 _____ C:\Users\Marina\Documents\09C0ECA40504F868CAE2970EEC4E70ED.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00030506 _____ C:\Users\Marina\Documents\09C0ECA40504F8682097F4B041CB7650.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00028468 _____ C:\Users\Marina\Documents\09C0ECA40504F868807CF8B703D3AD81.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00025762 _____ C:\Users\Marina\Documents\09C0ECA40504F868034C9DA018E73A0D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00025420 _____ C:\Users\Marina\Documents\09C0ECA40504F86808BD7FA661676929.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00024429 _____ C:\Users\Marina\Documents\09C0ECA40504F8683F620D5BFDA2A668.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023942 _____ C:\Users\Marina\Documents\09C0ECA40504F8686EEADAFFACAA11F8.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023693 _____ C:\Users\Marina\Documents\09C0ECA40504F868EADC97BB1AAD0585.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023510 _____ C:\Users\Marina\Documents\09C0ECA40504F8687BD3C2014553EAF2.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00022060 _____ C:\Users\Marina\Documents\09C0ECA40504F8686C3F63775B47DEC8.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00021395 _____ C:\Users\Marina\Documents\09C0ECA40504F868137F55C6C990C26F.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00021211 _____ C:\Users\Marina\Documents\09C0ECA40504F86892CC449355AB3B04.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020535 _____ C:\Users\Marina\Documents\09C0ECA40504F8688D6FF17A072089AA.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020422 _____ C:\Users\Marina\Documents\09C0ECA40504F8683F1DC8DFCFCA3C22.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020248 _____ C:\Users\Marina\Documents\09C0ECA40504F868D846396FCBDDED07.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019562 _____ C:\Users\Marina\Documents\09C0ECA40504F868C5B08464B32B2CD9.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019267 _____ C:\Users\Marina\Documents\09C0ECA40504F86885A59FC04EDF89DE.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019168 _____ C:\Users\Marina\Documents\09C0ECA40504F86809234B96F7FF7DBA.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019020 _____ C:\Users\Marina\Documents\09C0ECA40504F868FA2CC9B7447F308B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018672 _____ C:\Users\Marina\Documents\09C0ECA40504F868C93D16CBE6E39259.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018083 _____ C:\Users\Marina\Documents\09C0ECA40504F86838A954F4DF828398.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018076 _____ C:\Users\Marina\Documents\09C0ECA40504F868D2B4C962D40674BF.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017894 _____ C:\Users\Marina\Documents\09C0ECA40504F8681D17F0A38E5AB11E.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017823 _____ C:\Users\Marina\Documents\09C0ECA40504F868751A225C8640346B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017561 _____ C:\Users\Marina\Documents\09C0ECA40504F868C2E603DD486A17EB.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017536 _____ C:\Users\Marina\Documents\09C0ECA40504F868C60B8E8C002040E5.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017491 _____ C:\Users\Marina\Documents\09C0ECA40504F86858297976D9FDF49B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017219 _____ C:\Users\Marina\Documents\09C0ECA40504F86885FA0B80A7224160.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016989 _____ C:\Users\Marina\Documents\09C0ECA40504F868E492347C145E2939.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016931 _____ C:\Users\Marina\Documents\09C0ECA40504F868E190E8BC5188CB50.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016896 _____ C:\Users\Marina\Documents\09C0ECA40504F868525B65DD42194314.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016792 _____ C:\Users\Marina\Documents\09C0ECA40504F86824A9039FB87C8C61.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016768 _____ C:\Users\Marina\Documents\09C0ECA40504F8682D8D833F7B7DE3E9.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015571 _____ C:\Users\Marina\Documents\09C0ECA40504F868AFEF8A442406C19C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015350 _____ C:\Users\Marina\Documents\09C0ECA40504F868BFFA5B48D9BD81F3.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015189 _____ C:\Users\Marina\Documents\09C0ECA40504F8682F9372ED76E3F1A4.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015180 _____ C:\Users\Marina\Documents\09C0ECA40504F868AA9E6D2208C4780D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014960 _____ C:\Users\Marina\Documents\09C0ECA40504F86839495D98CDCEEA55.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014723 _____ C:\Users\Marina\Documents\09C0ECA40504F868F3ACB061D243761C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014571 _____ C:\Users\Marina\Documents\09C0ECA40504F868C4096BAB87A8BFB3.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00013558 _____ C:\Users\Marina\Documents\09C0ECA40504F86816A6B04E4CCCBE61.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00005974 _____ C:\Users\Marina\Desktop\09C0ECA40504F86845E4702AE63F9A9D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00004069 _____ C:\Users\Marina\Downloads\09C0ECA40504F868CF105D84997A5E0A.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00001931 _____ C:\09C0ECA40504F86843D36E1E417FD93C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00000860 _____ C:\09C0ECA40504F868473B2430BAA1D49D.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00106820 _____ C:\Users\Marina\Documents\09C0ECA40504F868C042BC31C6DD11DA.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00038212 _____ C:\Users\Marina\Documents\09C0ECA40504F868B87BBA148946E79E.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00035652 _____ C:\Users\Marina\Documents\09C0ECA40504F868DA9B8A9D2FD89DF1.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00014660 _____ C:\Users\Marina\Documents\09C0ECA40504F8688C0F07F860B0F5D2.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00001073 _____ C:\Users\Marina\Documents\_Locky_recover_instructions.txt
C:\Users\Marina\AppData\Local\Temp\_is9840.exe
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Marina\Desktop\_Locky_recover_instructions.bmp
C:\Users\Marina\Desktop\_Locky_recover_instructions.bmp
Folder: C:\Users\$xklsjtmjklwkxeihvjpvb
Folder: C:\#gklsjtmjklwkxeamgopzc
File: C:\Users\$xklsjtmjklwkxeihvjpvb\@toyklsjtmjklwkxenifwz.bmp
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • System Summary Information
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
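Reading an FRST listing like the one in the fix above by machine: this is an added example written for this thread, not code from the thread or from FRST itself. It parses the "created - modified - size attrs path" lines, flags names that match Locky's pattern (the 16-hex-digit personal ID from the ransom note, 16 more hex digits, then .locky), and summarises the encryption window, the affected folders, the ransom notes and the odd hidden directories. The sample lines are copied from the fixlist above plus two constructed entries (a benign notes.txt and a non-listing line) to show they are ignored.

```python
import re
from collections import defaultdict

# One FRST file-listing line: "created - modified - size attrs path".
# The size is eight zero-padded digits and attrs is a five-character
# field such as "_____" (plain file), "____H" (hidden) or "___HD" (hidden dir).
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?P<path>.+)$"
)

# Locky output name: 16 hex digits of the victim's ID, 16 per-file hex
# digits, then the .locky extension.  The ID is the same value the ransom
# note calls the "personal identification ID".
LOCKY_NAME = re.compile(
    r"^(?P<victim>[0-9A-F]{16})(?P<unique>[0-9A-F]{16})\.locky$", re.I
)

RANSOM_NOTE_PREFIX = "_locky_recover_instructions"


def parse_frst_line(line):
    """Return a dict for one listing line, or None if the line is not one."""
    m = FRST_LINE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    return entry


def triage(log_text):
    """Summarise Locky artefacts found in a block of FRST listing lines."""
    encrypted = []
    victim_ids = set()
    by_directory = defaultdict(int)
    ransom_notes = []
    hidden_dirs = []
    skipped = 0

    for raw in log_text.splitlines():
        entry = parse_frst_line(raw)
        if entry is None:
            if raw.strip():
                skipped += 1  # prose, headers, anything that is not a listing line
            continue
        directory, _, name = entry["path"].rpartition("\\")
        m = LOCKY_NAME.match(name)
        if m:
            encrypted.append(entry)
            victim_ids.add(m.group("victim").upper())
            by_directory[directory] += 1
        elif name.lower().startswith(RANSOM_NOTE_PREFIX):
            ransom_notes.append(entry["path"])
        elif "H" in entry["attrs"] and "D" in entry["attrs"]:
            hidden_dirs.append(entry["path"])  # e.g. the C:\Users\$xkl... folder

    # Timestamps are "YYYY-MM-DD HH:MM", so string order is chronological order.
    created = [e["created"] for e in encrypted]
    window = (min(created), max(created)) if created else None

    return {
        "encrypted": [e["path"] for e in encrypted],
        "victim_ids": sorted(victim_ids),
        "bytes_encrypted": sum(e["size"] for e in encrypted),
        "by_directory": dict(by_directory),
        "ransom_notes": ransom_notes,
        "hidden_dirs": hidden_dirs,
        "window": window,
        "skipped": skipped,
    }


# Constructed sample: four lines copied from the fixlist in this thread, plus
# one benign file line and one non-listing line that the parser must ignore.
SAMPLE = r"""
2016-03-15 08:30 - 2016-03-15 08:30 - 12955981 _____ C:\Users\Marina\Documents\09C0ECA40504F8680AB8B4FBB99244F9.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02634447 _____ C:\Users\Marina\Downloads\09C0ECA40504F868BBF15E8899C7A9F9.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00001073 _____ C:\Users\Marina\Documents\_Locky_recover_instructions.txt
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\$xklsjtmjklwkxeihvjpvb
2016-03-14 12:00 - 2016-03-14 12:00 - 00004096 _____ C:\Users\Marina\Documents\notes.txt
this line is not an FRST entry
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("victim ID(s):      ", ", ".join(report["victim_ids"]))
    print("encrypted files:   ", len(report["encrypted"]),
          f"({report['bytes_encrypted']} bytes)")
    print("encryption window: ", report["window"])
    for folder, n in sorted(report["by_directory"].items()):
        print(f"  {n:3d}  {folder}")
    print("ransom notes:      ", report["ransom_notes"])
    print("hidden dirs:       ", report["hidden_dirs"])
```

Feeding it the whole "One Month Created files" block of an FRST.txt gives a quick count of what was encrypted and when, which is what you need to judge whether the encryption run finished before the machine was isolated.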

#5 WhK_2

WhK_2
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:56 AM

Posted 19 March 2016 - 05:55 PM

Hey Gary

 

I hope all is well, my name is Walter. I appreciate your time and assistance in this matter.

 

Just to confirm:

I did scan with several virus removal programs before contacting bleepingcomputer, but did not apply any fix. I did also install Cryptomonitor in an attempt to stop the infection spreading.

 

I will try to follow your instructions to the letter.

 

There is not much change in the behavior of the computer. The personal files are encrypted and it seems that all programs are still working. If I save a new document (e.g. .doc) it does not become encrypted, which suggests to me that the virus might have uninstalled itself after locking the files?

 

Please find attached:

Fixlog.txt

Summary.zip

 

Looking forward to hearing from you.

 

Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by Marina (2016-03-20 00:30:41) Run:1
Running from C:\Users\Marina\Desktop
Loaded Profiles: Marina (Available Profiles: Marina)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec678688-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec67868d-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\...\MountPoints2: {ec678692-21f1-11e4-a9b2-0090f5e71817} - E:\setup_vmb_lite.exe /checkApplicationPresence
R3 efavdrv; \??\C:\Windows\system32\drivers\efavdrv.sys [X]
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\@toyklsjtmjklwkxenifwz.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\)vbxbklsjtmjklwkxewdqj.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00281926 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\!tklsjtmjklwkxebcicklb.bmp
2016-03-16 05:33 - 2016-03-16 05:33 - 00006200 ____H C:\Users\$xklsjtmjklwkxeihvjpvb\^gizvtklsjtmjklwkxentg.tiff
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Downloads\@qfvmotklsjtmjklwkxetf
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Documents\%nklsjtmjklwkxeqckdqqa
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\Desktop\%ndyklsjtmjklwkxepjkay
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\Marina\AAODFxklsjtmjklwkxeihvjpvb
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\Users\$xklsjtmjklwkxeihvjpvb
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\#gklsjtmjklwkxeamgopzc
2016-03-16 05:33 - 2016-03-16 05:33 - 00000000 ___HD C:\!klsjtmjklwkxelddworwq
2016-03-15 08:30 - 2016-03-15 08:30 - 12955981 _____ C:\Users\Marina\Documents\09C0ECA40504F8680AB8B4FBB99244F9.locky
2016-03-15 08:30 - 2016-03-15 08:30 - 02323902 _____ C:\Users\Marina\Downloads\09C0ECA40504F8687E8EDDFC5F7ED55A.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02634447 _____ C:\Users\Marina\Downloads\09C0ECA40504F868BBF15E8899C7A9F9.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02634447 _____ C:\Users\Marina\Downloads\09C0ECA40504F868A9658D1D6A722EB6.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02617219 _____ C:\Users\Marina\Downloads\09C0ECA40504F8680C74D0929AACE643.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F86875E20CFFAE1CA96A.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F8686D8FE875A22968BD.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F8685D94E07901F9B850.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02457562 _____ C:\Users\Marina\Downloads\09C0ECA40504F868173A7DB13FF62206.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02455262 _____ C:\Users\Marina\Downloads\09C0ECA40504F8687B1B97FAF8B8A5EB.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02455262 _____ C:\Users\Marina\Downloads\09C0ECA40504F8683EEED796FC6D4C62.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02423956 _____ C:\Users\Marina\Downloads\09C0ECA40504F868DFC2DEBC40F19771.locky
2016-03-15 08:28 - 2016-03-15 08:28 - 02156940 _____ C:\Users\Marina\Downloads\09C0ECA40504F8689B4C5828A227A456.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02182784 _____ C:\Users\Marina\Desktop\09C0ECA40504F868B76E58B9EE5BF3B1.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02182780 _____ C:\Users\Marina\Desktop\09C0ECA40504F8686A3618CD45FBDE76.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02077089 _____ C:\Users\Marina\Desktop\09C0ECA40504F8681F21E47D1D111884.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02038596 _____ C:\Users\Marina\Desktop\09C0ECA40504F868850833754C56096C.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 02025193 _____ C:\Users\Marina\Desktop\09C0ECA40504F868AD118AFF8025E0A5.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01823775 _____ C:\Users\Marina\Desktop\09C0ECA40504F86850F6D60CAC584496.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01822020 _____ C:\Users\Marina\Documents\09C0ECA40504F868311938376D1A27FB.locky
2016-03-15 08:27 - 2016-03-15 08:27 - 01374532 _____ C:\Users\Marina\Desktop\09C0ECA40504F8687BDF4CEF0454AA4C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00597828 _____ C:\Users\Marina\Desktop\09C0ECA40504F868A0B87DFB055A072D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00140612 _____ C:\Users\Marina\Desktop\09C0ECA40504F868431C810706B27D66.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00140612 _____ C:\Users\Marina\Desktop\09C0ECA40504F86816729440B47119F7.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00074057 _____ C:\Users\Marina\Downloads\09C0ECA40504F8689C80B68EB0D8A9F5.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00055957 _____ C:\Users\Marina\Documents\09C0ECA40504F868CAE2970EEC4E70ED.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00030506 _____ C:\Users\Marina\Documents\09C0ECA40504F8682097F4B041CB7650.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00028468 _____ C:\Users\Marina\Documents\09C0ECA40504F868807CF8B703D3AD81.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00025762 _____ C:\Users\Marina\Documents\09C0ECA40504F868034C9DA018E73A0D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00025420 _____ C:\Users\Marina\Documents\09C0ECA40504F86808BD7FA661676929.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00024429 _____ C:\Users\Marina\Documents\09C0ECA40504F8683F620D5BFDA2A668.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023942 _____ C:\Users\Marina\Documents\09C0ECA40504F8686EEADAFFACAA11F8.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023693 _____ C:\Users\Marina\Documents\09C0ECA40504F868EADC97BB1AAD0585.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00023510 _____ C:\Users\Marina\Documents\09C0ECA40504F8687BD3C2014553EAF2.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00022060 _____ C:\Users\Marina\Documents\09C0ECA40504F8686C3F63775B47DEC8.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00021395 _____ C:\Users\Marina\Documents\09C0ECA40504F868137F55C6C990C26F.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00021211 _____ C:\Users\Marina\Documents\09C0ECA40504F86892CC449355AB3B04.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020535 _____ C:\Users\Marina\Documents\09C0ECA40504F8688D6FF17A072089AA.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020422 _____ C:\Users\Marina\Documents\09C0ECA40504F8683F1DC8DFCFCA3C22.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00020248 _____ C:\Users\Marina\Documents\09C0ECA40504F868D846396FCBDDED07.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019562 _____ C:\Users\Marina\Documents\09C0ECA40504F868C5B08464B32B2CD9.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019267 _____ C:\Users\Marina\Documents\09C0ECA40504F86885A59FC04EDF89DE.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019168 _____ C:\Users\Marina\Documents\09C0ECA40504F86809234B96F7FF7DBA.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00019020 _____ C:\Users\Marina\Documents\09C0ECA40504F868FA2CC9B7447F308B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018672 _____ C:\Users\Marina\Documents\09C0ECA40504F868C93D16CBE6E39259.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018083 _____ C:\Users\Marina\Documents\09C0ECA40504F86838A954F4DF828398.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00018076 _____ C:\Users\Marina\Documents\09C0ECA40504F868D2B4C962D40674BF.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017894 _____ C:\Users\Marina\Documents\09C0ECA40504F8681D17F0A38E5AB11E.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017823 _____ C:\Users\Marina\Documents\09C0ECA40504F868751A225C8640346B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017561 _____ C:\Users\Marina\Documents\09C0ECA40504F868C2E603DD486A17EB.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017536 _____ C:\Users\Marina\Documents\09C0ECA40504F868C60B8E8C002040E5.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017491 _____ C:\Users\Marina\Documents\09C0ECA40504F86858297976D9FDF49B.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00017219 _____ C:\Users\Marina\Documents\09C0ECA40504F86885FA0B80A7224160.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016989 _____ C:\Users\Marina\Documents\09C0ECA40504F868E492347C145E2939.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016931 _____ C:\Users\Marina\Documents\09C0ECA40504F868E190E8BC5188CB50.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016896 _____ C:\Users\Marina\Documents\09C0ECA40504F868525B65DD42194314.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016792 _____ C:\Users\Marina\Documents\09C0ECA40504F86824A9039FB87C8C61.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00016768 _____ C:\Users\Marina\Documents\09C0ECA40504F8682D8D833F7B7DE3E9.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015571 _____ C:\Users\Marina\Documents\09C0ECA40504F868AFEF8A442406C19C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015350 _____ C:\Users\Marina\Documents\09C0ECA40504F868BFFA5B48D9BD81F3.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015189 _____ C:\Users\Marina\Documents\09C0ECA40504F8682F9372ED76E3F1A4.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00015180 _____ C:\Users\Marina\Documents\09C0ECA40504F868AA9E6D2208C4780D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014960 _____ C:\Users\Marina\Documents\09C0ECA40504F86839495D98CDCEEA55.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014723 _____ C:\Users\Marina\Documents\09C0ECA40504F868F3ACB061D243761C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00014571 _____ C:\Users\Marina\Documents\09C0ECA40504F868C4096BAB87A8BFB3.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00013558 _____ C:\Users\Marina\Documents\09C0ECA40504F86816A6B04E4CCCBE61.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00005974 _____ C:\Users\Marina\Desktop\09C0ECA40504F86845E4702AE63F9A9D.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00004069 _____ C:\Users\Marina\Downloads\09C0ECA40504F868CF105D84997A5E0A.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00001931 _____ C:\09C0ECA40504F86843D36E1E417FD93C.locky
2016-03-15 08:26 - 2016-03-15 08:26 - 00000860 _____ C:\09C0ECA40504F868473B2430BAA1D49D.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00106820 _____ C:\Users\Marina\Documents\09C0ECA40504F868C042BC31C6DD11DA.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00038212 _____ C:\Users\Marina\Documents\09C0ECA40504F868B87BBA148946E79E.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00035652 _____ C:\Users\Marina\Documents\09C0ECA40504F868DA9B8A9D2FD89DF1.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00014660 _____ C:\Users\Marina\Documents\09C0ECA40504F8688C0F07F860B0F5D2.locky
2016-03-15 08:25 - 2016-03-15 08:25 - 00001073 _____ C:\Users\Marina\Documents\_Locky_recover_instructions.txt
C:\Users\Marina\AppData\Local\Temp\_is9840.exe
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Marina\Desktop\_Locky_recover_instructions.bmp
C:\Users\Marina\Desktop\_Locky_recover_instructions.bmp
Folder: C:\Users\$xklsjtmjklwkxeihvjpvb
Folder: C:\#gklsjtmjklwkxeamgopzc
File: C:\Users\$xklsjtmjklwkxeihvjpvb\@toyklsjtmjklwkxenifwz.bmp
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec678688-21f1-11e4-a9b2-0090f5e71817}" => key removed successfully.
HKCR\CLSID\{ec678688-21f1-11e4-a9b2-0090f5e71817} => key not found.
"HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec67868d-21f1-11e4-a9b2-0090f5e71817}" => key removed successfully.
HKCR\CLSID\{ec67868d-21f1-11e4-a9b2-0090f5e71817} => key not found.
"HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec678692-21f1-11e4-a9b2-0090f5e71817}" => key removed successfully.
HKCR\CLSID\{ec678692-21f1-11e4-a9b2-0090f5e71817} => key not found.
efavdrv => Unable to stop service.
efavdrv => service removed successfully.
C:\Users\$xklsjtmjklwkxeihvjpvb\@toyklsjtmjklwkxenifwz.bmp => moved successfully
C:\Users\$xklsjtmjklwkxeihvjpvb\)vbxbklsjtmjklwkxewdqj.bmp => moved successfully
C:\Users\$xklsjtmjklwkxeihvjpvb\!tklsjtmjklwkxebcicklb.bmp => moved successfully
C:\Users\$xklsjtmjklwkxeihvjpvb\^gizvtklsjtmjklwkxentg.tiff => moved successfully
C:\Users\Marina\Downloads\@qfvmotklsjtmjklwkxetf => moved successfully
C:\Users\Marina\Documents\%nklsjtmjklwkxeqckdqqa => moved successfully
"C:\Users\Marina\Desktop\%ndyklsjtmjklwkxepjkay" => not found.
C:\Users\Marina\AAODFxklsjtmjklwkxeihvjpvb => moved successfully
C:\Users\$xklsjtmjklwkxeihvjpvb => moved successfully
C:\#gklsjtmjklwkxeamgopzc => moved successfully
C:\!klsjtmjklwkxelddworwq => moved successfully
C:\Users\Marina\Documents\09C0ECA40504F8680AB8B4FBB99244F9.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F8687E8EDDFC5F7ED55A.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F868BBF15E8899C7A9F9.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F868A9658D1D6A722EB6.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F8680C74D0929AACE643.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F86875E20CFFAE1CA96A.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F8686D8FE875A22968BD.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F8685D94E07901F9B850.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F868173A7DB13FF62206.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F8687B1B97FAF8B8A5EB.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F8683EEED796FC6D4C62.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F868DFC2DEBC40F19771.locky => moved successfully
C:\Users\Marina\Downloads\09C0ECA40504F8689B4C5828A227A456.locky => moved successfully
"C:\Users\Marina\Desktop\09C0ECA40504F868B76E58B9EE5BF3B1.locky" => not found.
"C:\Users\Marina\Desktop\09C0ECA40504F8686A3618CD45FBDE76.locky" => not found.
"C:\Users\Marina\Desktop\09C0ECA40504F8681F21E47D1D111884.locky" => not found.
"C:\Users\Marina\Desktop\09C0ECA40504F868850833754C56096C.locky" => not found.
"C:\Users\Marina\Desktop\09C0ECA40504F868AD118AFF8025E0A5.locky" => not found.
"C:\Users\Marina\Desktop\09C0ECA40504F86850F6D60CAC584496.locky" => not found.
C:\Users\Marina\Documents\09C0ECA40504F868311938376D1A27FB.locky => moved successfully
"C:\Users\Marina\Desktop\09C0ECA40504F8687BDF4CEF0454AA4C.locky" => not found.
"C:\Users\Marina\Desktop\09C0ECA40504F868A0B87DFB055A072D.locky" => not found.
"C:\Users\Marina\Desktop\09C0ECA40504F868431C810706B27D66.locky" => not found.
"C:\Users\Marina\Desktop\09C0ECA40504F86816729440B47119F7.locky" => not found.
C:\Users\Marina\Downloads\09C0ECA40504F8689C80B68EB0D8A9F5.locky => moved successfully
C:\Users\Marina\Documents\09C0ECA40504F868CAE2970EEC4E70ED.locky => moved successfully
C:\Users\Marina\Documents\09C0ECA40504F8682097F4B041CB7650.locky => moved successfully
C:\Users\Marina\Documents\09C0ECA40504F868807CF8B703D3AD81.locky => moved successfully
C:\Users\Marina\Documents\09C0ECA40504F868034C9DA018E73A0D.locky => moved successfully
C:\Users\Marina\Documents\_Locky_recover_instructions.txt => moved successfully
C:\Users\Marina\AppData\Local\Temp\_is9840.exe => moved successfully
HKU\S-1-5-21-3224813657-2164533672-2916792233-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Marina\Desktop\_Locky_recover_instructions.bmp => Error: No automatic fix found for this entry.
C:\Users\Marina\Desktop\_Locky_recover_instructions.bmp => moved successfully

========================= Folder: C:\Users\$xklsjtmjklwkxeihvjpvb ========================

not found.

====== End of Folder: ======


========================= Folder: C:\#gklsjtmjklwkxeamgopzc ========================

not found.

====== End of Folder: ======


========================= File: C:\Users\$xklsjtmjklwkxeihvjpvb\@toyklsjtmjklwkxenifwz.bmp ========================

"C:\Users\$xklsjtmjklwkxeihvjpvb\@toyklsjtmjklwkxenifwz.bmp" => not found.
====== End of File: ======



The system needed a reboot.

==== End of Fixlog 00:30:55 ====

Attached Files


Edited by Oh My!, 19 March 2016 - 06:13 PM.
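The Fixlog above is a flat list of "path => result" lines; when there are dozens of them it helps to summarise what FRST actually moved (encrypted files per folder, the ransom notes, the dropped executable) and which entries still need a manual look. The script below is an added example, not part of the thread or of FRST; it parses a constructed sample written in the same format (the hex names, SID and paths are made up) and relies on the widely reported Locky naming scheme of 16 hex victim-id characters followed by 16 hex file-id characters.

```python
import re
from collections import Counter

# Constructed sample in the FRST Fixlog format quoted in the thread; the hex
# names, SID and paths are made up, not copied from the post.
SAMPLE_FIXLOG = """\
C:\\Users\\Marina\\Documents\\0123456789ABCDEF00000000000000A1.locky => moved successfully
C:\\Users\\Marina\\Documents\\0123456789ABCDEF00000000000000A2.locky => moved successfully
"C:\\Users\\Marina\\Desktop\\0123456789ABCDEF00000000000000A3.locky" => not found.
C:\\0123456789ABCDEF00000000000000A4.locky => moved successfully
C:\\Users\\Marina\\Documents\\_Locky_recover_instructions.txt => moved successfully
C:\\Users\\Marina\\AppData\\Local\\Temp\\_is9840.exe => moved successfully
HKU\\S-1-5-21-0-0-0-1000\\Control Panel\\Desktop\\\\Wallpaper -> C:\\Users\\Marina\\Desktop\\_Locky_recover_instructions.bmp => Error: No automatic fix found for this entry.
C:\\Users\\Marina\\Desktop\\_Locky_recover_instructions.bmp => moved successfully
"""

# Locky renames encrypted files to <16 hex victim id><16 hex file id>.locky
LOCKY_NAME = re.compile(r"\\([0-9A-F]{16})([0-9A-F]{16})\.locky$", re.I)
RANSOM_NOTE = "_Locky_recover_instructions"

def summarise_fixlog(text):
    """Group FRST Fixlog result lines into Locky artefact classes."""
    out = {"victim_ids": Counter(), "locky_by_dir": Counter(),
           "ransom_notes": [], "registry": [], "other_files": [],
           "unresolved": []}
    for raw in text.splitlines():
        if " => " not in raw:              # banners, blank lines, headers
            continue
        target, result = raw.rsplit(" => ", 1)
        target = target.strip().strip('"')
        if not result.startswith("moved successfully"):
            out["unresolved"].append((target, result))   # needs a manual look
        if target.startswith("HK"):        # registry value, e.g. the wallpaper
            out["registry"].append(target)
            continue
        m = LOCKY_NAME.search(target)
        if m:                              # an encrypted user file
            out["victim_ids"][m.group(1).upper()] += 1
            out["locky_by_dir"][target.rsplit("\\", 1)[0]] += 1
        elif RANSOM_NOTE in target:        # dropped ransom note (.txt/.bmp)
            out["ransom_notes"].append(target)
        else:                              # anything else FRST moved, e.g. the .exe
            out["other_files"].append(target)
    return out

if __name__ == "__main__":
    for key, value in summarise_fixlog(SAMPLE_FIXLOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Feed it a real Fixlog.txt instead of the sample to get the same breakdown; the "unresolved" list is where entries such as the wallpaper value that FRST could not fix automatically end up.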


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,203 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:56 PM

Posted 19 March 2016 - 06:16 PM

Hi Walter, nice to meet you.

 

Typically the infected file stays on your computer until removed. The encryption information is removed so that we don't have access to it.

 

Do you have the logs from the previous scans you performed?


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 WhK_2

WhK_2
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 19 March 2016 - 06:26 PM

Thanks Gary

 

I can send you Malwarebytes .xml file log if that could help you.



#8 Oh My!

Oh My!


Posted 19 March 2016 - 06:54 PM

There should be a logs button when you launch Malwarebytes that will allow you to get to a text file version of the report.


Gary

#9 WhK_2

WhK_2

Posted 19 March 2016 - 08:35 PM

Please see the various reports attached.

Attached Files



#10 Oh My!

Oh My!


Posted 19 March 2016 - 08:41 PM

Very good, thanks.

Please run these.

===================================================

Emsisoft Emergency Kit Scan

--------------------
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program, this may take some time
  • Click on 2. Scan
  • Click Yes to detect Potentially Unwanted Programs
  • Click Malware Scan
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Copy and paste or attach the report to your reply
  • Close the program then click Close
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon then click Run
  • Press any key to launch the program
  • Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • When completed a Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Emsisoft report
  • Security Check log

Gary

#11 WhK_2

WhK_2

Posted 19 March 2016 - 09:04 PM

Gary...

 

I copied the Emsisoft Emergency Kit program to the desktop, then I right-clicked and ran it as administrator. Would this be a problem, as it is not to the letter as in your description?

 



#12 Oh My!

Oh My!


Posted 19 March 2016 - 09:10 PM

Yes, it is safe. They may have changed the user interface.
Gary

#13 Oh My!

Oh My!


Posted 19 March 2016 - 09:29 PM

If you want to wait I am reworking the instructions which are quite a bit different from what they used to be. Should be done shortly. Sorry for the confusion.
Gary

#14 Oh My!

Oh My!


Posted 19 March 2016 - 09:40 PM

Here are the new Emsisoft instructions.

===================================================

Emsisoft Emergency Kit Scan

--------------------
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click icon then click Install
  • A Window should open highlighting Start Emergency Kit Scanner
  • Double click that icon and allow the program to load
  • Click Yes to run an online update
  • Once the update is completed select Settings under Scan
  • Uncheck Join the Emsisoft Anti-Malware Network
  • Click Scan at the top
  • Click Yes to detect Potentially Unwanted Programs
  • Click Malware Scan
  • Once completed click View Report
  • Save the file to your Desktop using the default file name
  • Click Quarantine selected (all should be selected by default)
  • Copy and paste the report in your reply

Gary

#15 WhK_2

WhK_2

Posted 20 March 2016 - 12:00 AM

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x86 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Adobe Flash Player 10 Flash Player out of Date! 
  Adobe Flash Player 10.3.181.14 Flash Player out of Date!  
 Adobe Reader 10.0.1 Adobe Reader out of Date!  
 Google Chrome (49.0.2623.87) 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials msseces.exe 
 Windows Defender MSMpEng.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Microsoft Security Client Antimalware MsMpEng.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Microsoft Security Client Antimalware NisSrv.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 
 

Attached Files
