Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Petya


  • This topic is locked This topic is locked
12 replies to this topic

#1 thomas1568

thomas1568

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 14 May 2016 - 09:05 AM

 
my pc is infisziert with petya in the input of the data that I have read from the HDD in : https : //petya-pay-no-ransom-mirror1.herokuapp.com/
starts the proceeding but after hours without success occurs an error . please help pointing unable to continue

 



BC AdBot (Login to Remove)

 


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:50 AM

Posted 17 May 2016 - 10:55 AM

Greetings thomas1568 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I am not sure I will be able to help you much but let's take a look at some information

Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recover Scan Tool for either 32 bit or 64 bit systems and save it to your Desktop. <<< Important
  • Right click on the FRST icon, select Rename, and rename it to FRSTenglish
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST results
  • Addition log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 thomas1568

thomas1568
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 17 May 2016 - 01:27 PM

Hi Gary - my name is Thomas and I'm from Austria !
Thank you in advance for the support that I have the infiszierte HDD connected to a clean PC via USB , because I do not start with this HDD yes - . I then lt Your instructions started the program , the documents I send you out in the Annex .
I hope that this works so , if not ask for info u . THANK YOU

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:16-05-2016
Ran by thomas (administrator) on DESKTOP-P3G2TKR (17-05-2016 20:14:39)
Running from I:\
Loaded Profiles: thomas (Available Profiles: thomas)
Platform: Windows 10 Pro N Version 1511 (X64) Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Reputation\fsorsp.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Anti-Virus\fsgk32.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Common\FSMA32.EXE
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Common\FSHDLL64.EXE
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Anti-Virus\fssm32.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Farbar) I:\FRSTenglish.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161728 2015-11-12] (IvoSoft)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.5
Tcpip\..\Interfaces\{0a93f750-dbfa-44e6-946b-13532cf55620}: [DhcpNameServer] 10.0.0.5

Internet Explorer:
==================
BHO: Browsing Protection by F-Secure -> {45BBE08D-81C5-4A67-AF20-B2A077C67747} -> C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_ie_https\fs_ie_https64.dll [2016-05-12] (F-Secure Corporation)
BHO-x32: Browsing Protection by F-Secure -> {45BBE08D-81C5-4A67-AF20-B2A077C67747} -> C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_ie_https\fs_ie_https.dll [2016-05-12] (F-Secure Corporation)

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-01-20] (VideoLAN)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1223183.dll [2015-12-22] (Adobe Systems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @vmware.com/vmrc,version=5.5.0.00000 -> C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Firefox\np-vmware-vmrc.dll [2013-08-17] (VMware, Inc.)
FF HKLM\...\Firefox\Extensions: [ols@f-secure.com] - C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_firefox_https\fs_firefox_https.xpi
FF Extension: Browsing Protection by F-Secure - C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_firefox_https\fs_firefox_https.xpi [2016-05-12]
FF HKLM-x32\...\Firefox\Extensions: [ols@f-secure.com] - C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_firefox_https\fs_firefox_https.xpi

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [jmjjnhpacphpjmnnlnccpfmhkcloaade] - C:/Program Files (x86)/F-Secure/Internet Security/apps/CCF_Scanning/bin/browser/install/fs_chrome_https/fs_chrome_https.crx [2016-03-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 fshoster; C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe [187864 2016-03-14] (F-Secure Corporation)
R3 FSMA; C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Common\FSMA32.EXE [218072 2016-03-14] (F-Secure Corporation)
R2 fsnethoster; C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe [187864 2016-03-14] (F-Secure Corporation)
R2 FSORSPClient; C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Reputation\fsorsp.exe [60456 2016-05-12] (F-Secure Corporation)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 amdkmdan; C:\Windows\system32\DRIVERS\atikmnag.sys [20263960 2016-02-17] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWT6.sys [102912 2015-07-22] (Advanced Micro Devices)
R3 F-Secure Gatekeeper; C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\FSgk.sys [219128 2016-05-12] (F-Secure Corporation)
R1 F-Secure HIPS; C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\HIPS\drivers\fshs.sys [106696 2016-05-12] (F-Secure Corporation)
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [75448 2016-05-12] ()
R3 fsni; C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\fsni64.sys [110272 2016-05-12] (F-Secure Corporation)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverW8x64.sys [202032 2016-01-19] (Intel Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-17 20:13 - 2016-05-17 20:14 - 00000000 ____D C:\FRST
2016-05-17 15:48 - 2016-05-17 18:00 - 00000502 _____ C:\Windows\Tasks\ParetoLogic Registration3.job
2016-05-17 15:48 - 2016-05-17 15:48 - 00003436 _____ C:\Windows\System32\Tasks\ParetoLogic Update Version3
2016-05-17 15:48 - 2016-05-17 15:48 - 00003312 _____ C:\Windows\System32\Tasks\ParetoLogic Registration3
2016-05-17 15:48 - 2016-05-17 15:48 - 00003130 _____ C:\Windows\System32\Tasks\ParetoLogic Update Version3 Startup Task
2016-05-17 15:48 - 2016-05-17 15:48 - 00001320 _____ C:\Users\thomas\Desktop\Data Recovery Pro.lnk
2016-05-17 15:48 - 2016-05-17 15:48 - 00000528 _____ C:\Windows\Tasks\ParetoLogic Update Version3 Startup Task.job
2016-05-17 15:48 - 2016-05-17 15:48 - 00000476 _____ C:\Windows\Tasks\ParetoLogic Update Version3.job
2016-05-17 15:48 - 2016-05-17 15:48 - 00000000 ____D C:\Users\thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ParetoLogic
2016-05-17 15:48 - 2016-05-17 15:48 - 00000000 ____D C:\ProgramData\ParetoLogic
2016-05-17 15:48 - 2016-05-17 15:48 - 00000000 ____D C:\Program Files (x86)\ParetoLogic
2016-05-15 17:38 - 2016-05-15 17:38 - 00001866 _____ C:\ProgramData\Microsoft\Windows\Start Menu\GetDataBack for NTFS.lnk
2016-05-15 17:38 - 2016-05-15 17:38 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-05-15 17:38 - 2016-05-15 17:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Runtime Software
2016-05-15 17:38 - 2016-05-15 17:38 - 00000000 ____D C:\Program Files (x86)\Runtime Software
2016-05-12 16:48 - 2016-05-12 17:07 - 00601728 _____ C:\Users\thomas\Desktop\PetyaExtractor_CB-DL-Manager.exe
2016-05-12 16:46 - 2016-05-12 16:49 - 00075448 _____ C:\Windows\system32\Drivers\fsbts.sys
2016-05-12 16:44 - 2016-05-12 16:44 - 00002282 _____ C:\Users\Public\Desktop\F-Secure.lnk
2016-05-12 16:44 - 2016-05-12 16:44 - 00000000 ____D C:\Windows\System32\Tasks\F-Secure
2016-05-12 16:44 - 2016-05-12 16:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\F-Secure
2016-05-12 16:44 - 2016-05-12 16:44 - 00000000 ____D C:\Program Files (x86)\F-Secure
2016-05-12 16:43 - 2016-05-12 16:46 - 00000000 ____D C:\Users\thomas\AppData\Local\F-Secure
2016-05-12 16:43 - 2016-05-12 16:46 - 00000000 ____D C:\ProgramData\F-Secure
2016-05-10 23:40 - 2016-05-06 06:53 - 00095072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\sdport.sys
2016-05-10 23:40 - 2016-05-06 06:03 - 00649216 _____ (Microsoft Corporation) C:\Windows\system32\ngcsvc.dll
2016-05-10 23:40 - 2016-05-06 05:53 - 00351232 _____ (Microsoft Corporation) C:\Windows\system32\NgcCtnr.dll
2016-05-10 23:40 - 2016-05-06 05:49 - 00289792 _____ (Microsoft Corporation) C:\Windows\system32\NgcCtnrSvc.dll
2016-05-10 23:40 - 2016-05-06 05:44 - 00582656 _____ (Microsoft Corporation) C:\Windows\system32\ngccredprov.dll
2016-05-10 23:40 - 2016-05-06 05:23 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\ngcpopkeysrv.dll
2016-05-10 23:40 - 2016-04-30 08:42 - 01387520 _____ (Microsoft Corporation) C:\Windows\system32\win32kbase.sys
2016-05-10 23:40 - 2016-04-30 08:31 - 03591168 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2016-05-10 23:40 - 2016-04-23 08:12 - 01401024 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-05-10 23:40 - 2016-04-23 08:12 - 01184960 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-05-10 23:40 - 2016-04-23 08:12 - 00713920 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-05-10 23:40 - 2016-04-23 08:12 - 00514752 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-05-10 23:40 - 2016-04-23 08:12 - 00294592 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-05-10 23:40 - 2016-04-23 08:12 - 00190144 _____ (Microsoft Corporation) C:\Windows\system32\DeviceCensus.exe
2016-05-10 23:40 - 2016-04-23 08:12 - 00092352 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-05-10 23:40 - 2016-04-23 08:12 - 00046784 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-05-10 23:40 - 2016-04-23 07:28 - 01557768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-05-10 23:40 - 2016-04-23 07:28 - 01542816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-05-10 23:40 - 2016-04-23 07:26 - 00707608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-05-10 23:40 - 2016-04-23 07:24 - 07474528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-05-10 23:40 - 2016-04-23 07:24 - 01997328 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-05-10 23:40 - 2016-04-23 07:24 - 01819208 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-05-10 23:40 - 2016-04-23 07:24 - 00754664 _____ (Microsoft Corporation) C:\Windows\system32\CoreMessaging.dll
2016-05-10 23:40 - 2016-04-23 07:22 - 01161120 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-05-10 23:40 - 2016-04-23 07:13 - 00306832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wlanapi.dll
2016-05-10 23:40 - 2016-04-23 07:12 - 00413536 _____ (Microsoft Corporation) C:\Windows\system32\wifitask.exe
2016-05-10 23:40 - 2016-04-23 07:11 - 00390496 _____ (Microsoft Corporation) C:\Windows\system32\wlanapi.dll
2016-05-10 23:40 - 2016-04-23 07:10 - 03673424 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-05-10 23:40 - 2016-04-23 07:10 - 02919832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-05-10 23:40 - 2016-04-23 07:10 - 00330072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pci.sys
2016-05-10 23:40 - 2016-04-23 07:09 - 22561256 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-05-10 23:40 - 2016-04-23 07:09 - 21123320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2016-05-10 23:40 - 2016-04-23 07:09 - 05240960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\windows.storage.dll
2016-05-10 23:40 - 2016-04-23 07:09 - 04074160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2016-05-10 23:40 - 2016-04-23 07:09 - 00569744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2016-05-10 23:40 - 2016-04-23 07:09 - 00565600 _____ (Microsoft Corporation) C:\Windows\system32\SettingSyncHost.exe
2016-05-10 23:40 - 2016-04-23 07:09 - 00303216 _____ (Microsoft Corporation) C:\Windows\system32\LockAppHost.exe
2016-05-10 23:40 - 2016-04-23 07:09 - 00255168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LockAppHost.exe
2016-05-10 23:40 - 2016-04-23 07:08 - 06605504 _____ (Microsoft Corporation) C:\Windows\system32\windows.storage.dll
2016-05-10 23:40 - 2016-04-23 07:08 - 04515256 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2016-05-10 23:40 - 2016-04-23 07:08 - 00725776 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2016-05-10 23:40 - 2016-04-23 07:07 - 01848072 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2016-05-10 23:40 - 2016-04-23 07:07 - 01536088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2016-05-10 23:40 - 2016-04-23 07:06 - 00291360 _____ (Microsoft Corporation) C:\Windows\system32\wininit.exe
2016-05-10 23:40 - 2016-04-23 07:02 - 00188256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppxAllUserStore.dll
2016-05-10 23:40 - 2016-04-23 07:01 - 01996640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2016-05-10 23:40 - 2016-04-23 07:01 - 00650304 _____ (Microsoft Corporation) C:\Windows\system32\dxgi.dll
2016-05-10 23:40 - 2016-04-23 07:01 - 00619296 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2016-05-10 23:40 - 2016-04-23 07:01 - 00577368 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms2.sys
2016-05-10 23:40 - 2016-04-23 07:01 - 00522176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2016-05-10 23:40 - 2016-04-23 07:01 - 00513368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2016-05-10 23:40 - 2016-04-23 07:01 - 00393568 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2016-05-10 23:40 - 2016-04-23 07:01 - 00217440 _____ (Microsoft Corporation) C:\Windows\system32\AppxAllUserStore.dll
2016-05-10 23:40 - 2016-04-23 07:00 - 01776768 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2016-05-10 23:40 - 2016-04-23 07:00 - 01594920 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-05-10 23:40 - 2016-04-23 07:00 - 01522152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2016-05-10 23:40 - 2016-04-23 07:00 - 01399224 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2016-05-10 23:40 - 2016-04-23 07:00 - 01372304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-05-10 23:40 - 2016-04-23 07:00 - 01337240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2016-05-10 23:40 - 2016-04-23 07:00 - 00550656 _____ (Microsoft Corporation) C:\Windows\system32\directmanipulation.dll
2016-05-10 23:40 - 2016-04-23 07:00 - 00453472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\directmanipulation.dll
2016-05-10 23:40 - 2016-04-23 06:56 - 00534872 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBHUB3.SYS
2016-05-10 23:40 - 2016-04-23 06:39 - 00089088 _____ (Microsoft Corporation) C:\Windows\system32\MapsCSP.dll
2016-05-10 23:40 - 2016-04-23 06:35 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\MosHostClient.dll
2016-05-10 23:40 - 2016-04-23 06:32 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\EnterpriseDesktopAppMgmtCSP.dll
2016-05-10 23:40 - 2016-04-23 06:32 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\mapsupdatetask.dll
2016-05-10 23:40 - 2016-04-23 06:31 - 13018112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Xaml.dll
2016-05-10 23:40 - 2016-04-23 06:31 - 00074752 _____ (Microsoft Corporation) C:\Windows\system32\MosStorage.dll
2016-05-10 23:40 - 2016-04-23 06:30 - 22379008 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2016-05-10 23:40 - 2016-04-23 06:30 - 00120320 _____ (Microsoft Corporation) C:\Windows\system32\MapsBtSvc.dll
2016-05-10 23:40 - 2016-04-23 06:30 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MosHostClient.dll
2016-05-10 23:40 - 2016-04-23 06:29 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\MDMAppInstaller.exe
2016-05-10 23:40 - 2016-04-23 06:29 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\moshost.dll
2016-05-10 23:40 - 2016-04-23 06:28 - 16984576 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Xaml.dll
2016-05-10 23:40 - 2016-04-23 06:28 - 00130560 _____ (Microsoft Corporation) C:\Windows\system32\CloudDomainJoinDataModelServer.dll
2016-05-10 23:40 - 2016-04-23 06:26 - 00269824 _____ (Microsoft Corporation) C:\Windows\system32\moshostcore.dll
2016-05-10 23:40 - 2016-04-23 06:26 - 00059904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MosStorage.dll
2016-05-10 23:40 - 2016-04-23 06:25 - 00630784 _____ (Microsoft Corporation) C:\Windows\system32\PhoneProviders.dll
2016-05-10 23:40 - 2016-04-23 06:25 - 00617984 _____ (Microsoft Corporation) C:\Windows\system32\StorSvc.dll
2016-05-10 23:40 - 2016-04-23 06:25 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wcmcsp.dll
2016-05-10 23:40 - 2016-04-23 06:25 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MapsBtSvc.dll
2016-05-10 23:40 - 2016-04-23 06:24 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\ieproxy.dll
2016-05-10 23:40 - 2016-04-23 06:24 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\provengine.dll
2016-05-10 23:40 - 2016-04-23 06:24 - 00287232 _____ (Microsoft Corporation) C:\Windows\system32\provhandlers.dll
2016-05-10 23:40 - 2016-04-23 06:24 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\shacct.dll
2016-05-10 23:40 - 2016-04-23 06:24 - 00166400 _____ (Microsoft Corporation) C:\Windows\system32\SubscriptionMgr.dll
2016-05-10 23:40 - 2016-04-23 06:23 - 11545088 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2016-05-10 23:40 - 2016-04-23 06:22 - 09918976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2016-05-10 23:40 - 2016-04-23 06:22 - 00460800 _____ (Microsoft Corporation) C:\Windows\system32\MapConfiguration.dll
2016-05-10 23:40 - 2016-04-23 06:21 - 00479232 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-05-10 23:40 - 2016-04-23 06:21 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\RDXTaskFactory.dll
2016-05-10 23:40 - 2016-04-23 06:20 - 19344384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-05-10 23:40 - 2016-04-23 06:20 - 18676224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2016-05-10 23:40 - 2016-04-23 06:20 - 00606720 _____ (Microsoft Corporation) C:\Windows\system32\wcmsvc.dll
2016-05-10 23:40 - 2016-04-23 06:20 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\tileobjserver.dll
2016-05-10 23:40 - 2016-04-23 06:20 - 00484352 _____ (Microsoft Corporation) C:\Windows\system32\DataSenseHandlers.dll
2016-05-10 23:40 - 2016-04-23 06:20 - 00356864 _____ (Microsoft Corporation) C:\Windows\system32\ActivationManager.dll
2016-05-10 23:40 - 2016-04-23 06:20 - 00307200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieproxy.dll
2016-05-10 23:40 - 2016-04-23 06:20 - 00137728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shacct.dll
2016-05-10 23:40 - 2016-04-23 06:19 - 07977472 _____ (Microsoft Corporation) C:\Windows\system32\mos.dll
2016-05-10 23:40 - 2016-04-23 06:19 - 01056256 _____ (Microsoft Corporation) C:\Windows\system32\JpMapControl.dll
2016-05-10 23:40 - 2016-04-23 06:19 - 00970752 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-05-10 23:40 - 2016-04-23 06:19 - 00853504 _____ (Microsoft Corporation) C:\Windows\system32\MapsStore.dll
2016-05-10 23:40 - 2016-04-23 06:19 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\CredProvDataModel.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 24604672 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00988672 _____ (Microsoft Corporation) C:\Windows\system32\SharedStartModel.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00988160 _____ (Microsoft Corporation) C:\Windows\system32\NMAA.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00939520 _____ (Microsoft Corporation) C:\Windows\system32\MapControlCore.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00870400 _____ (Microsoft Corporation) C:\Windows\system32\modernexecserver.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00804352 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00605184 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00585728 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2016-05-10 23:40 - 2016-04-23 06:18 - 00515072 _____ (Microsoft Corporation) C:\Windows\system32\OneDriveSettingSyncProvider.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00471552 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupShim.dll
2016-05-10 23:40 - 2016-04-23 06:18 - 00349696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MapConfiguration.dll
2016-05-10 23:40 - 2016-04-23 06:17 - 01213440 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2016-05-10 23:40 - 2016-04-23 06:17 - 00529920 _____ (Microsoft Corporation) C:\Windows\system32\LogonController.dll
2016-05-10 23:40 - 2016-04-23 06:17 - 00388608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-05-10 23:40 - 2016-04-23 06:16 - 01319424 _____ (Microsoft Corporation) C:\Windows\system32\wifinetworkmanager.dll
2016-05-10 23:40 - 2016-04-23 06:16 - 00848896 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-05-10 23:40 - 2016-04-23 06:16 - 00800768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JpMapControl.dll
2016-05-10 23:40 - 2016-04-23 06:15 - 01073152 _____ (Microsoft Corporation) C:\Windows\system32\RDXService.dll
2016-05-10 23:40 - 2016-04-23 06:15 - 00865792 _____ (Microsoft Corporation) C:\Windows\system32\AzureSettingSyncProvider.dll
2016-05-10 23:40 - 2016-04-23 06:15 - 00792064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-05-10 23:40 - 2016-04-23 06:15 - 00784896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NMAA.dll
2016-05-10 23:40 - 2016-04-23 06:15 - 00673280 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.dll
2016-05-10 23:40 - 2016-04-23 06:15 - 00400896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\OneDriveSettingSyncProvider.dll
2016-05-10 23:40 - 2016-04-23 06:15 - 00348672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CredProvDataModel.dll
2016-05-10 23:40 - 2016-04-23 06:14 - 13383168 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-05-10 23:40 - 2016-04-23 06:14 - 00870912 _____ (Microsoft Corporation) C:\Windows\system32\MPSSVC.dll
2016-05-10 23:40 - 2016-04-23 06:14 - 00821760 _____ (Microsoft Corporation) C:\Windows\system32\TokenBroker.dll
2016-05-10 23:40 - 2016-04-23 06:14 - 00711680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MapControlCore.dll
2016-05-10 23:40 - 2016-04-23 06:14 - 00647680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-05-10 23:40 - 2016-04-23 06:14 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-05-10 23:40 - 2016-04-23 06:14 - 00354304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupShim.dll
2016-05-10 23:40 - 2016-04-23 06:14 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppXDeploymentClient.dll
2016-05-10 23:40 - 2016-04-23 06:13 - 07200256 _____ (Microsoft Corporation) C:\Windows\system32\BingMaps.dll
2016-05-10 23:40 - 2016-04-23 06:13 - 06295552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mos.dll
2016-05-10 23:40 - 2016-04-23 06:13 - 00705536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2016-05-10 23:40 - 2016-04-23 06:13 - 00489984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.dll
2016-05-10 23:40 - 2016-04-23 06:13 - 00434688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LogonController.dll
2016-05-10 23:40 - 2016-04-23 06:12 - 00667648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AzureSettingSyncProvider.dll
2016-05-10 23:40 - 2016-04-23 06:10 - 12125696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-05-10 23:40 - 2016-04-23 06:10 - 00639488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TokenBroker.dll
2016-05-10 23:40 - 2016-04-23 06:09 - 03666432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-05-10 23:40 - 2016-04-23 06:08 - 05324288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2016-05-10 23:40 - 2016-04-23 06:07 - 05205504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\BingMaps.dll
2016-05-10 23:40 - 2016-04-23 06:07 - 02598912 _____ (Microsoft Corporation) C:\Windows\system32\NetworkMobileSettings.dll
2016-05-10 23:40 - 2016-04-23 06:07 - 01500160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-05-10 23:40 - 2016-04-23 06:07 - 00848896 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2016-05-10 23:40 - 2016-04-23 06:06 - 06974464 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2016-05-10 23:40 - 2016-04-23 06:05 - 05502976 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2016-05-10 23:40 - 2016-04-23 06:05 - 02166784 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll
2016-05-10 23:40 - 2016-04-23 06:05 - 02066432 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentExtensions.dll
2016-05-10 23:40 - 2016-04-23 06:05 - 01946112 _____ (Microsoft Corporation) C:\Windows\system32\dwmcore.dll
2016-05-10 23:40 - 2016-04-23 06:05 - 01626624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dwmcore.dll
2016-05-10 23:40 - 2016-04-23 06:05 - 00613376 _____ (Microsoft Corporation) C:\Windows\system32\SettingSync.dll
2016-05-10 23:40 - 2016-04-23 06:04 - 04759040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2016-05-10 23:40 - 2016-04-23 06:04 - 01731072 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-05-10 23:40 - 2016-04-23 06:03 - 05660160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2016-05-10 23:40 - 2016-04-23 06:03 - 04894208 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-05-10 23:40 - 2016-04-23 06:03 - 02280960 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-05-10 23:40 - 2016-04-23 06:03 - 02000896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.appcore.dll
2016-05-10 23:40 - 2016-04-23 06:03 - 00754176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSyncCore.dll
2016-05-10 23:40 - 2016-04-23 06:03 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSync.dll
2016-05-10 23:40 - 2016-04-23 06:02 - 07832576 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2016-05-10 23:40 - 2016-04-23 06:02 - 02444288 _____ (Microsoft Corporation) C:\Windows\system32\twinui.appcore.dll
2016-05-10 23:40 - 2016-04-23 06:01 - 04775424 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2016-05-10 23:40 - 2016-04-23 06:00 - 01390080 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Shell.dll
2016-05-10 23:40 - 2016-04-23 06:00 - 00984576 _____ (Microsoft Corporation) C:\Windows\system32\SettingSyncCore.dll
2016-05-10 23:40 - 2016-04-23 05:45 - 00461824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CoreMessaging.dll
2016-05-10 23:40 - 2016-04-23 04:10 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2016-05-10 23:39 - 2016-05-06 06:05 - 00241664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptngc.dll
2016-05-10 23:39 - 2016-05-06 05:43 - 00320000 _____ (Microsoft Corporation) C:\Windows\system32\cryptngc.dll
2016-05-10 23:39 - 2016-04-23 07:24 - 00638816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fvevol.sys
2016-05-10 23:39 - 2016-04-23 07:24 - 00335712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fastfat.sys
2016-05-10 23:39 - 2016-04-23 07:24 - 00099680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pdc.sys
2016-05-10 23:39 - 2016-04-23 07:18 - 00026408 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-05-10 23:39 - 2016-04-23 07:13 - 00502104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupEngine.dll
2016-05-10 23:39 - 2016-04-23 07:13 - 00084832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupApi.dll
2016-05-10 23:39 - 2016-04-23 07:11 - 00696672 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupEngine.dll
2016-05-10 23:39 - 2016-04-23 07:11 - 00131424 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ufxsynopsys.sys
2016-05-10 23:39 - 2016-04-23 07:11 - 00115040 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupApi.dll
2016-05-10 23:39 - 2016-04-23 07:09 - 00465760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSyncHost.exe
2016-05-10 23:39 - 2016-04-23 07:07 - 00204048 _____ (Microsoft Corporation) C:\Windows\system32\rsaenh.dll
2016-05-10 23:39 - 2016-04-23 07:07 - 00183904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rsaenh.dll
2016-05-10 23:39 - 2016-04-23 07:00 - 00058208 _____ (Microsoft Corporation) C:\Windows\system32\dwminit.dll
2016-05-10 23:39 - 2016-04-23 06:34 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbser.sys
2016-05-10 23:39 - 2016-04-23 06:34 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\hmkd.dll
2016-05-10 23:39 - 2016-04-23 06:34 - 00048128 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2016-05-10 23:39 - 2016-04-23 06:33 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\NFCProvisioningPlugin.dll
2016-05-10 23:39 - 2016-04-23 06:33 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\wshbth.dll
2016-05-10 23:39 - 2016-04-23 06:33 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\UcmCx.sys
2016-05-10 23:39 - 2016-04-23 06:33 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\ByteCodeGenerator.exe
2016-05-10 23:39 - 2016-04-23 06:32 - 00134656 _____ (Microsoft Corporation) C:\Windows\system32\wificonnapi.dll
2016-05-10 23:39 - 2016-04-23 06:29 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\provisioningcsp.dll
2016-05-10 23:39 - 2016-04-23 06:29 - 00151040 _____ (Microsoft Corporation) C:\Windows\system32\VEStoreEventHandlers.dll
2016-05-10 23:39 - 2016-04-23 06:29 - 00087552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\filecrypt.sys
2016-05-10 23:39 - 2016-04-23 06:29 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\hmkd.dll
2016-05-10 23:39 - 2016-04-23 06:29 - 00031232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ByteCodeGenerator.exe
2016-05-10 23:39 - 2016-04-23 06:29 - 00023552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2016-05-10 23:39 - 2016-04-23 06:28 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\VEDataLayerHelpers.dll
2016-05-10 23:39 - 2016-04-23 06:28 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\BluetoothApis.dll
2016-05-10 23:39 - 2016-04-23 06:28 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\AppCapture.dll
2016-05-10 23:39 - 2016-04-23 06:28 - 00051712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wshbth.dll
2016-05-10 23:39 - 2016-04-23 06:27 - 00155136 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys
2016-05-10 23:39 - 2016-04-23 06:27 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wfdprov.dll
2016-05-10 23:39 - 2016-04-23 06:25 - 00207360 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupSvc.dll
2016-05-10 23:39 - 2016-04-23 06:24 - 00764928 _____ (Microsoft Corporation) C:\Windows\system32\Chakradiag.dll
2016-05-10 23:39 - 2016-04-23 06:24 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\VEDataLayerHelpers.dll
2016-05-10 23:39 - 2016-04-23 06:23 - 00414720 _____ (Microsoft Corporation) C:\Windows\system32\bcastdvr.exe
2016-05-10 23:39 - 2016-04-23 06:23 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\ListSvc.dll
2016-05-10 23:39 - 2016-04-23 06:23 - 00179712 _____ (Microsoft Corporation) C:\Windows\system32\BrowserSettingSync.dll
2016-05-10 23:39 - 2016-04-23 06:23 - 00080896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\BluetoothApis.dll
2016-05-10 23:39 - 2016-04-23 06:22 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\VEEventDispatcher.dll
2016-05-10 23:39 - 2016-04-23 06:19 - 00395264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wlansec.dll
2016-05-10 23:39 - 2016-04-23 06:19 - 00140800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\BrowserSettingSync.dll
2016-05-10 23:39 - 2016-04-23 06:18 - 00436736 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentClient.dll
2016-05-10 23:39 - 2016-04-23 06:18 - 00219648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\VEEventDispatcher.dll
2016-05-10 23:39 - 2016-04-23 06:17 - 00337920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wlanmsm.dll
2016-05-10 23:39 - 2016-04-23 06:05 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\updatepolicy.dll
2016-05-10 23:39 - 2016-04-23 06:05 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\updatepolicy.dll
2016-05-10 23:39 - 2016-04-23 06:03 - 02193408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\actxprxy.dll
2016-05-10 23:39 - 2016-04-23 04:10 - 00002186 _____ C:\Windows\system32\AppxProvisioning.xml
2016-05-10 23:39 - 2016-04-19 00:30 - 00002186 _____ C:\Windows\SysWOW64\AppxProvisioning.xml
2016-05-02 21:37 - 2016-05-02 21:38 - 00000000 ____D C:\Users\thomas\Downloads\Fehler Boot Windows 2008R2

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-17 17:48 - 2016-02-29 18:50 - 01799166 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-17 17:48 - 2015-10-30 21:20 - 00775524 _____ C:\Windows\system32\perfh007.dat
2016-05-17 17:48 - 2015-10-30 21:20 - 00155338 _____ C:\Windows\system32\perfc007.dat
2016-05-17 17:48 - 2015-10-30 09:19 - 00000000 ____D C:\Windows\INF
2016-05-17 17:16 - 2016-03-11 15:15 - 00004172 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{56F75FA2-6DB9-4E52-9235-7EF50D8C5EFA}
2016-05-17 16:50 - 2015-10-30 09:21 - 00000000 ____D C:\Windows\AppReadiness
2016-05-17 16:45 - 2015-10-30 09:21 - 00000000 ___HD C:\Program Files\WindowsApps
2016-05-17 15:47 - 2016-02-29 19:20 - 00000000 ____D C:\Users\thomas\AppData\Local\ClassicShell
2016-05-16 16:37 - 2016-02-29 18:43 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-16 16:36 - 2015-10-30 08:28 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-05-15 17:40 - 2016-02-29 18:47 - 00000000 ____D C:\Users\thomas\AppData\Local\VirtualStore
2016-05-14 18:16 - 2015-10-30 09:11 - 00000000 ____D C:\Windows\CbsTemp
2016-05-14 18:08 - 2016-03-06 16:19 - 00000000 ____D C:\Users\thomas\AppData\Roaming\VMware
2016-05-13 21:32 - 2015-10-30 09:21 - 00000000 ____D C:\Windows\rescache
2016-05-13 20:57 - 2016-02-29 18:47 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-05-13 03:30 - 2016-02-29 18:47 - 00000000 ____D C:\Users\thomas
2016-05-13 03:30 - 2015-10-30 21:23 - 00000000 ____D C:\Program Files\Windows Journal
2016-05-13 03:30 - 2015-10-30 09:21 - 00000000 ____D C:\Windows\system32\oobe
2016-05-13 03:30 - 2015-10-30 09:21 - 00000000 ____D C:\Windows\system32\appraiser
2016-05-13 03:30 - 2015-10-30 09:21 - 00000000 ____D C:\Windows\Provisioning
2016-05-13 03:30 - 2015-10-30 09:21 - 00000000 ____D C:\Windows\bcastdvr
2016-05-12 17:16 - 2015-10-30 09:21 - 00015703 _____ C:\Windows\system32\OEMDefaultAssociations.xml
2016-05-12 17:15 - 2016-02-29 19:08 - 00000000 ____D C:\Windows\system32\MRT
2016-05-12 17:13 - 2016-02-29 19:08 - 139319312 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-05-11 21:57 - 2015-10-30 09:23 - 00829944 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-05-11 21:57 - 2015-10-30 09:23 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-05-02 20:36 - 2016-02-29 18:47 - 00000000 ____D C:\Users\thomas\AppData\Local\Packages
2016-04-26 10:23 - 2016-02-29 18:49 - 00002386 _____ C:\Users\thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-04-26 10:23 - 2016-02-29 18:49 - 00000000 ___RD C:\Users\thomas\OneDrive
2016-04-22 09:57 - 2016-02-29 19:09 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2016-04-12 21:17 - 2016-04-12 21:17 - 0000600 _____ () C:\Users\thomas\AppData\Local\PUTTY.RND

Some files in TEMP:
====================
C:\Users\thomas\AppData\Local\Temp\F-SecureNetworkInstaller.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-12 17:13

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version:16-05-2016
Ran by thomas (2016-05-17 20:14:58)
Running from I:\
Windows 10 Pro N Version 1511 (X64) (2016-02-29 16:45:13)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1292974356-937073139-3431121634-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1292974356-937073139-3431121634-503 - Limited - Disabled)
Gast (S-1-5-21-1292974356-937073139-3431121634-501 - Limited - Disabled)
thomas (S-1-5-21-1292974356-937073139-3431121634-1001 - Administrator - Enabled) => C:\Users\thomas

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Antivirus by F-Secure (Enabled - Up to date) {0F70A6C4-76E4-6A3B-2695-519F428B1C20}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Antivirus by F-Secure (Enabled - Up to date) {B4114720-50DE-65B5-1C25-6AED390C569D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.14 (x64) (HKLM\...\7-Zip) (Version: 15.14 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 20.0.0.260 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.2 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.2.3.183 - Adobe Systems, Inc.)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Citrix XenCenter (HKLM-x32\...\{0C660E05-CE93-4703-9275-FF5A2C8D5BE8}) (Version: 6.5.1 - Citrix Systems, Inc.)
Classic Shell (HKLM\...\{D4B3454F-7529-4F5F-851D-2C36933F7D64}) (Version: 4.2.5 - IvoSoft)
Computer Security 14.160.100.0 (release) (x32 Version: 14.160.100.0 - F-Secure Corporation) Hidden
Data Recovery Pro (HKLM-x32\...\{B1C2398C-6FAB-46D1-806C-5942F0829994}) (Version: 2.1.0.0 - ParetoLogic, Inc.)
F-Secure (HKLM-x32\...\F-Secure ServiceEnabler 666) (Version: 2.60.207.0 - F-Secure Corporation)
F-Secure (x32 Version: 2.60.207.0 - F-Secure Corporation) Hidden
F-Secure CCF Reputation (x32 Version: 2.0.1337.0 - F-Secure) Hidden
F-Secure CCF Scanning 1.72.177.864 (release) (x32 Version: 1.72.177.864 - F-Secure Corporation) Hidden
F-Secure Network CCF 1.04.124 (x32 Version: 1.04.124 - F-Secure Corporation) Hidden
F-Secure SafeSearch 1.07.117.0 (release) (x32 Version: 1.07.117.0 - F-Secure Corporation) Hidden
GetDataBack for NTFS (HKLM-x32\...\{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}) (Version: 2.31.006 - Runtime Software)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.41 - Irfan Skiljan)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package - SE (x64) (HKLM\...\Microsoft Visual J# 2.0 Redistributable Package - SE (x64)) (Version: - Microsoft Corporation)
Online Safety 2.160.3975.2632 (x32 Version: 2.160.3975.2632 - F-Secure Corporation) Hidden
PDFCreator (HKLM\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 2.2.2 - pdfforge)
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.47484 - TeamViewer)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.2 - VideoLAN)
VMware vSphere Client 5.5 (HKLM-x32\...\{4CFB0494-2E96-4631-8364-538E2AA91324}) (Version: 5.5.0.3165 - VMware, Inc.)
WinRAR 5.31 (64-Bit) (HKLM\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1292974356-937073139-3431121634-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\thomas\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\FileCoAuth.exe (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0C22354B-5087-4E4D-AE36-6455C589D47F} - System32\Tasks\ParetoLogic Registration3 => Rundll32.exe "C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\UUS3.dll" RunUns
Task: {195001AC-61BF-4320-AC45-9C4829D302D3} - System32\Tasks\ParetoLogic Update Version3 Startup Task => C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2013-06-18] ()
Task: {1FF942FE-8EB5-4E4E-84A1-6A6555217372} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {2687C3F2-BE84-4FEA-A076-CED8F43A0325} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2016-05-12] (Microsoft Corporation)
Task: {59AB547F-F8EC-4319-BCA5-EC42C22EEA8C} - System32\Tasks\ParetoLogic Update Version3 => C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2013-06-18] ()
Task: {A05AF173-7D73-4942-9548-4114777752F2} - System32\Tasks\F-Secure\F-Secure GUI => C:\Program Files (x86)\F-Secure\Internet Security\FsGuiStarter.exe [2016-03-14] (F-Secure Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\ParetoLogic Registration3.job => C:\Windows\system32\rundll32.exeGC:\Program Files (x86)\Common Files\ParetoLogic\UUS3\UUS3.dll
Task: C:\Windows\Tasks\ParetoLogic Update Version3 Startup Task.job => C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe
Task: C:\Windows\Tasks\ParetoLogic Update Version3.job => C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-10-30 09:16 - 2015-10-30 09:16 - 00185856 _____ () C:\Windows\SYSTEM32\ism32k.dll
2016-04-13 00:40 - 2016-03-29 12:20 - 02656952 _____ () C:\Windows\system32\CoreUIComponents.dll
2016-04-13 00:40 - 2016-03-29 12:20 - 02656952 _____ () C:\Windows\System32\CoreUIComponents.dll
2016-04-26 10:23 - 2016-04-26 10:23 - 00959176 _____ () C:\Users\thomas\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\amd64\ClientTelemetry.dll
2016-02-29 19:06 - 2015-12-07 06:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-05-10 23:39 - 2016-04-23 06:25 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-05-10 23:40 - 2016-04-23 06:02 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-05-10 23:40 - 2016-04-23 05:58 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-05-10 23:40 - 2016-04-23 05:58 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-05-10 23:40 - 2016-04-23 06:01 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-03-14 12:26 - 2016-03-14 12:26 - 00254936 _____ () C:\Program Files (x86)\F-Secure\Internet Security\daas2.dll
2016-05-12 16:46 - 2016-03-14 14:20 - 00074712 _____ () C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Anti-Virus\FSAVHRES.eng
2016-05-12 16:49 - 2016-05-12 16:49 - 00093152 _____ () C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\hashlib_x86.dll
2016-05-12 16:46 - 2016-05-12 16:49 - 00293344 _____ () C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Gemini\fsgem.dll
2016-05-12 16:46 - 2016-05-12 16:49 - 00213984 _____ () C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Spam Control\fsas.dll
2016-04-26 10:23 - 2016-04-26 10:23 - 00679624 _____ () C:\Users\thomas\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\ClientTelemetry.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-10-30 09:21 - 2015-10-30 09:19 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1292974356-937073139-3431121634-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 10.0.0.5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{CD3EA32C-745C-47AC-8C40-B107647ABA01}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [{01EF2896-88BC-4DCE-B9BC-8333B66AEB62}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{74DE912B-5CAA-4739-862E-83630DF1B3CD}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{4A46E179-3978-4D6A-80A9-384CAED85913}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{351A1C38-692D-4B43-BA7D-B0B1EFDB53A8}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (05/17/2016 04:03:35 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (05/15/2016 06:02:49 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (05/13/2016 09:05:42 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (05/12/2016 05:13:23 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (05/12/2016 05:03:51 PM) (Source: FSecure-FSecure-F-Secure DeepGuard) (EventID: 103) (User: )
Description: 2 2016-05-12 17:03:51+02:00 SYSTEM F-Secure DeepGuard
Application was blocked. This was determined to be a high-risk application by system control heuristics.
Application path: \\?\c:\users\thomas\desktop\petyaextractor_cb-dl-manager.exe
File hash: f5aedaafe15a9af9da320f5790d43a68924cb461

Error: (05/12/2016 05:03:34 PM) (Source: FSecure-FSecure-F-Secure Anti-Virus) (EventID: 103) (User: )
Description: 1 2016-05-12 17:03:34+02:00 DESKTOP-P3G2TKR\thomas F-Secure Anti-Virus
Spyware detected:
Type: riskware
Family:
Name: Gen:Variant.Application.Bundler
Object: C:\Users\thomas\Desktop\PetyaExtractor_CB-DL-Manager.exe

Error: (04/28/2016 02:24:40 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (04/20/2016 10:35:59 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (04/12/2016 09:41:21 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (03/21/2016 07:59:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: vmware-vmrc.exe, Version: 9.0.0.28537, Zeitstempel: 0x520fabbf
Name des fehlerhaften Moduls: vmwarecui.dll, Version: 9.0.0.28537, Zeitstempel: 0x520faac8
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0023d685
ID des fehlerhaften Prozesses: 0x86c
Startzeit der fehlerhaften Anwendung: 0xvmware-vmrc.exe0
Pfad der fehlerhaften Anwendung: vmware-vmrc.exe1
Pfad des fehlerhaften Moduls: vmware-vmrc.exe2
Berichtskennung: vmware-vmrc.exe3
Vollständiger Name des fehlerhaften Pakets: vmware-vmrc.exe4
Anwendungs-ID, die relativ zum fehlerhaften Paket ist: vmware-vmrc.exe5


System errors:
=============
Error: (05/17/2016 04:10:36 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 04:05:46 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 04:05:43 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 04:03:41 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 04:03:35 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 03:56:33 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 03:56:32 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 03:56:31 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 03:56:31 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.

Error: (05/17/2016 03:56:31 PM) (Source: Ntfs) (EventID: 55) (User: NT-AUTORITÄT)
Description: In der Dateisystemstruktur auf Volume "H:" wurde eine Beschädigung erkannt.

Die genaue Art der Beschädigung ist unbekannt. Die Dateisystemstrukturen müssen online überprüft werden.


CodeIntegrity:
===================================
Date: 2016-05-15 03:52:07.535
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-05-14 04:46:24.623
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-05-13 03:31:26.983
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-05-12 21:33:56.727
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-05-12 17:08:04.569
Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2016-05-12 17:08:04.558
Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2016-05-12 17:07:53.493
Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2016-05-12 17:07:53.486
Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2016-05-12 17:07:53.474
Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2016-05-12 17:07:42.801
Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: Intel® Xeon® CPU E5-1620 v3 @ 3.50GHz
Percentage of memory in use: 9%
Total physical RAM: 16277.66 MB
Available physical RAM: 14733.84 MB
Total Virtual: 18709.66 MB
Available Virtual: 17195.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:118.69 GB) (Free:95.59 GB) NTFS
Drive d: (Daten) (Fixed) (Total:465.76 GB) (Free:461.33 GB) NTFS
Drive i: (STORE N GO) (Removable) (Total:14.41 GB) (Free:14.39 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: A62A491E)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 119.2 GB) (Disk ID: 608D8F5E)

Partition: GPT.

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 14.4 GB) (Disk ID: FCA0F850)
Partition 1: (Not Active) - (Size=14.4 GB) - (Type=0C)

==================== End of Addition.txt ============================

Attached Files


Edited by Oh My!, 17 May 2016 - 03:39 PM.


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:50 AM

Posted 17 May 2016 - 04:03 PM

Hi Thomas,

Are you able to read and understand instructions in English?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 thomas1568

thomas1568
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 17 May 2016 - 04:05 PM

Hi Gary,

 

Yes why not ?



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:50 AM

Posted 17 May 2016 - 04:09 PM

I just want to make sure and not assume it. I think the easiest thing to do is have you follow the instructions in the BleepingComputer Tutorial on Petya Ransomware.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 thomas1568

thomas1568
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 17 May 2016 - 04:17 PM

Hi Gary,

 

I have the green Petya,

 

 
I have read the two values ​​of the infiziereten disk and entered on the website , after hours of waiting without success came a timeout !
 
My score in the : pety-pay-no-ransom... was never under 80 !


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:50 AM

Posted 17 May 2016 - 08:08 PM

I am sorry to inform you currently there is no way to decrypt your hard drive.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 thomas1568

thomas1568
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 18 May 2016 - 11:33 AM

Absolut no way ??? 



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:50 AM

Posted 18 May 2016 - 08:04 PM

Assuming you have Stage 2 green, that is correct. See here.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 thomas1568

thomas1568
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 19 May 2016 - 12:27 AM

Thank you !



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:50 AM

Posted 19 May 2016 - 08:28 AM

My pleasure sorry to deliver the bad news.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:50 AM

Posted 19 May 2016 - 08:28 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users