Scan with FRST after Cryptohasyou attack


28 replies to this topic

#1 Gatsu81

  • Members
  • 24 posts

Posted 11 August 2016 - 04:39 AM

Hi, thanks in advance for the immense help you're giving.

A computer on the network got hit by a cryptolocker, and in the aftermath the owner (my gf's father) finally was convinced to do some more accurate scans.

I made him use FRST as advised here, and I suspect the warnings are totally unrelated to the crypto (since it wasn't even the computer affected, just one on the network that the infected one could reach).

The only ATTENTION signals are in the Addition.txt.

But I'd like to be sure, so I'll post the scan result too.

Thanks in advance.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-08-2016 01
Ran by Administrator (administrator) on PC-SERVER-NEW (11-08-2016 10:50:55)
Running from C:\Users\Administrator\Downloads
Loaded Profiles: Administrator (Available Profiles: ufficio & cassa & tv & enel & wind & Jolly & enri & pal & bell & Asus & batterie & Administrator)
Platform: Microsoft® Windows Server® 2008 Standard  Service Pack 2 (X86) Language: Italiano (Italia)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avp.exe
(CobianSoft, Luis Cobian) C:\Program Files\Cobian Backup 10\cbVSCService.exe
(Luis Cobian, CobianSoft) C:\Program Files\Cobian Backup 10\cbService.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avpui.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Luis Cobian, CobianSoft) C:\Program Files\Cobian Backup 10\cbInterface.exe
() C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
(Akamai Technologies, Inc.) C:\Users\Administrator\AppData\Local\Akamai\netsession_win.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Akamai Technologies, Inc.) C:\Users\Administrator\AppData\Local\Akamai\netsession_win.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\tv_w32.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe
(Farbar) C:\Users\Administrator\Downloads\FRST (1).exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Cobian Backup 10 Interface] => C:\Program Files\Cobian Backup 10\cbInterface.exe [3154432 2010-09-23] (Luis Cobian, CobianSoft)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [CDAServer] => C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [331264 2010-11-26] ()
HKLM\...\runonceex: [Flags] => 2744
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\Run: [Akamai NetSession Interface] => C:\Users\Administrator\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6851288 2016-07-13] (Piriform Ltd)
HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\MountPoints2: {43a31b29-5112-11df-9d6c-0026b98520d9} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\_.vbs
HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\MountPoints2: {58122d93-5e78-11e2-a698-0026b98520d9} - G:\RunClubSanDisk.exe
HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\MountPoints2: {aa842183-5696-11df-8c2f-0026b98520d9} - F:\avira.exe
HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\MountPoints2: {fa99aad0-69b2-11e0-82e2-0026b98520d9} - G:\start.exe
Lsa: [Notification Packages] scecli RASSFM
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{0FD959D8-3DD2-4CB2-BD43-7F60E68EBCD5}: [NameServer] 192.168.1.100,151.99.125.2
 
Internet Explorer:
==================
HKU\S-1-5-21-3617111606-1223707523-4130045347-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://it.msn.com/?ocid=OIE9HP
HKU\S-1-5-21-3617111606-1223707523-4130045347-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://it.msn.com/?ocid=OIE9HP
BHO: Supporto di collegamento per Adobe PDF Reader -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2015-09-24] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ov6bay10.default-1418288673354
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-02-11] [not signed]
 
Chrome: 
=======
CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Presentazioni Google) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-12]
CHR Extension: (Documenti Google) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-12]
CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-22]
CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-22]
CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-22]
CHR Extension: (Fogli Google) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-12]
CHR Extension: (Google Documenti offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-13]
CHR Extension: (Pagamenti Chrome Web Store) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-13]
CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-11-22]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVP15.0.2; C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avp.exe [194000 2016-04-01] (Kaspersky Lab ZAO)
R2 cbVSCService; C:\Program Files\Cobian Backup 10\cbVSCService.exe [67584 2010-09-23] (CobianSoft, Luis Cobian) [File not signed]
R2 CobianBackup10; C:\Program Files\Cobian Backup 10\cbService.exe [1125376 2010-09-23] (Luis Cobian, CobianSoft) [File not signed]
R2 DHCPServer; C:\Windows\System32\dhcpssvc.dll [492032 2009-04-10] (Microsoft Corporation)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [22016 2008-01-19] (Microsoft Corporation)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [42884448 2010-04-03] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [78336 2009-04-10] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [13312 2008-01-19] (Microsoft Corporation)
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [367456 2010-04-03] (Microsoft Corporation)
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [7183632 2016-07-18] (TeamViewer GmbH)
R2 TermServLicensing; C:\Windows\System32\lserver.dll [468992 2009-04-10] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 bccfg; C:\Windows\System32\DRIVERS\bccfg.sys [16392 2009-10-27] (Dell Inc.)
R0 bcraid; C:\Windows\System32\drivers\bcraid.sys [500744 2009-10-27] (Dell Inc.)
R0 cm_km_w; C:\Windows\System32\DRIVERS\cm_km_w.sys [197864 2016-04-01] (Kaspersky Lab UK Ltd)
S4 ioatdma; C:\Windows\system32\drivers\qd26032.sys [31232 2008-01-19] (Intel Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [155304 2016-04-01] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [54640 2016-04-01] (Kaspersky Lab ZAO)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [128728 2016-04-01] (Kaspersky Lab ZAO)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [53168 2016-08-10] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [704432 2016-08-10] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [44120 2016-08-10] (AO Kaspersky Lab)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [23920 2016-04-01] (Kaspersky Lab ZAO)
R1 kltdf; C:\Windows\System32\DRIVERS\kltdf.sys [68808 2014-11-06] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54328 2016-04-01] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [157240 2016-04-01] (Kaspersky Lab ZAO)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-08-11] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
S3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12096 2010-04-26] (UVNC BVBA)
S4 RsFx0150; C:\Windows\System32\DRIVERS\RsFx0150.sys [240608 2010-04-03] (Microsoft Corporation)
S4 s3cap; C:\Windows\system32\drivers\s3cap.sys [15816 2008-01-19] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [88632 2008-01-19] (Microsoft Corporation)
R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2010-10-11] (Samsung Electronics) [File not signed]
R0 storflt; C:\Windows\System32\drivers\storflt.sys [42440 2008-01-19] (Microsoft Corporation)
S3 vncdrv; C:\Windows\System32\DRIVERS\vncdrv.sys [4736 2004-06-26] (RDV Soft) [File not signed]
S4 BTHMODEM; \SystemRoot\system32\drivers\bthmodem.sys [X]
 
========================== Drivers MD5 =======================
 
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== Three Months Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-11 10:14 - 2016-08-11 10:14 - 00043567 _____ C:\Users\Administrator\Downloads\FRST3.txt
2016-08-11 10:13 - 2016-08-11 10:13 - 00030389 _____ C:\Users\Administrator\Desktop\Addition3.txt
2016-08-11 09:00 - 2016-08-11 09:00 - 01744384 _____ (Farbar) C:\Users\Administrator\Downloads\FRST (1).exe
2016-08-11 08:59 - 2016-08-11 10:38 - 00000000 ____D C:\Users\Administrator\Desktop\farbar
2016-08-11 08:54 - 2016-08-11 08:54 - 00120303 _____ C:\Users\Administrator\Downloads\Shortcut2.txt
2016-08-11 08:54 - 2016-08-11 08:54 - 00030188 _____ C:\Users\Administrator\Downloads\Addition2.txt
2016-08-11 08:53 - 2016-08-11 08:53 - 00042657 _____ C:\Users\Administrator\Desktop\FRST2.txt
2016-08-11 08:52 - 2016-08-11 08:52 - 00042657 _____ C:\Users\Administrator\Desktop\FRST.txt
2016-08-11 08:48 - 2016-08-11 10:31 - 00120303 _____ C:\Users\Administrator\Downloads\Shortcut.txt
2016-08-11 08:47 - 2016-08-11 10:31 - 00030389 _____ C:\Users\Administrator\Downloads\Addition.txt
2016-08-11 08:46 - 2016-08-11 10:50 - 00030341 _____ C:\Users\Administrator\Downloads\FRST.txt
2016-08-11 08:46 - 2016-08-11 10:50 - 00000000 ____D C:\FRST
2016-08-11 08:45 - 2016-08-11 08:45 - 01744384 _____ (Farbar) C:\Users\Administrator\Downloads\FRST.exe
2016-08-11 07:58 - 2016-08-11 10:51 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\1
2016-08-10 19:03 - 2016-08-11 07:59 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-10 19:03 - 2016-08-10 19:03 - 00000801 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-08-10 19:03 - 2016-08-10 19:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-10 19:03 - 2016-08-10 19:03 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-10 19:03 - 2016-08-10 19:03 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-08-10 19:03 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-08-10 19:03 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-08-10 19:03 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-08-10 19:01 - 2016-08-10 19:03 - 22851472 _____ (Malwarebytes ) C:\Users\Administrator\Downloads\mbam-setup-bc.1878-2.2.1.1043.exe
2016-08-10 11:19 - 2016-08-10 11:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung Printers
2016-08-10 11:19 - 2016-08-10 11:19 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Samsung
2016-08-10 11:19 - 2016-08-10 11:19 - 00000000 ____D C:\Program Files\SamsungPrinterLiveUpdateInstaller
2016-08-10 11:19 - 2016-08-10 11:19 - 00000000 ____D C:\Program Files\SamsungPrinterLiveUpdate
2016-08-10 11:19 - 2016-08-10 11:19 - 00000000 ____D C:\Program Files\Common Files\Common Desktop Agent
2016-08-10 11:18 - 2010-09-14 04:32 - 00151552 _____ (SS) C:\Windows\system32\ssi1mci.exe
2016-08-10 11:18 - 2010-09-14 04:32 - 00065536 _____ (SS) C:\Windows\system32\ssi1mci.dll
2016-08-10 11:18 - 2010-09-14 04:32 - 00026624 _____ () C:\Windows\system32\ssi1mlm.dll
2016-08-10 11:18 - 2010-09-14 04:32 - 00000361 _____ C:\Windows\system32\ssi1mlm.smt
2016-08-10 08:06 - 2016-08-10 08:06 - 00000719 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-08-10 08:06 - 2016-08-10 08:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-08-10 08:06 - 2016-08-10 08:06 - 00000000 ____D C:\Program Files\CCleaner
2016-08-10 08:05 - 2016-08-10 08:05 - 08136664 _____ (Piriform Ltd) C:\Users\Administrator\Downloads\ccsetup520.exe
2016-08-10 07:58 - 2016-08-10 07:58 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\IsolatedStorage
2016-08-10 07:58 - 2016-08-10 07:58 - 00000000 ____D C:\ProgramData\IsolatedStorage
2016-08-10 07:57 - 2016-08-10 08:02 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Solvusoft
2016-08-10 07:57 - 2016-08-10 07:57 - 00000000 ____D C:\Spacekace
2016-08-10 07:57 - 2016-08-10 07:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Small Office Security
2016-08-10 07:57 - 2016-08-10 07:56 - 00001921 _____ C:\Users\Public\Desktop\Kaspersky Small Office Security.lnk
2016-08-10 07:56 - 2016-08-11 10:15 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2016-08-10 07:56 - 2016-08-10 08:17 - 00704432 _____ (Kaspersky Lab ZAO) C:\Windows\system32\Drivers\klif.sys
2016-08-10 07:56 - 2016-08-10 07:56 - 00000000 ____D C:\Program Files\Kaspersky Lab
2016-08-10 07:56 - 2016-04-01 16:56 - 00128728 _____ (Kaspersky Lab ZAO) C:\Windows\system32\Drivers\klflt.sys
2016-08-10 07:54 - 2016-08-10 07:54 - 02173104 _____ C:\Users\Administrator\Downloads\Setup_FileViewPro_2016.exe
2016-08-10 07:47 - 2016-08-10 07:54 - 156450808 _____ (Kaspersky Lab) C:\Users\Administrator\Downloads\ksos15.0.2.361it-it.exe
2016-08-09 22:02 - 2016-08-09 22:02 - 00000381 _____ C:\Users\Administrator\AppData\Local\Temp\error029360_01.xml
2016-08-09 22:02 - 2016-08-09 22:02 - 00000000 _____ C:\Users\Administrator\AppData\Local\Temp\CVRFBDE.tmp.cvr
2016-08-09 21:23 - 2016-08-09 21:23 - 00000000 _____ C:\Users\Administrator\AppData\Local\Temp\tmp94D1.tmp
2016-08-04 16:01 - 2016-08-04 16:01 - 00000131 _____ C:\Users\Administrator\AppData\Local\Temp\E6408BC9.TMP
2016-07-18 09:14 - 2016-08-10 11:20 - 00000000 ____D C:\ProgramData\Samsung
2016-07-18 09:14 - 2016-08-10 11:17 - 00000000 ____D C:\Program Files\Samsung
 
==================== Three Months Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-11 10:11 - 2014-07-08 12:53 - 00455780 _____ C:\Windows\system32\perfh011.dat
2016-08-11 10:11 - 2014-07-08 12:53 - 00139346 _____ C:\Windows\system32\perfc011.dat
2016-08-11 10:11 - 2008-01-20 01:26 - 02344920 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-11 10:11 - 2008-01-20 01:25 - 00763580 _____ C:\Windows\system32\perfh010.dat
2016-08-11 10:11 - 2008-01-20 01:25 - 00162144 _____ C:\Windows\system32\perfc010.dat
2016-08-11 10:11 - 2008-01-19 11:40 - 00000000 ____D C:\Windows\inf
2016-08-11 09:59 - 2015-02-12 10:05 - 00001138 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-11 09:57 - 2010-03-31 12:39 - 00000000 ____D C:\Windows\system32\dhcp
2016-08-11 09:57 - 2008-01-19 13:35 - 00004176 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-11 09:57 - 2008-01-19 13:35 - 00004176 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-11 08:10 - 2015-01-19 15:56 - 00232028 _____ C:\Users\Administrator\AppData\Local\Temp\ArmUI.ini
2016-08-11 07:58 - 2015-02-12 10:05 - 00001134 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-11 07:58 - 2010-05-03 10:08 - 00000000 ____D C:\Windows\system32\lserver
2016-08-11 07:57 - 2008-01-19 13:47 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-10 19:59 - 2008-01-19 13:47 - 00032530 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-08-10 19:53 - 2010-03-31 11:44 - 00031832 _____ C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp
2016-08-10 19:53 - 2010-03-31 11:44 - 00000000 ____D C:\Users\Administrator
2016-08-10 17:57 - 2016-04-13 09:20 - 00000000 ____D C:\Program Files\TeamViewer
2016-08-10 11:19 - 2008-01-19 11:40 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-08-10 09:51 - 2016-02-02 18:56 - 00000000 ____D C:\ShopViewDI
2016-08-10 09:51 - 2013-02-08 13:06 - 00000000 ____D C:\scanner
2016-08-10 09:51 - 2011-02-22 10:17 - 00000000 ____D C:\ShopViewSQL
2016-08-10 09:51 - 2010-03-29 14:20 - 00000000 ____D C:\Pubblica
2016-08-10 08:17 - 2016-04-01 16:56 - 00044120 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klim6.sys
2016-08-10 08:12 - 2012-12-11 19:09 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FileZilla
2016-08-10 08:12 - 2010-03-31 12:35 - 00000000 ____D C:\Windows\Panther
2016-08-10 08:03 - 2016-04-01 16:56 - 00053168 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys
2016-08-09 17:46 - 2010-03-26 16:16 - 00000000 ____D C:\ShopView
2016-08-09 06:35 - 2016-04-13 09:41 - 00000000 ____D C:\Users\ufficio\AppData\Local\Temp\TeamViewer
2016-08-05 12:00 - 2016-04-13 09:21 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\TeamViewer
2016-08-01 09:13 - 2016-04-13 18:46 - 00000000 ____D C:\Users\Asus\AppData\Local\Temp\TeamViewer
2016-08-01 09:12 - 2016-04-13 09:58 - 00000000 ____D C:\Users\enel\AppData\Local\Temp\TeamViewer
2016-07-25 06:51 - 2016-04-13 09:20 - 00000751 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11.lnk
2016-07-25 06:51 - 2016-04-13 09:20 - 00000739 _____ C:\Users\Public\Desktop\TeamViewer 11.lnk
2016-07-17 00:21 - 2016-04-13 09:40 - 00000000 ____D C:\Users\cassa\AppData\Local\Temp\TeamViewer
 
==================== Files in the root of some directories =======
 
2010-03-31 11:44 - 2016-08-11 10:08 - 0000680 _____ () C:\Users\Administrator\AppData\Local\d3d9caps.dat
2010-05-25 12:52 - 2010-05-25 12:52 - 0000101 _____ () C:\Users\Administrator\AppData\Local\fusioncache.dat
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== BCD ================================
 
Windows Boot Manager
--------------------
identificatore          {bootmgr}
device                  partition=D:
description             Windows Boot Manager
locale                  it-IT
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No
 
Caricatore di avvio di Windows
-------------------
identificatore          {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Server 2008
locale                  it-IT
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {0beb7b1c-3cb1-11df-93dc-8f77272c4bf0}
nx                      OptOut
 
Ripresa da modalità di ibernazione
---------------------
identificatore          {0beb7b1c-3cb1-11df-93dc-8f77272c4bf0}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  it-IT
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No
 
Tester memoria di Windows
---------------------
identificatore          {memdiag}
device                  partition=D:
path                    \boot\memtest.exe
description             Diagnostica memoria Windows
locale                  it-IT
inherit                 {globalsettings}
badmemoryaccess         Yes
 
Caricatore sistema operativo legacy di Windows
------------------------
identificatore          {ntldr}
device                  partition=D:
path                    \ntldr
description             Versione precedente di Windows
 
Impostazioni Servizi di gestione emergenze
------------
identificatore          {emssettings}
bootems                 Yes
 
Impostazioni debugger
-----------------
identificatore          {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
Problemi RAM
-----------
identificatore          {badmemory}
 
Impostazioni globali
---------------
identificatore          {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Impostazioni caricatore di avvio
-------------------
identificatore          {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Impostazioni hypervisor
-------------------
identificatore          {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Impostazioni Resume Loader
----------------------
identificatore          {resumeloadersettings}
inherit                 {globalsettings}
 
 
 
LastRegBack: 2016-08-11 08:03
 
==================== End of FRST.txt ============================


#2 Gatsu81

Gatsu81
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 11 August 2016 - 02:02 PM

I'm sorry, I just noticed that the Addition.txt I mentioned before never got attached (I suppose it was because of the timeout I received).

I just added it now.

Thanks again and sorry for the issue.

Attached Files



#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:40 PM

Posted 16 August 2016 - 04:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/623037 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Gatsu81

Gatsu81
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 16 August 2016 - 09:56 AM

Hi, I'm still wondering what the "Attention" warnings are.

A pc in the network got hit by a Cryptolocker and scans were performed.

Kaspersky and Malwarebytes found nothing more, but FRST produced these 3 warnings in the addition files.

I think I figured out the one regarding autopico (there's a task scheduled to start if I'm not mistaken, but there's no file there; probably an antivirus sweep removed it, since the path is not the usual one), but the one about the registry key leaves me puzzled.

Thanks

Attached Files



#5 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:06:40 PM

Posted 16 August 2016 - 05:20 PM

Ciao Gatsu81,

 

I have checked the logs you provided. The only suspect things are these:

 

HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\MountPoints2: {43a31b29-5112-11df-9d6c-0026b98520d9} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\_.vbs

 

A .vbs script running from, perhaps, a flash drive. Always suspect. And maybe this:

 

HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION

 

I admit with all the security software the logs show, and your own comments, it seems unlikely anything got past.

 

 

Disable all of your security software. If you need help doing this, ask, and I will find links to assist you.

 

 

Click here and download the installer for Gmer to your desktop, then right-click that file, Run as administrator, to run Gmer.


Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).  

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste. Copy the information and post it here please.
 


Edited by Jintan, 16 August 2016 - 05:20 PM.

Ad eundum quo no duck ante iit
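One way to triage MountPoints2 entries like the one Jintan quotes, as an added example in Python that is not part of this thread or of FRST: it parses FRST's MountPoints2 lines and flags Autorun handlers that launch a script through the RunDLL32 ShellExec_RunDLL wrapper. Of the sample lines, only the first is quoted from the log above; the other two are constructed.

```python
"""Triage FRST MountPoints2 entries: flag Autorun handlers that launch scripts.

Added example, not part of this thread or of FRST itself.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# An FRST MountPoints2 line: hive path, the volume GUID, then the recorded Autorun command.
MOUNTPOINT_RE = re.compile(
    r"^(?P<hive>HK\w+\\\S*?MountPoints2): (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$"
)
# Autorun does not execute a script directly; the RunDLL32 + ShellExec_RunDLL wrapper is
# how a script ends up as the handler. FRST records that whole wrapped command.
SHELLEXEC_RE = re.compile(
    r"rundll32(?:\.exe)?\s+shell32\.dll,\s*ShellExec_RunDLL\s+(?P<target>.+)$", re.I
)
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\s]*)"?')
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1", ".hta", ".scr"}


@dataclass
class Entry:
    guid: str
    drive: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_entry(line: str):
    """Parse one FRST log line; return an Entry for MountPoints2 lines, else None."""
    m = MOUNTPOINT_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    reasons = []
    wrapped = SHELLEXEC_RE.search(cmd)
    if wrapped:
        reasons.append("launched through RunDLL32 ShellExec_RunDLL")
        cmd = wrapped.group("target").strip()  # inspect the real target, not rundll32
    p = PATH_RE.search(cmd)
    if not p:
        return None
    path = PureWindowsPath(p.group("path"))
    if path.suffix.lower() in SCRIPT_EXTS:
        reasons.append(f"script file type {path.suffix.lower()}")
    if not any(ch.isalnum() for ch in path.stem):
        reasons.append(f"non-descriptive file name {path.name!r}")
    return Entry(m.group("guid"), path.drive[0].upper(), str(path), reasons)


def triage(lines):
    """Return the suspicious MountPoints2 entries found in an FRST log."""
    entries = (parse_entry(line) for line in lines)
    return [e for e in entries if e is not None and e.suspicious]


# Constructed sample: the first line is the one quoted from the log above; the other
# two are made up (a benign installer autorun and a line the parser should ignore).
SAMPLE_LINES = [
    r"HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\MountPoints2: {43a31b29-5112-11df-9d6c-0026b98520d9} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\_.vbs",
    r"HKU\S-1-5-21-3617111606-1223707523-4130045347-500\...\MountPoints2: {11111111-2222-3333-4444-555555555555} - E:\setup.exe",
    r"HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.guid} drive {e.drive}: {e.target} -> {'; '.join(e.reasons)}")
```

A hit only says the volume once carried such a handler; the drive letter tells you which removable device to go and inspect, as the *.vbs search later in the thread does for the local disk.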

#6 Gatsu81

Gatsu81
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 17 August 2016 - 01:47 AM

Hi, thanks a lot for the help! I've got just a quick question: when Gmer is running, can the antivirus stay active in the background, or should I stop it altogether? (In that case I think it would be better to disconnect it from the internet, right?)



#7 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:06:40 PM

Posted 17 August 2016 - 08:03 AM

I'd prefer you stay online when running Gmer. Here's a link for disabling Kaspersky, if it helps.

 

http://support.kaspersky.com/us/11243


Ad eundum quo no duck ante iit

#8 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:06:40 PM

Posted 17 August 2016 - 08:39 AM

Also open FRST again. In the "Search" box type *.vbs

Then click Search Files. Once it is done, click OK, and a log will open. Post it in your reply as an attachment please.


Ad eundum quo no duck ante iit

#9 Gatsu81

Gatsu81
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 17 August 2016 - 11:46 AM

Hi, this is the search result.

Gmer took longer than expected with the scan (longer than 3 hours) and the PC was needed.

I think I'll let it run tonight with Kaspersky disabled.

Is such an amount of time normal?

Attached Files



#10 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:06:40 PM

Posted 17 August 2016 - 03:46 PM

Nothing in the vbs file search, but I kinda didn't expect much; had to check though. Gmer usually runs within a half hour or less, but on systems that are busy with security software (or malware) it can take a while. I don't see this system as infected, but I assume you agree with me that checking is a good idea.


Ad eundum quo no duck ante iit

#11 Gatsu81

Gatsu81
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 18 August 2016 - 02:43 AM

Of course that's a good idea, thanks.

A strange happening: Gmer was launched yesterday at about 7:15 PM, with Kaspersky disabled.

This morning around 9 AM the PC was found with a black screen with only the mouse pointer visible.

The mouse pointer was movable, but nothing else appeared (Ctrl+Alt+Canc gave no result).

The computer was shut off through the power button and then restarted (it all went well, but obviously the scan couldn't be performed).

They told me that for a couple of days Kaspersky had not been updating the database correctly: the database was obsolete when the infection happened, and was updated correctly immediately after.

 

 

Update: after the restart Kaspersky updated correctly once; subsequent update attempts brought up the update window stuck at 0% progress. I don't think this is related: since the update was disabled before, probably the same issue was happening without the users noticing.

For this one I'm having them post on the Kaspersky forum, since I don't think it's some malware's doing.


Edited by Gatsu81, 18 August 2016 - 03:55 AM.


#12 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:06:40 PM

Posted 18 August 2016 - 04:40 PM

Not really sure the system has any infection. But please reboot into Safe Mode (at startup tap the F8 key and select Safe Mode), and run Gmer then. Use Safe Mode with Networking if you want to upload the Gmer log without rebooting.


Ad eundum quo no duck ante iit

#13 Gatsu81

Gatsu81
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 20 August 2016 - 05:24 AM

Hi, here's the Gmer log in safe mode.

It's really big!

 

Attached Files



#14 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:06:40 PM

Posted 20 August 2016 - 03:47 PM

Curious, and yes, a large log, but I suspect most of what it shows is OK. Do you use Chrome on this system as your primary browser?

 

Disable Chrome from running apps, even when it is closed.

 

Open up Google Chrome and click the menu icon (three bars) in the upper right corner of the window.

Go to the bottom of the screen and click Show advanced settings...

Under System, uncheck the box next to "Continue running background apps when Google Chrome is closed".

 

Then reboot.

 

-----------

 

Download RogueKiller from here to your desktop.

    Close all open programs
    Remember to right click -> run as administrator, and click the downloaded file.

Agree to the language prompt, and place a check next to:

Install 32 and 64 bits versions (Recommended for Technicians).

Then click Next until you get to the Finish button, and click it. RogueKiller will then open.

Click the Start Scan button, then again the Start Scan button.

When the scan finishes click the Open Report button. Then click the Open TXT button. Save that report to your desktop, and post it back here please. For now just close RogueKiller.


Ad eundum quo no duck ante iit

#15 Gatsu81

Gatsu81
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 22 August 2016 - 01:59 AM

Thanks, this weekend I was unable to reach the server.

This morning they should be able to send me back the scan log.

Thanks for your patience.





