Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fake Windows Product Key for Windows 10


  • This topic is locked This topic is locked
62 replies to this topic

#16 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 22 August 2016 - 03:22 PM

 Okay I have literally tried everything to send this stupid pic on this website, how about you give your email and I send the picture there, to make life just a little bit more easy. And yes when I click on the CMD it does look like that



BC AdBot (Login to Remove)

 


#17 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:07 AM

Posted 22 August 2016 - 03:27 PM

Hi Fangirl515,

 

You can send the picture to sw@emsisoft.com.

 

Please type explorer into the CMD window and hit enter, does anything happen? Can you see your desktop?

 

xXToffeeXx~ 


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#18 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 22 August 2016 - 03:32 PM

I typed in explorer and sadly no, I don't see my desktop. What instead showed up was my files, ill send u a pic of what I mean



#19 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:07 AM

Posted 22 August 2016 - 03:37 PM

Hi Fangirl515,
 
I got the pictures and this hopefully will be quite good for us.

If you download the two FRST files onto the USB from the clean computer and plug the USB into the infected computer you should see a new drive appear which the USB (either the E: drive or F:). Then you can continue with the instructions from here with FRST.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#20 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 22 August 2016 - 03:38 PM

okay thank you, ill update you if I have any trouble, thank you!



#21 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 22 August 2016 - 03:58 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by rcharron (administrator) on AWESOMEPC (22-08-2016 16:46:21)
Running from C:\Users\rcharron\Downloads
Loaded Profiles: rcharron (Available Profiles: rcharron)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWXConfigManager.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWXConfigManager.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\Youcam_webcam_camera_video.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7575768 2015-01-01] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe [2249104 2013-09-03] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [151608 2013-08-23] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [151608 2013-08-23] (Hewlett-Packard)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1396592 2015-02-13] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2818800 2015-02-13] (Synaptics Incorporated)
HKLM\...\Run: [MRT] => C:\Windows\system32\MRT.exe [140158008 2015-12-08] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-08-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [77088 2013-07-24] (Hewlett-Packard Company)
HKLM-x32\...\Run: [YouCam Service] => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [267224 2013-08-01] (CyberLink Corp.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537512 2013-09-24] (McAfee, Inc.)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [1045304 2013-07-23] (Hewlett-Packard Development Company, L.P.)
HKU\S-1-5-21-3796764675-2880239708-3889169081-1002\...\Run: [Google Update] => C:\Users\rcharron\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-09-13] (Google Inc.)
HKU\S-1-5-21-3796764675-2880239708-3889169081-1002\...\Run: [MusicManager] => C:\Users\rcharron\AppData\Local\Programs\Google\MusicManager\MusicManager.exe [7643136 2015-11-17] (Google Inc.)
HKU\S-1-5-21-3796764675-2880239708-3889169081-1002\...\Run: [GoogleChromeAutoLaunch_1705EDCB9BC9E73E2FFBC0486A8E3EBC] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [961352 2016-08-02] (Google Inc.)
HKU\S-1-5-21-3796764675-2880239708-3889169081-1002\...\Run: [GUDelayStartup] => C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe [37152 2015-06-08] (Glarysoft Ltd)
HKU\S-1-5-21-3796764675-2880239708-3889169081-1002\...\MountPoints2: {bbfa1a87-2fc8-11e3-8259-806e6f6e6963} - "E:\Autorun.exe"
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
BootExecute: autocheck autochk * 
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5B19AE35-3376-4000-9827-416EFD483E90}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{EAB27E18-D3B4-4A7F-B33A-74B19F243721}: [DhcpNameServer] 40.20.1.201 40.20.1.202

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617912&ResetID=130900282524994516&GUID=2BAA0347-CE88-44F8-A6FE-F63D4474F971
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617912&ResetID=130900282525003787&GUID=2BAA0347-CE88-44F8-A6FE-F63D4474F971
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKU\S-1-5-21-3796764675-2880239708-3889169081-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT14/1
HKU\S-1-5-21-3796764675-2880239708-3889169081-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
SearchScopes: HKLM -> {C9D17547-909C-4CD7-AE8F-030CA443A194} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {C9D17547-909C-4CD7-AE8F-030CA443A194} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
SearchScopes: HKU\S-1-5-21-3796764675-2880239708-3889169081-1002 -> {C9D17547-909C-4CD7-AE8F-030CA443A194} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-3796764675-2880239708-3889169081-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: CoolSaoLLeCoUppon -> {645D2D13-FF6B-474D-8807-DE56EFC7A877} -> C:\Program Files (x86)\CoolSaoLLeCoUppon\XJaPN1tZZp9rEe.x64.dll => No File
BHO: CiooollSaleCoupon -> {C5A584EC-6BE3-43E8-95AF-CFCB146FC13A} -> C:\Program Files (x86)\CiooollSaleCoupon\cSEXy55p9yUWjp.x64.dll => No File
BHO-x32: CoolSaoLLeCoUppon -> {645D2D13-FF6B-474D-8807-DE56EFC7A877} -> C:\Program Files (x86)\CoolSaoLLeCoUppon\XJaPN1tZZp9rEe.dll => No File
BHO-x32: CiooollSaleCoupon -> {C5A584EC-6BE3-43E8-95AF-CFCB146FC13A} -> C:\Program Files (x86)\CiooollSaleCoupon\cSEXy55p9yUWjp.dll => No File
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2013-09-24] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2013-09-24] (McAfee, Inc.)

FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2013-09-24] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-05] ( Microsoft Corporation)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.3 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1203133.dll [2013-06-26] (Adobe Systems, Inc.)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2013-09-24] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-05] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-06] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-09] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-09] (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.3 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2015-10-12] ()
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin HKU\S-1-5-21-3796764675-2880239708-3889169081-1002: @tools.google.com/Google Update;version=3 -> C:\Users\rcharron\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-09] (Google Inc.)
FF Plugin HKU\S-1-5-21-3796764675-2880239708-3889169081-1002: @tools.google.com/Google Update;version=9 -> C:\Users\rcharron\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-09] (Google Inc.)
FF Plugin HKU\S-1-5-21-3796764675-2880239708-3889169081-1002: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2014-01-20] [not signed]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-06] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Google Drive) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-13] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Search Manager) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bahkljhhdeciiaodlkppoonappfnheoi [2016-08-09]
CHR Extension: (YouTube) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-08]
CHR Extension: (cpofbbgoaeoiiagmlfkkipjmggkedgic) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpofbbgoaeoiiagmlfkkipjmggkedgic [2014-12-29] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Google Play Movies & TV) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdijeikdkaembjbdobgfkoidjkpbmlkd [2016-05-02]
CHR Extension: (Google Docs Offline) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-02]
CHR Extension: (giccehglhacakcfemddmfhdkahamfcmd) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\giccehglhacakcfemddmfhdkahamfcmd [2015-04-04] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (ESPNCricinfo) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijhlikjoigjegofbedmfmlcfkmhabldh [2015-06-20] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Reverse Page) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfffdlokdkphelkiocidfchphplndlop [2015-06-20] [UpdateUrl: hxxp://wwwreversepageco-a.akamaihd.net/update/chrome] <==== ATTENTION
CHR Extension: (Google Wallet) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-26] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Gmail) - C:\Users\rcharron\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-08-19] (Advanced Micro Devices, Inc.) [File not signed]
R2 Cachedrv server; C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe [109568 2013-08-23] () [File not signed]
R2 CyberLink PowerDVD 12 Media Server Monitor Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [77576 2013-08-11] (CyberLink)
R2 CyberLink PowerDVD 12 Media Server Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [298760 2013-08-11] (CyberLink)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [349728 2015-10-12] (WildTangent)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-08-29] (Hewlett-Packard Company) [File not signed]
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [1039160 2013-07-23] (Hewlett-Packard Development Company, L.P.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178048 2013-11-28] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exe [334608 2013-07-24] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1017016 2013-08-05] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-12-05] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [184800 2013-12-05] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [87552 2013-08-23] (Softex Inc.) [File not signed]
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1997168 2015-06-20] (Electronic Arts)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2015-02-13] (Realtek Semiconductor)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [191728 2015-02-13] (Synaptics Incorporated)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [524800 2014-10-28] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [671000 2014-11-04] (Wacom Technology, Corp.)
S2 9b784ed1; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro 3.16\OptProMon.dll",ENT <==== ATTENTION

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2015-01-01] (Advanced Micro Devices)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-12-05] (McAfee, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [20160 2015-06-20] (Glarysoft Ltd)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179792 2013-12-05] (McAfee, Inc.)
R2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311120 2013-12-05] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69344 2013-12-05] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519576 2013-12-05] (McAfee, Inc.)
R2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782616 2013-12-05] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [377040 2013-07-09] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [95984 2013-07-09] (McAfee, Inc.)
R2 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343696 2013-12-05] (McAfee, Inc.)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [294104 2015-02-13] (Realtek Semiconductor Corp.)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3759320 2015-02-13] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2013-07-26] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [34544 2013-07-26] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-22 16:46 - 2016-08-22 16:47 - 00023673 _____ C:\Users\rcharron\Downloads\FRST.txt
2016-08-22 16:44 - 2016-08-22 16:46 - 00000000 ____D C:\FRST
2016-08-22 16:42 - 2016-08-22 16:43 - 02396672 _____ (Farbar) C:\Users\rcharron\Downloads\FRST64.exe
2016-08-22 16:41 - 2016-08-22 16:44 - 01746432 _____ (Farbar) C:\Users\rcharron\Downloads\FRST.exe
2016-08-22 14:35 - 2016-08-22 14:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-08-22 14:00 - 2016-08-22 14:00 - 00000000 ____H C:\Users\rcharron\AppData\Local\BIT6A97.tmp
2016-08-22 14:00 - 2016-08-22 14:00 - 00000000 _____ C:\Users\rcharron\AppData\Local\{989F3BA4-F7AC-463A-B55B-CBE920748A41}

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-22 16:45 - 2013-08-26 02:09 - 00956476 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-22 16:45 - 2013-08-22 09:36 - 00000000 ____D C:\Windows\Inf
2016-08-22 16:15 - 2013-12-25 18:33 - 00000000 ____D C:\Users\rcharron\Documents\Youcam
2016-08-22 16:12 - 2013-12-25 18:59 - 00000926 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-22 15:26 - 2013-12-25 18:35 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3796764675-2880239708-3889169081-1002
2016-08-22 15:18 - 2014-01-29 20:22 - 00000940 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3796764675-2880239708-3889169081-1002UA.job
2016-08-22 14:35 - 2014-01-20 11:58 - 00001867 _____ C:\Users\Public\Desktop\McAfee LiveSafe - Internet Security.lnk
2016-08-22 14:14 - 2014-01-04 12:15 - 00002065 _____ C:\Users\Public\Desktop\Google Slides.lnk
2016-08-22 14:14 - 2014-01-04 12:15 - 00002063 _____ C:\Users\Public\Desktop\Google Sheets.lnk
2016-08-22 14:14 - 2014-01-04 12:15 - 00002053 _____ C:\Users\Public\Desktop\Google Docs.lnk
2016-08-22 14:14 - 2014-01-04 12:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2016-08-22 14:04 - 2013-12-25 18:30 - 00003942 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{36834723-8DF9-44E5-84AE-380EFEC27FE2}
2016-08-22 14:02 - 2015-06-20 18:34 - 00000000 ____D C:\Program Files (x86)\Glary Utilities 5
2016-08-22 14:00 - 2015-05-27 16:13 - 00000024 _____ C:\Users\rcharron\AppData\Roaming\appdataFr25.bin
2016-08-22 14:00 - 2014-01-04 12:41 - 00000000 __RDO C:\Users\rcharron\SkyDrive
2016-08-22 14:00 - 2013-12-25 18:59 - 00000922 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-22 13:59 - 2013-12-25 18:29 - 00000000 ____D C:\Users\rcharron
2016-08-22 13:59 - 2013-08-22 09:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2016-08-22 13:58 - 2013-08-22 10:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-09 17:18 - 2015-06-20 17:51 - 00002222 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-09 17:18 - 2015-06-20 17:51 - 00002210 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-08-09 17:18 - 2014-01-29 20:22 - 00000888 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3796764675-2880239708-3889169081-1002Core.job
2016-08-09 17:13 - 2014-01-29 20:22 - 00003892 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3796764675-2880239708-3889169081-1002UA
2016-08-09 17:13 - 2014-01-29 20:22 - 00003512 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3796764675-2880239708-3889169081-1002Core
2016-08-09 17:07 - 2013-12-25 18:59 - 00003898 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-08-09 17:07 - 2013-12-25 18:59 - 00003662 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

==================== Files in the root of some directories =======

2015-05-27 16:13 - 2016-08-22 14:00 - 0000024 _____ () C:\Users\rcharron\AppData\Roaming\appdataFr25.bin
2015-02-13 18:35 - 2015-06-20 17:35 - 0000020 _____ () C:\Users\rcharron\AppData\Roaming\appdataFr3.bin
2015-03-31 04:14 - 2015-03-31 04:14 - 0005655 _____ () C:\Users\rcharron\AppData\Roaming\fqAunz3r9poFCCXsTNPDyue
2014-12-25 17:50 - 2014-12-25 17:50 - 1952744 _____ () C:\Users\rcharron\AppData\Roaming\GVWEGM.exe
2016-08-22 14:00 - 2016-08-22 14:00 - 0000000 ____H () C:\Users\rcharron\AppData\Local\BIT6A97.tmp
2015-06-20 17:46 - 2015-06-20 17:46 - 0000386 _____ () C:\Users\rcharron\AppData\Local\Temp-log.txt
2015-06-20 17:46 - 2015-06-20 17:46 - 0000000 _____ () C:\Users\rcharron\AppData\Local\Temp.dat
2016-08-22 14:00 - 2016-08-22 14:00 - 0000000 _____ () C:\Users\rcharron\AppData\Local\{989F3BA4-F7AC-463A-B55B-CBE920748A41}

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-05-02 20:55

==================== End of FRST.txt ============================

Here's the first log.



#22 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 22 August 2016 - 03:59 PM

Quick question, will all that automatically go into my USB, cause I put my USB in right when I started downloading all this



#23 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:07 AM

Posted 22 August 2016 - 04:04 PM

Hi Fangirl515,

 

No, you have to copy it to the USB. You can see here on how to transfer the file to the USB (it is located in your downloads folder). Then you will need to insert it into the infected system, and it should appear in the window with the files there.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#24 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 22 August 2016 - 04:06 PM

okie dokie, thank you



#25 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 22 August 2016 - 04:20 PM

okay im gonna put the USB in the infected computer now, lets hope this works



#26 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 22 August 2016 - 04:24 PM

okay the USB is in and found it with the two files in my PC Folder, do I just run both now?



#27 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:07 AM

Posted 22 August 2016 - 04:42 PM

Hi,

Yes, only one will run properly and then do as you did before. The file will be created on the USB so you will need to plug the USB into the clean computer. Then you can open it and open the contents here and post it.

I'm going to head off for the night, but I will check in tomorrow morning again.

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#28 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:07 AM

Posted 23 August 2016 - 07:15 AM

Hi Fangirl515,

 

Just to let you know, I am back online now :)

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#29 Fangirl515

Fangirl515
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 23 August 2016 - 12:03 PM

Okay awesome! So anyhow, im gonna post the additional log thing here. Also, since the FRST is on my USB which is in my infected computer right now, can I run the program now to clean my computer?



#30 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:07 AM

Posted 23 August 2016 - 12:12 PM

Did you run FRST on the infected computer? It will give me two logs so I can make a specific fix to clean your computer, which you will need to post here :)

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users