
Outlook & Adobe only run with Emet 5.5 EAF disabled (Filecoder.cerber Trojan)


  • This topic is locked
10 replies to this topic

#1 With Wings4

With Wings4

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 PM

Posted 30 November 2016 - 07:53 PM

Client is Win 8 Pro, x86. Eset 8, and Emet 5.5 installed (max security settings).

 

Eset found 3 instances of Win32/Filecoder.Cerber Trojan:

 

C:\Users\<UserName>\# Decrypt My Files #.vbs, then about 8 minutes later Eset caught the same file, in the same location, and a text file of the same name:

 

# Decrypt My Files #.vbs

# Decrypt My Files #.txt

 

I thought it was the standard cryptolocker variant possibly through an infected site that was caught (since it was the user's profile directory, and nowhere else). No files were encrypted.

 

A full (In Depth) Eset scan, Combofix, TDSS, autoruns came up dry initially.

 

After a couple of weeks IE wouldn't run at all. This was fixed by resetting IE via:

 

Tools > Advanced > Reset

Settings > Manage Addons, disabling shockwave, and the accelerators.

 

It's a bit slow for this machine (multiple seconds to open, but not 'noticeable').

 

About a week later, Outlook, and Adobe would take multiple minutes to open (Few month old install, 2 Gigs RAM, SSD OS drive), everything else is very snappy (sub 1 second open time).

 

Occasionally an odd 0x80000004 error was thrown for either Outlook, or Adobe (Acrord32.exe) with the faulting module listed as ntdll.dll. A forum post I found indicated disabling EAF protections via EMET to keep (in that case iexplore.exe) from crashing. So I'm thinking a kernel mode rootkit?

 

Also "During launch an existing non-responsive instance of Outlook was closed" (Event ID 58) was thrown every time.

 

I've never had EMET's max settings (EAF specifically) cause issues, especially with Outlook / Adobe.

 

The Combofix main log, and add-remove log came up dry (I can vouch for every line). Gmer log is a bit foreign to me, with a fair number of Eset false positives.

 

I zipped up the Combofix Quarantine folder, and pushed it to VirusTotal:

 

https://www.virustotal.com/en/file/43c890230d9d36df2fc012ad867e720c56a5e0ecfede363cb1c9932237448fd6/analysis/1480550908/

 

The quarantine log from ComboFix concerns me though:

 

2016-11-30 23:52:53 . 2016-11-30 23:52:53              161 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-BingSvc.reg.dat
2016-11-30 23:52:52 . 2016-11-30 23:52:52              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{37153479-1976-43C3-A1EE-557513977B64}.reg.dat
2016-11-30 23:50:09 . 2016-11-30 23:50:09           10,231 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2016-11-30 23:44:45 . 2016-11-30 23:44:45              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2016-11-30 23:41:12 . 2016-11-30 23:44:47               62 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2016-10-18 19:03:36 . 2016-04-06 19:40:51        6,582,272 ----a-w-  C:\Qoobox\Quarantine\C\Users\<UserName>\{dad5ce3d-fc53-4b83-ba54-aad0cee5da93}.tmp.vir
2014-07-11 17:57:17 . 2012-07-26 07:14:50           79,304 ----a-w-  C:\Qoobox\Quarantine\C\setup.exe.vir
2014-07-11 17:57:17 . 2012-07-26 07:14:50               43 ----a-w-  C:\Qoobox\Quarantine\C\autorun.inf.vir
 
Combofix crashed while running about 30 times, 8 of which were on the 47th part:
"command line standard stream splitter has stopped working"
 
Mtee.3xe 0xc0000005 (memory read: access denied), so I'm supposing it ran afoul of EMET? Eset / Defender were disabled before Combofix ran.
 
catchme.log:
 
 
-------- 2016-11-30 - 18:41:12  -------------
 
error: 31
 
 

 

 


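An added example, not from the thread or any of its posters, of the check worth running before concluding "rootkit" from the symptoms in the post above: correlate Application-log crash records (Event ID 1000, faulting module ntdll.dll) with EMET's own mitigation events for the same process. The exception code 0x80000004 is STATUS_SINGLE_STEP, the status raised when a hardware breakpoint or the trap flag fires; EAF works by placing debug-register breakpoints on export tables, so an application that trips them and is then terminated by EMET crashes with exactly this signature. The log lines below are constructed; the pipe-delimited layout and the EMET message wording are assumptions of this example, not a documented export format.

```python
"""Correlate application crashes with EMET mitigation events.

Added example, not code from the thread. Input records are constructed to
resemble Windows Application log entries exported as text; the
"timestamp|source|event_id|message" layout is an assumption of this example.
"""
import re
from datetime import datetime, timedelta

# Constructed sample records (assumed layout, see module docstring).
SAMPLE_LOG = """\
2016-11-30 14:02:11|EMET|2|EMET detected EAF mitigation and will close the application: OUTLOOK.EXE
2016-11-30 14:02:12|Application Error|1000|Faulting application name: OUTLOOK.EXE, version: 12.0.6612.1000, faulting module name: ntdll.dll, exception code: 0x80000004
2016-11-30 15:31:03|EMET|2|EMET detected EAF mitigation and will close the application: AcroRd32.exe
2016-11-30 15:31:05|Application Error|1000|Faulting application name: AcroRd32.exe, version: 15.20.20042.0, faulting module name: ntdll.dll, exception code: 0x80000004
2016-12-01 09:15:00|Application Error|1000|Faulting application name: notepad.exe, version: 6.2.9200.16384, faulting module name: ntdll.dll, exception code: 0xc0000005
"""

# Windows NTSTATUS raised by a hardware breakpoint / single-step trap.
STATUS_SINGLE_STEP = 0x80000004

# Fields of an "Application Error" 1000 record as written by Windows Error Reporting.
CRASH_RE = re.compile(
    r"Faulting application name: (?P<proc>[^,]+),.*?"
    r"faulting module name: (?P<module>[^,]+),.*?"
    r"exception code: (?P<code>0x[0-9a-fA-F]+)")

# EMET warning text; wording is an assumption of this example.
EMET_RE = re.compile(r"EMET detected (?P<mitigation>\w+) mitigation.*?: (?P<proc>\S+)$")


def parse_record(line):
    """Split one pipe-delimited record into its fields."""
    ts, source, event_id, message = line.split("|", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": source, "id": int(event_id), "message": message}


def classify_crashes(log_text, window_seconds=5):
    """Return one verdict per application crash found in log_text.

    A crash is attributed to EMET when an EMET mitigation event names the same
    process within window_seconds; otherwise the exception code decides.
    """
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    window = timedelta(seconds=window_seconds)

    emet_hits = []
    for r in records:
        if r["source"] == "EMET":
            m = EMET_RE.search(r["message"])
            if m:
                emet_hits.append((r["time"], m.group("proc").lower(), m.group("mitigation")))

    results = []
    for r in records:
        if r["source"] != "Application Error" or r["id"] != 1000:
            continue
        m = CRASH_RE.search(r["message"])
        if not m:
            continue
        proc = m.group("proc").strip().lower()
        code = int(m.group("code"), 16)
        mitigation = next((mit for t, p, mit in emet_hits
                           if p == proc and abs(t - r["time"]) <= window), None)
        if mitigation:
            verdict = f"EMET {mitigation} mitigation closed the process"
        elif code == STATUS_SINGLE_STEP:
            verdict = "hardware-breakpoint/trap exception; check EMET EAF or other debug-register users"
        else:
            verdict = "no EMET event in window; investigate separately"
        results.append({"process": proc, "module": m.group("module").strip(),
                        "code": code, "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in classify_crashes(SAMPLE_LOG):
        print(f"{row['process']:<14} {row['module']:<10} {row['code']:#010x}  {row['verdict']}")
```

The ordering matters: the classifier only blames EMET when an EMET event for the same image name falls inside the time window, so a crash that merely has the 0x80000004 code is flagged for follow-up rather than explained away. On a real machine the records come from the Application log (sources "Application Error" and "EMET"); converting them into the assumed layout is left to the caller.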


#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:12:02 PM

Posted 04 December 2016 - 06:57 PM

My name is TsVk!, but you can call me John. I'll be helping you with your issue. :)

 

Just a few ground rules before we get started.

  • Please don't run any malware removal programs unless directed.
  • Please don't make any system changes unless directed.
  • Please backup all essential data now. We are removing software designed to damage/compromise your system, it's inherently risky business.
  • Please copy and paste all logs in plain text straight into your reply, do not quote or attach logs.

These things are to make it easier for me to help you.

 

Download Farbar Recovery Scan Tool.

  • Choose 32bit or 64bit depending on your Windows version. If you are unsure click here.
  • Save the application to your desktop and run it.
  • Click Yes to allow the application
  • Click Scan, wait for the log to appear
  • Copy and paste the results into your next reply.

 

Please be aware that I am still in training and everything that I say needs to be covered in detail with my instructor. This is a bonus for you because you have two sets of eyes on your thread, but you need to be aware this can take some time so my responses may take a day or so.

 

John

 



#3 With Wings4

With Wings4
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 PM

Posted 04 December 2016 - 08:59 PM

Thanks for the help. This log looks clean:
 
FRST.txt:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-12-2016
Ran by <UserName> (administrator) on <UserPC> (04-12-2016 20:32:59)
Running from C:\Users\<UserName>\Downloads
Loaded Profiles: <UserName> (Available Profiles: <UserName> & <DomainAdmin>)
Platform: Microsoft Windows 8 Pro (X86) Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(Esker) C:\Program Files\PCN-TERM\common\ESLCBCST.EXE
(Microsoft Corporation) C:\Program Files\EMET 5.5\EMET_Service.exe
(Symantec Corporation) C:\Program Files\Symantec\VIP Access Client\VIPAppService.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Program Files\EMET 5.5\EMET_Agent.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(AgileBits) C:\Program Files\1Password 4\Agile1pAgent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Agile1pAgent] => C:\Program Files\1Password 4\Agile1pAgent.exe [4914832 2016-10-06] (AgileBits)
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [1795872 2014-08-19] (NVIDIA Corporation)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5089480 2015-07-08] (ESET)
HKLM\...\Run: [Fiserv_EnterpriseSCO_TrustedSites] => C:\Windows\Fiserv_EnterpriseSCO_TrustedSites.cmd [4561 2016-11-23] ()
HKLM\...\Providers\Tun Lpr Services: C:\Windows\system32\wlprppNT.dll [64000 1999-09-08] (ESKER)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.3 192.168.1.4 192.168.3.3
Tcpip\..\Interfaces\{35A8C4A3-0CAD-4C2C-A964-9D2D38695620}: [DhcpNameServer] 192.168.1.3 192.168.1.4 192.168.3.3
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\<User GUID>\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\<User GUID>\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\<User GUID> -> DefaultScope {C0448D8A-8F63-41BF-A04E-3602FD949D1B} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\<User GUID> -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\<User GUID> -> {C0448D8A-8F63-41BF-A04E-3602FD949D1B} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: 1Password -> {037C06D5-3893-49E8-9AC0-41F7524AFBF5} -> C:\Program Files\1Password 4\x86\Agile1pIE4.dll [2016-10-06] (AgileBits)
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://compliancecoach.webex.com/client/WBXclient-31.5.20-58/nbr/ieatgpc1.cab
 
FireFox:
========
FF DefaultProfile: 9lr9r9o3.default
FF ProfilePath: C:\Users\<UserName>\AppData\Roaming\Mozilla\Firefox\Profiles\9lr9r9o3.default [2016-11-30]
FF Homepage: Mozilla\Firefox\Profiles\9lr9r9o3.default -> hxxp://www.google.com/
FF HKLM\...\Firefox\Extensions: [VIP5X@verisign.com] - C:\Program Files\Symantec\VIP Access Client
FF Extension: (No Name) - C:\Program Files\Symantec\VIP Access Client [2014-08-20] [not signed]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2016-10-06] (Google)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
FF Plugin HKU\<User GUID>: @citrixonline.com/appdetectorplugin -> C:\Users\<UserName>\AppData\Local\Citrix\Plugins\104\npappdetector.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Users\<UserName>\AppData\Roaming\mozilla\plugins\npzohoassisthelper.dll [2016-08-09] (Zoho Corporation Private Ltd)
 
Chrome: 
=======
CHR Profile: C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default [2016-12-04]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-10-18]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-10-18]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-10-18]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-10-18]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-10-18]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-10-18]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-10-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-18]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\nogdfjjfhknacchjpiccacoimeelkajb [2016-10-20]
CHR Extension: (No Name) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-10-18]
CHR Extension: (Chrome Media Router) - C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-25]
CHR HKLM\...\Chrome\Extension: [nogdfjjfhknacchjpiccacoimeelkajb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\<User GUID>\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [1353720 2015-07-08] (ESET)
R2 EMET_Service; C:\Program Files\EMET 5.5\EMET_Service.exe [33960 2016-01-29] (Microsoft Corporation)
R2 EskerLicenseControl; C:\Program Files\PCN-TERM\common\ESLCBCST.EXE [286810 2000-07-26] (Esker) [File not signed]
S3 lpds; C:\Program Files\PCN-TERM\tcpw\wlpdsnt.exe [39424 1997-12-02] (Esker) [File not signed]
R2 VIPAppService; C:\Program Files\Symantec\VIP Access Client\VIPAppService.exe [75336 2014-07-14] (Symantec Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14480 2015-07-06] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BCMH43XX; C:\Windows\system32\DRIVERS\bcmwlhigh63.sys [2126000 2013-03-01] (Broadcom Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [202704 2015-07-13] (ESET)
R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [199608 2015-07-13] (ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [144536 2015-07-13] (ESET)
R2 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [132152 2015-07-13] (ESET)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [38928 2015-07-06] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [244600 2015-07-06] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-25] (Microsoft Corporation)
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
U3 catchme; \??\C:\Users\<UserName>\AppData\Local\Temp\catchme.sys [X]
S4 TunLprNP; no ImagePath
U3 kxddypog; \??\C:\Users\<UserName>\AppData\Local\Temp\kxddypog.sys [X]
U3 mbr; \??\C:\ComboFix\mbr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-04 20:32 - 2016-12-04 20:33 - 00010660 _____ C:\Users\<UserName>\Downloads\FRST.txt
2016-12-04 20:31 - 2016-12-04 20:32 - 01761792 _____ (Farbar) C:\Users\<UserName>\Downloads\FRST.exe
2016-12-04 20:28 - 2016-12-04 20:28 - 00000000 ____D C:\Users\<DomainAdmin>\AppData\Local\CrashDumps
2016-12-02 07:46 - 2016-12-02 07:46 - 00256166 _____ C:\Users\<UserName>\Downloads\20161201-073148-T.pdf
2016-12-01 15:26 - 2016-12-01 15:26 - 00004435 _____ C:\Users\<UserName>\Downloads\20161130-Executive-073148-T.pdf
2016-12-01 08:12 - 2016-12-01 08:12 - 00083353 _____ C:\Users\<UserName>\Downloads\20161130-CHJournal-073148-T.pdf
2016-12-01 08:08 - 2016-12-01 08:08 - 00498053 _____ C:\Users\<UserName>\Downloads\20161130-073148-T.pdf
2016-11-30 19:12 - 2016-12-04 20:32 - 00000000 ____D C:\FRST
2016-11-30 18:41 - 2016-11-30 18:54 - 00000000 ____D C:\Qoobox
2016-11-30 18:41 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2016-11-30 18:41 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2016-11-30 18:41 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-11-30 18:41 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-11-30 18:41 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-11-30 18:41 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\Windows\SWXCACLS.exe
2016-11-30 18:41 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2016-11-30 18:41 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2016-11-30 18:41 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2016-11-30 18:40 - 2016-11-30 18:52 - 00000000 ____D C:\Windows\erdnt
2016-11-30 17:33 - 2016-11-30 17:34 - 00000000 ____D C:\Users\<UserName>\AppData\Roaming\SumatraPDF
2016-11-30 17:33 - 2016-11-30 17:33 - 04860560 _____ (Krzysztof Kowalczyk) C:\Users\<UserName>\Downloads\SumatraPDF-3.1.2-install.exe
2016-11-30 17:33 - 2016-11-30 17:33 - 00001882 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SumatraPDF.lnk
2016-11-30 17:33 - 2016-11-30 17:33 - 00000000 ____D C:\Program Files\SumatraPDF
2016-11-30 17:06 - 2016-12-01 08:24 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-11-30 17:06 - 2016-11-30 17:06 - 00002020 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2016-11-30 17:06 - 2016-11-30 17:06 - 00000000 ____D C:\Program Files\Adobe
2016-11-30 07:58 - 2016-11-30 07:58 - 00171098 _____ C:\Users\<UserName>\Downloads\20161129-073148-T.pdf
2016-11-29 07:36 - 2016-11-29 07:36 - 00201134 _____ C:\Users\<UserName>\Downloads\20161128-073148-T.pdf
2016-11-28 08:28 - 2016-11-28 08:28 - 02509352 _____ C:\Users\<UserName>\Downloads\161127_rpt
2016-11-28 08:20 - 2016-11-28 08:20 - 00184719 _____ C:\Users\<UserName>\Downloads\20161127-073148-T (2).pdf
2016-11-28 08:19 - 2016-11-28 08:19 - 00184719 _____ C:\Users\<UserName>\Downloads\20161127-073148-T (1).pdf
2016-11-28 08:18 - 2016-11-28 08:18 - 00184719 _____ C:\Users\<UserName>\Downloads\20161127-073148-T.pdf
2016-11-23 18:33 - 2016-11-23 18:33 - 00004561 _____ C:\Windows\Fiserv_EnterpriseSCO_TrustedSites.cmd
2016-11-23 18:33 - 2016-11-23 18:33 - 00001804 _____ C:\Users\Public\Desktop\WebCapture Production SCO2.lnk
2016-11-23 18:21 - 2016-11-23 18:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Enhanced Mitigation Experience Toolkit
2016-11-23 18:21 - 2016-11-23 18:21 - 00000000 ____D C:\Program Files\EMET 5.5
2016-11-23 18:19 - 2016-11-23 18:19 - 00001071 _____ C:\Users\<UserName>\Desktop\Internet Explorer.lnk
2016-11-23 18:18 - 2016-11-23 18:18 - 00007986 _____ C:\Users\<UserName>\Downloads\Front (2).tif
2016-11-23 18:18 - 2016-11-23 18:18 - 00007986 _____ C:\Users\<UserName>\Downloads\Front (1).tif
2016-11-23 18:11 - 2016-11-23 18:11 - 00007986 _____ C:\Users\<UserName>\Downloads\Front.tif
2016-11-23 17:42 - 2016-11-23 18:32 - 00001756 _____ C:\Users\Public\Desktop\Fiserv Support Portal.lnk
2016-11-23 17:42 - 2016-11-23 17:42 - 00001788 _____ C:\Users\Public\Desktop\SCO WebCapture.lnk
2016-11-23 17:37 - 2016-11-23 17:37 - 00000000 ____D C:\Users\<UserName>\AppData\Roaming\Fiserv
2016-11-23 17:36 - 2016-11-23 17:42 - 00000000 ____D C:\ProgramData\Fiserv
2016-11-23 17:36 - 2016-11-23 17:42 - 00000000 ____D C:\Fiserv
2016-11-23 10:18 - 2016-11-23 18:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Carreker
2016-11-23 10:18 - 2016-11-23 18:32 - 00000000 ____D C:\Program Files\Carreker
2016-11-23 07:42 - 2016-11-23 07:42 - 00183668 _____ C:\Users\<UserName>\Downloads\20161122-073148-T.pdf
2016-11-23 07:41 - 2016-11-23 07:41 - 00006096 _____ C:\Users\<UserName>\Downloads\20161122-073148-VI.pdf
2016-11-22 07:32 - 2016-11-22 07:32 - 00181988 _____ C:\Users\<UserName>\Downloads\20161121-073148-T.pdf
2016-11-21 08:28 - 2016-11-21 08:28 - 00215121 _____ C:\Users\<UserName>\Downloads\20161120-073148-T.pdf
2016-11-21 08:24 - 2016-11-21 08:24 - 00189638 _____ C:\Users\<UserName>\Downloads\20161118-073148-T.pdf
2016-11-21 08:23 - 2016-11-21 08:23 - 00003416 _____ C:\Users\<UserName>\Downloads\20161118-073148-ACQINVMR.pdf
2016-11-18 08:34 - 2016-11-18 08:34 - 06528165 _____ C:\Users\<UserName>\Downloads\161117_rpt
2016-11-18 08:01 - 2016-11-18 08:01 - 00186605 _____ C:\Users\<UserName>\Downloads\20161117-073148-T.pdf
2016-11-17 14:39 - 2016-11-17 14:39 - 00000000 ____D C:\Users\<UserName>\AppData\Local\Microsoft Help
2016-11-17 08:30 - 2016-11-17 08:30 - 00187459 _____ C:\Users\<UserName>\Downloads\20161116-073148-T.pdf
2016-11-17 08:28 - 2016-11-17 08:28 - 00002379 _____ C:\Users\<UserName>\Downloads\20161116-SecurityCodes-073148-T.pdf
2016-11-16 16:01 - 2016-11-17 16:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-11-16 16:00 - 2016-11-23 17:51 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-11-16 14:43 - 2016-11-16 14:43 - 00002869 _____ C:\Users\<UserName>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Install Clean Up.lnk
2016-11-16 14:43 - 2016-11-16 14:43 - 00000000 ____D C:\Program Files\Windows Installer Clean Up
2016-11-16 07:32 - 2016-11-16 07:32 - 00216889 _____ C:\Users\<UserName>\Downloads\20161115-073148-T.pdf
2016-11-15 07:24 - 2016-11-15 07:24 - 03855548 _____ C:\Users\<UserName>\Downloads\20161114-073148-VI.pdf
2016-11-15 07:23 - 2016-11-15 07:23 - 00454806 _____ C:\Users\<UserName>\Downloads\20161114-073148-T.pdf
2016-11-14 15:21 - 2016-11-14 15:21 - 00000450 _____ C:\Users\<UserName>\Downloads\untitled (1).csv
2016-11-14 14:54 - 2016-11-14 14:54 - 00000873 _____ C:\Users\<UserName>\Downloads\untitled.csv
2016-11-14 14:42 - 2016-11-14 14:42 - 00000000 ____D C:\Users\<UserName>\AppData\LocalLow\VeriSign
2016-11-14 14:42 - 2016-11-14 14:42 - 00000000 ____D C:\Users\<UserName>\AppData\LocalLow\Symantec
2016-11-14 07:33 - 2016-11-14 07:33 - 00161711 _____ C:\Users\<UserName>\Downloads\20161111-073148-T.pdf
2016-11-14 07:31 - 2016-11-14 07:31 - 00164764 _____ C:\Users\<UserName>\Downloads\20161110-073148-T.pdf
2016-11-14 07:28 - 2016-11-14 07:28 - 00172701 _____ C:\Users\<UserName>\Downloads\20161113-073148-T.pdf
2016-11-10 09:24 - 2016-11-10 09:24 - 00000000 ____D C:\Users\<UserName>\AppData\LocalLow\Google
2016-11-10 07:37 - 2016-11-10 07:37 - 00189407 _____ C:\Users\<UserName>\Downloads\20161109-073148-T.pdf
2016-11-09 08:01 - 2016-11-09 08:01 - 00201758 _____ C:\Users\<UserName>\Downloads\20161108-073148-T.pdf
2016-11-07 08:19 - 2016-11-07 08:19 - 00211528 _____ C:\Users\<UserName>\Downloads\20161106-073148-T.pdf
2016-11-04 12:18 - 2016-11-04 12:18 - 00003986 _____ C:\Users\<UserName>\Downloads\20163090066100.pdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-04 20:31 - 2015-05-18 06:55 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d0916188b696fa.job
2016-12-04 20:31 - 2014-07-11 17:06 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-12-04 20:31 - 2014-07-11 17:06 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-12-04 20:30 - 2016-10-18 14:03 - 00001370 __RSH C:\Users\<UserName>\ntuser.pol
2016-12-04 20:30 - 2016-10-18 14:03 - 00000000 ____D C:\Users\<UserName>
2016-12-04 20:27 - 2014-07-18 19:20 - 00000120 _____ C:\Windows\system32\config\netlogon.ftl
2016-12-04 20:22 - 2015-05-18 06:55 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA1d0916188e0986e.job
2016-12-02 17:25 - 2016-10-18 14:03 - 00000250 ___SH C:\Users\<UserName>\ntuser.ini
2016-12-02 11:22 - 2016-10-25 15:35 - 00000000 ____D C:\Users\<UserName>\AppData\Local\CrashDumps
2016-12-02 07:39 - 2016-10-19 08:57 - 00000600 _____ C:\Users\<UserName>\AppData\Local\PUTTY.RND
2016-11-30 18:52 - 2012-07-25 23:17 - 00000215 _____ C:\Windows\system.ini
2016-11-30 18:11 - 2014-07-11 15:57 - 00807374 _____ C:\Windows\system32\PerfStringBackup.INI
2016-11-30 18:11 - 2012-07-25 23:43 - 00000000 ____D C:\Windows\inf
2016-11-30 18:07 - 2015-04-20 17:26 - 00000000 ____D C:\ProgramData\NVIDIA
2016-11-30 18:07 - 2012-07-26 01:04 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-11-30 17:06 - 2016-10-19 11:24 - 00000000 ____D C:\Users\<UserName>\AppData\Local\Adobe
2016-11-30 17:06 - 2014-07-11 17:04 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-11-30 17:00 - 2014-07-11 17:04 - 00000000 ____D C:\ProgramData\Adobe
2016-11-30 07:49 - 2016-10-18 14:03 - 00000000 ____D C:\Users\<UserName>\AppData\Roaming\FileZilla
2016-11-25 08:33 - 2014-07-11 17:07 - 00001012 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2016-11-25 08:33 - 2014-07-11 17:07 - 00000000 ____D C:\Program Files\Opera
2016-11-23 18:33 - 2012-07-26 01:43 - 00000000 ____D C:\Windows\CbsTemp
2016-11-23 17:59 - 2012-07-25 23:17 - 00524288 ___SH C:\Windows\system32\config\BBI
2016-11-23 17:42 - 2012-07-26 01:53 - 00000000 ___SD C:\Windows\Downloaded Program Files
2016-11-17 10:05 - 2014-08-01 16:12 - 00000426 _____ C:\Windows\BRWMARK.INI
2016-11-16 14:53 - 2014-08-01 16:13 - 00001218 _____ C:\Windows\ricdb.ini
2016-11-16 14:52 - 2014-07-11 17:06 - 00000000 ____D C:\Program Files\Google
2016-11-16 14:43 - 2015-02-17 08:50 - 00000000 ____D C:\Program Files\MSECache
2016-11-16 14:40 - 2016-10-19 08:49 - 00000000 ____D C:\Program Files\ZohoMeeting
2016-11-16 14:37 - 2016-10-18 14:06 - 00000000 ____D C:\Users\<UserName>\AppData\Local\Google
2016-11-10 14:24 - 2014-07-11 17:06 - 00002144 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-10 14:24 - 2014-07-11 17:06 - 00002132 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-11-08 06:17 - 2012-07-26 01:53 - 00000000 ___HD C:\Program Files\WindowsApps
2016-11-08 06:17 - 2012-07-26 01:53 - 00000000 ____D C:\Windows\AUInstallAgent
 
==================== Files in the root of some directories =======
 
2016-10-19 08:57 - 2016-12-02 07:39 - 0000600 _____ () C:\Users\<UserName>\AppData\Local\PUTTY.RND
2016-06-18 11:34 - 2016-06-18 11:34 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-10-28 15:18 - 2015-03-27 16:41 - 0001200 _____ () C:\ProgramData\LexFiles.usr
 
Files to move or delete:
====================
C:\Users\<UserName>\# DECRYPT MY FILES #.vbs
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-04 03:00
 
==================== End of FRST.txt ============================
 
 
This log looks mostly clean. I am uncertain on a couple of them:
 
Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 04-12-2016
Ran by <UserName> (04-12-2016 20:33:32)
Running from C:\Users\<UserName>\Downloads
Microsoft Windows 8 Pro (X86) (2014-07-11 20:56:05)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (<Admin GUID> - Administrator - Disabled)
Guest (<Guest GUID> - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: ESET NOD32 Antivirus 8.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: ESET NOD32 Antivirus 8.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
1Password 4.6.1.616 (HKLM\...\1Password4_is1) (Version: 4.0 - AgileBits)
2007 Microsoft Office Suite Service Pack 3 (SP3) (HKLM\...\{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.020.20042 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 5.14 - Piriform)
Citrix Online Launcher (HKLM\...\{E5F6D26D-E180-4547-A865-565EAB61000C}) (Version: 1.0.362 - Citrix)
DynaLog Viewer with Configuration Utility V1.0.0.18 (HKLM\...\DynaLog Viewer with Configuration Utility V1.0.0.18) (Version:  - )
EMET 5.5 (HKLM\...\{E27E74F0-0EAD-4C5D-8F6F-1C9192D24AA5}) (Version: 5.5 - Microsoft Corporation)
ESET NOD32 Antivirus (HKLM\...\{1231238A-E793-4030-A068-0E0A2643B8E3}) (Version: 8.0.319.0 - ESET, spol s r. o.)
FileZilla Client 3.16.1 (HKLM\...\FileZilla Client) (Version: 3.16.1 - Tim Kosse)
Google Chrome (HKLM\...\Google Chrome) (Version: 54.0.2840.99 - Google Inc.)
Google Earth (HKLM\...\{A0C18B96-AB79-46BD-8321-6FA83E6D25B9}) (Version: 7.1.7.2606 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.31.5 - Google Inc.) Hidden
HP Deskjet 1000 J110 series Basic Device Software (HKLM\...\{AB4DDFCF-6CCB-4539-920B-74AD7CFB043D}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
Lexmark MS610 Series Uninstaller (HKLM\...\Lexmark MS610 Series) (Version:  - Lexmark International, Inc.)
Lexmark Printer Software Uninstall (HKLM\...\Lexmark Printer Software Uninstall) (Version:  - )
Microsoft Office Basic 2007 (HKLM\...\BASICR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50428.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 47.0 (x86 en-US) (HKLM\...\Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 47.0 - Mozilla)
NVIDIA 3D Vision Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 340.52 - NVIDIA Corporation)
NVIDIA Graphics Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 340.52 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
Opera Stable 41.0.2353.69 (HKLM\...\Opera 41.0.2353.69) (Version: 41.0.2353.69 - Opera Software)
Overdraft Advance (HKLM\...\{DDA19A48-DF1F-4F3A-82D5-89B6AA72D9AE}) (Version: 4.0.4.3 - MEA Financial)
PCN-TERM v2 (HKLM\...\TunPLUS) (Version:  - )
StartIsBack (HKLM\...\StartIsBack) (Version: 2.1.2 - startisback.com)
SumatraPDF (HKLM\...\SumatraPDF) (Version: 3.1.2 - Krzysztof Kowalczyk)
Type5000 TWAIN Driver Ver.4 (HKLM\...\{80129847-D1EF-46B7-A57F-EBF207239109}) (Version: 4.27.01 - )
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VIP Access (HKLM\...\{7EB5B9B6-E7BF-4E8F-B478-1266A78CF231}) (Version: 2.2.1.13 - Symantec Corporation)
Windows Installer Clean Up (HKLM\...\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}) (Version: 3.00.00.0000 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0BD90F3B-1E29-4191-B3CF-C65213EE1F9B} - System32\Tasks\GoogleUpdateTaskMachineUA1d0916188e0986e => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {2D1A04C4-0FF3-43AA-8F77-6B59402771C0} - System32\Tasks\{B0670255-9D95-48B3-A67D-55A6DBFC7463} => pcalua.exe -a "\\DOMAIN.local\IT\Software\FiServ\Enterprise Source Capture Solutions\Fiserv_AdminNoScanner_SCO2.exe" -d "\\DOMAIN.local\IT\Software\FiServ\Enterprise Source Capture Solutions"
Task: {3C9A5CA8-1E18-4AE9-AC5F-2FA7DAC27B16} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {49158326-E443-4D11-A5A0-8D5960016813} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-10-21] (Adobe Systems Incorporated)
Task: {59458440-1464-452C-96D9-3126314DAA78} - System32\Tasks\Opera scheduled Autoupdate 1405116423 => C:\Program Files\Opera\launcher.exe [2016-11-21] (Opera Software)
Task: {7D34C650-F5F2-4E9C-BE5E-E8AD4DD5F5CE} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-01-15] (Piriform Ltd)
Task: {7E035E74-1294-4E7D-B59A-13B2DD41931E} - System32\Tasks\Microsoft\Windows\Setup\EOSNotify => C:\Windows\system32\EOSNotify.exe [2016-06-25] (Microsoft Corporation)
Task: {9178CBD5-6EFD-46BB-82CB-8C1476E2A09B} - System32\Tasks\GoogleUpdateTaskMachineUA1d041f759d6cffa => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {AA2D8F3B-93AB-4ADB-B6B9-61745B3FF15F} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
Task: {BF140B8C-4994-4469-9C1B-B3AFBBC97FDA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {CF994BE4-1BEC-4D3E-B424-161F08445E94} - System32\Tasks\GoogleUpdateTaskMachineCore1d0916188b696fa => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {D304C2E8-DA6E-4025-826B-9B223D9D3968} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d0916188b696fa.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1d041f759d6cffa.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1d0916188e0986e.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\Users\Public\Desktop\Fiserv Support Portal.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://ipsupport.fiserv.com
 
==================== Loaded Modules (Whitelisted) ==============
 
2012-11-09 10:36 - 2012-11-09 14:36 - 00043342 _____ () C:\Windows\System32\GIE6AM.DLL
2016-03-16 05:20 - 2016-03-16 05:20 - 00048816 _____ () C:\Program Files\FileZilla FTP Client\fzshellext.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\<User GUID>\...\americanshare.com -> americanshare.com
IE trusted site: HKU\<User GUID>\...\capitalone.com -> capitalone.com
IE trusted site: HKU\<User GUID>\...\client-central.com -> hxxps://reports.client-central.com
IE trusted site: HKU\<User GUID>\...\concordefs.com -> concordefs.com
IE trusted site: HKU\<User GUID>\...\consumercardaccess.com -> consumercardaccess.com
IE trusted site: HKU\<User GUID>\...\corporateone.coop -> corporateone.coop
IE trusted site: HKU\<User GUID>\...\cuac.net -> cuac.net
IE trusted site: HKU\<User GUID>\...\elanfinancialservices.com -> elanfinancialservices.com
IE trusted site: HKU\<User GUID>\...\estarstation.com -> hxxps://www.estarstation.com
IE trusted site: HKU\<User GUID>\...\federalreserve.gov -> federalreserve.gov
IE trusted site: HKU\<User GUID>\...\financial-net.com -> financial-net.com
IE trusted site: HKU\<User GUID>\...\fiserv.com -> fiserv.com
IE trusted site: HKU\<User GUID>\...\fiservsco.com -> fiservsco.com
IE trusted site: HKU\<User GUID>\...\fisglobal.com -> fisglobal.com
IE trusted site: HKU\<User GUID>\...\fnis.com -> clientlink.fnis.com
IE trusted site: HKU\<User GUID>\...\gotimeforce2.com -> gotimeforce2.com
IE trusted site: HKU\<User GUID>\...\lilliecpa.com -> lilliecpa.com
IE trusted site: HKU\<User GUID>\...\mastercard.com -> mastercard.com
IE trusted site: HKU\<User GUID>\...\msn.com -> hxxp://www.msn.com
IE trusted site: HKU\<User GUID>\...\mycuserviceslogin.com -> mycuserviceslogin.com
 
There are 5 more sites.
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2012-07-25 23:17 - 2016-11-30 18:52 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\<User GUID>\Control Panel\Desktop\\Wallpaper -> \\DOMAIN.local\USERS\<UserName>\My Pictures\Matt and Hannah.jpg
DNS Servers: 192.168.1.3 - 192.168.1.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => LPort=139
FirewallRules: [TCP Query User{62CC4899-FAD4-4C70-8301-6942F5B5B77F}C:\program files\microsoft office\office12\winword.exe] => C:\program files\microsoft office\office12\winword.exe
FirewallRules: [UDP Query User{3AD03210-CB55-437B-BBE7-89F639455EB3}C:\program files\microsoft office\office12\winword.exe] => C:\program files\microsoft office\office12\winword.exe
FirewallRules: [{42D3CB6C-E1D5-4E99-AF68-87D24B0E467B}] => \\DOMAIN.local\IT\Printers\Lexmark MS610\Install\x86\installgui.exe
FirewallRules: [{C1B0E62D-1FA8-46F3-9EE8-959D7B761751}] => \\DOMAIN.local\IT\Printers\Lexmark MS610\Install\x86\installgui.exe
FirewallRules: [TCP Query User{6045F2AA-34B1-4388-BEB5-4A49B961D878}\\db\oa\oa.exe] => \\db\oa\oa.exe
FirewallRules: [UDP Query User{9C9D4371-4651-421B-A737-3B370F0D503B}\\db\oa\oa.exe] => \\db\oa\oa.exe
FirewallRules: [{CFEAEC6D-EB9D-41A3-9981-A20C416BB0C6}] => C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\USBSetup.exe
FirewallRules: [TCP Query User{1F0C523D-9E9C-46F5-BA91-A9160393CA7B}C:\users\<UserName>\appdata\local\temp\joidf16.tmp\join.me.exe] => C:\users\<UserName>\appdata\local\temp\joidf16.tmp\join.me.exe
FirewallRules: [UDP Query User{0D10DF48-AD63-42C2-9BB2-D73A02289403}C:\users\<UserName>\appdata\local\temp\joidf16.tmp\join.me.exe] => C:\users\<UserName>\appdata\local\temp\joidf16.tmp\join.me.exe
FirewallRules: [{4D7AB84B-D746-471F-87ED-A3E4B71DFEF4}] => C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{FCA7C955-91BC-44B9-8228-6280C9C84B0A}] => C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{42E08C49-F6DE-45AC-B553-AA6B9DECAE19}] => C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/04/2016 08:30:56 PM) (Source: Group Policy Shortcuts) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'Drive Mappings {7CBE62ED-223E-4E83-BBFE-AABBFC018DCB}' because it failed with error code '0x80070003 The system cannot find the path specified.'%apply00790275
 
Error: (12/04/2016 08:30:31 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: egui.exe, version: 8.0.319.0, time stamp: 0x559d22c2
Faulting module name: ToastNotify.dll, version: 8.0.319.0, time stamp: 0x559d238f
Exception code: 0xc0000005
Fault offset: 0x00002f67
Faulting process id: 0x950
Faulting application start time: 0x01d24e96c6c3400f
Faulting application path: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
Faulting module path: C:\Program Files\ESET\ESET NOD32 Antivirus\ToastNotify.dll
Report Id: 68c3c481-ba8a-11e6-afd7-00219b142243
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (12/04/2016 08:28:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 10.0.9200.17568, time stamp: 0x563d87d5
Faulting module name: ntdll.dll, version: 6.2.9200.17581, time stamp: 0x5644f10e
Exception code: 0x80000004
Fault offset: 0x0000389f
Faulting process id: 0x350
Faulting application start time: 0x01d24e96dfd9719a
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 1ee3e5f3-ba8a-11e6-afd7-00219b142243
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (12/04/2016 08:27:40 PM) (Source: Group Policy Shortcuts) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'Drive Mappings {7CBE62ED-223E-4E83-BBFE-AABBFC018DCB}' because it failed with error code '0x80070003 The system cannot find the path specified.'%apply00790275
 
Error: (12/02/2016 05:24:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: egui.exe, version: 8.0.319.0, time stamp: 0x559d22c2
Faulting module name: ToastNotify.dll, version: 8.0.319.0, time stamp: 0x559d238f
Exception code: 0xc0000005
Fault offset: 0x00002f67
Faulting process id: 0x1e8
Faulting application start time: 0x01d24cb516de0687
Faulting application path: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
Faulting module path: C:\Program Files\ESET\ESET NOD32 Antivirus\ToastNotify.dll
Report Id: 27a52cbf-b8de-11e6-afd7-00219b142243
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (12/02/2016 04:20:39 PM) (Source: Group Policy Shortcuts) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'Drive Mappings {7CBE62ED-223E-4E83-BBFE-AABBFC018DCB}' because it failed with error code '0x80070003 The system cannot find the path specified.'%apply00790275
 
Error: (12/02/2016 02:33:37 PM) (Source: Group Policy Shortcuts) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'Drive Mappings {7CBE62ED-223E-4E83-BBFE-AABBFC018DCB}' because it failed with error code '0x80070003 The system cannot find the path specified.'%apply00790275
 
Error: (12/02/2016 12:46:36 PM) (Source: Group Policy Shortcuts) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'Drive Mappings {7CBE62ED-223E-4E83-BBFE-AABBFC018DCB}' because it failed with error code '0x80070003 The system cannot find the path specified.'%apply00790275
 
Error: (12/02/2016 11:22:42 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WINWORD.EXE, version: 12.0.6754.5000, time stamp: 0x579078f8
Faulting module name: ntdll.dll, version: 6.2.9200.17581, time stamp: 0x5644f10e
Exception code: 0x80000004
Fault offset: 0x00001389
Faulting process id: 0xda0
Faulting application start time: 0x01d24cb84b8a05fa
Faulting application path: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 8c8053ae-b8ab-11e6-afd7-00219b142243
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (12/02/2016 10:59:57 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 10.0.9200.17568, time stamp: 0x563d87d5
Faulting module name: ntdll.dll, version: 6.2.9200.17581, time stamp: 0x5644f10e
Exception code: 0x80000004
Fault offset: 0x00001389
Faulting process id: 0x1190
Faulting application start time: 0x01d24cb520864b14
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 5eec6ef3-b8a8-11e6-afd7-00219b142243
Faulting package full name: 
Faulting package-relative application ID:
 
 
System errors:
=============
Error: (11/30/2016 07:15:25 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 07:14:55 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 07:14:25 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 07:13:55 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 06:59:03 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 06:58:33 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 06:58:03 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 06:57:33 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 06:57:02 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
Error: (11/30/2016 06:56:32 PM) (Source: DCOM) (EventID: 10010) (User: DOMAIN)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.
 
 
CodeIntegrity:
===================================
  Date: 2016-12-04 20:29:50.779
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 19:10:30.916
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 18:55:34.296
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 18:35:37.783
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 17:58:27.003
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 17:31:11.272
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 17:08:07.926
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 17:02:24.100
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 16:55:48.305
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-11-30 16:45:18.468
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® Dual CPU E2200 @ 2.20GHz
Percentage of memory in use: 52%
Total physical RAM: 2046.17 MB
Available physical RAM: 965.83 MB
Total Virtual: 4123.06 MB
Available Virtual: 2794.29 MB
 
==================== Drives ================================
 
Drive c: (Sys) (Fixed) (Total:111.79 GB) (Free:76.11 GB) NTFS ==>[drive with boot components (obtained from BCD)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: B1290E69)
Partition 1: (Active) - (Size=111.8 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Edited by With Wings4, 04 December 2016 - 09:01 PM.


#4 With Wings4 (Topic Starter, Members, 5 posts)

Posted 06 December 2016 - 10:17 AM

I can remove Eset to limit the Gmer false positives, but I don't know of any good source of info regarding Gmer.

 

Also, I would like to help troubleshoot Combofix vis-à-vis 64-bit editions of Windows, or EMET, if you guys need any help with that.



#5 TsVk! (penguin farmer, Members, 6,233 posts, Location: The Antipodes)

Posted 09 December 2016 - 03:24 AM

Hi With Wings4,

 

Apologies for the delay.

 

Let's remove a couple of things and get some more information on your system.

 

Please create a new text file located in the same directory as FRST.exe, copy these lines into it and then save it.

FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF Plugin HKU\<User GUID>: @citrixonline.com/appdetectorplugin -> C:\Users\<UserName>\AppData\Local\Citrix\Plugins\104\npappdetector.dll [No File]
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S4 TunLprNP; no ImagePath
U3 kxddypog; \??\C:\Users\<UserName>\AppData\Local\Temp\kxddypog.sys [X]
Task: {3C9A5CA8-1E18-4AE9-AC5F-2FA7DAC27B16} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {AA2D8F3B-93AB-4ADB-B6B9-61745B3FF15F} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
Zip: C:\Users\<UserName>\# DECRYPT MY FILES #.vbs
  • If you have removed your username and replaced it with <UserName>, please edit the last line of the list and save again.
  • Now name that file fixlist.txt.
  • Please run FRST.
  • Click the "Fix" button.
  • Please copy and paste the removal log in your reply.
  • Please upload the Upload.zip that appears on your desktop to this site and provide the download link.

Please download RogueKiller and run it.

  • Click Scan and then Scan again to start the application.
  • Please be patient; the scan can take quite some time.
  • When it completes, close the browser pop-up.
  • Click Open Report, then Open TXT.
  • Copy and paste the output into your reply.

Please enable System Restore on the machine.

 

Do you have a shared directory \\db\oa? Do you recognise the executable \\db\oa\oa.exe?

 

Please include in your reply

  • FRST log
  • Upload.zip link
  • RogueKiller report
  • Were you able to enable system restore?
  • Do you recognise the directory path/file?

John



#6 TsVk! (penguin farmer, Members, 6,233 posts, Location: The Antipodes)

Posted 12 December 2016 - 07:46 PM

Hi With Wings4,

 

It's been 4 days since my reply. Do you still require assistance?

 

John



#7 With Wings4 (Topic Starter, Members, 5 posts)

Posted 13 December 2016 - 12:56 AM

I didn't see the reply. I should be able to check on this again in a couple of days. Off the top of my head, none of those lines are harmful:

 

FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found

Thunderbird Eset Antivirus plugin (Thunderbird used to be installed)

FF Plugin HKU\<User GUID>: @citrixonline.com/appdetectorplugin -> C:\Users\<UserName>\AppData\Local\Citrix\Plugins\104\npappdetector.dll [No File]

Gremlin from gotomeeting

S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]

Broadcom driver

S4 TunLprNP; no ImagePath

A vendor-specific app (very old)

U3 kxddypog; \??\C:\Users\<UserName>\AppData\Local\Temp\kxddypog.sys [X]

Gmer

Task: {3C9A5CA8-1E18-4AE9-AC5F-2FA7DAC27B16} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {AA2D8F3B-93AB-4ADB-B6B9-61745B3FF15F} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}

Group Policy Scheduled Tasks

Zip: C:\Users\<UserName>\# DECRYPT MY FILES #.vbs

Gremlin from Cryptolocker that was caught by Eset



#8 TsVk! (penguin farmer, Members, 6,233 posts, Location: The Antipodes)

Posted 15 December 2016 - 05:52 PM

I've been away for some days; I will respond as soon as possible.

 

John



#9 TsVk! (penguin farmer, Members, 6,233 posts, Location: The Antipodes)

Posted 16 December 2016 - 03:43 PM

Hi With Wings4,

 

Let me break the lines up for you.

FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF Plugin HKU\<User GUID>: @citrixonline.com/appdetectorplugin -> C:\Users\<UserName>\AppData\Local\Citrix\Plugins\104\npappdetector.dll [No File]
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S4 TunLprNP; no ImagePath
U3 kxddypog; \??\C:\Users\<UserName>\AppData\Local\Temp\kxddypog.sys [X]

Are all associated with files or services that no longer exist on your machine.

Task: {3C9A5CA8-1E18-4AE9-AC5F-2FA7DAC27B16} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {AA2D8F3B-93AB-4ADB-B6B9-61745B3FF15F} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}

Are indeed associated with hidden group policy; they are commonly targeted, but as you said they are not malicious. My error.

Zip: C:\Users\<UserName>\# DECRYPT MY FILES #.vbs

I would like to have a look at this, though it is not essential to the cleaning of your machine.

 

Please follow my instructions in post #5, feel free to leave out the group policy lines and zip if so inclined. We can then progress with removing the infection from your machine.

 

Regards

 

John
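The distinction post #9 draws (references whose file or service is gone versus entries that still point at something on disk) can be applied mechanically to FRST output. The script below is an added example for this thread, not code from the thread, from FRST or from its author; it classifies the fixlist lines quoted in posts #5 and #9 by the status markers FRST prints, and the rule that "=> not found", "[No File]", "[X]" and "no ImagePath" denote a missing target is an assumption about FRST's conventions.

```python
"""Triage of FRST fixlist lines by their status markers.

Added example for this thread; not code from the thread, from FRST or from
its author.  The sample lines are the ones quoted in posts #5 and #9; the
marker rules are an assumption about how FRST annotates missing targets.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the fixlist lines quoted in the thread.
SAMPLE_FIXLIST = r"""
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF Plugin HKU\<User GUID>: @citrixonline.com/appdetectorplugin -> C:\Users\<UserName>\AppData\Local\Citrix\Plugins\104\npappdetector.dll [No File]
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S4 TunLprNP; no ImagePath
U3 kxddypog; \??\C:\Users\<UserName>\AppData\Local\Temp\kxddypog.sys [X]
Task: {3C9A5CA8-1E18-4AE9-AC5F-2FA7DAC27B16} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {AA2D8F3B-93AB-4ADB-B6B9-61745B3FF15F} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
Zip: C:\Users\<UserName>\# DECRYPT MY FILES #.vbs
""".strip().splitlines()

# Markers FRST appends when the referenced file or ImagePath is absent (assumed).
ORPHAN_MARKERS = ("=> not found", "[No File]", "[X]", "no ImagePath")
SERVICE_RE = re.compile(r"^([SRUD]\d) (\S+); (.*)$")               # "S3 name; path [X]"
TASK_RE = re.compile(r"^Task: (\{[^}]+\}) - (.*?)(?: => (.*))?$")  # "Task: {guid} - path => target"


@dataclass
class Finding:
    kind: str
    name: str
    path: Optional[str]
    orphaned: bool  # True when the entry points at something no longer on disk
    note: str


def _strip_markers(text: str) -> Optional[str]:
    for marker in ORPHAN_MARKERS:
        text = text.replace(marker, "")
    return text.strip() or None


def classify(line: str) -> Finding:
    """Map one FRST line to a Finding; raises ValueError on unknown shapes."""
    line = line.strip()
    orphaned = any(marker in line for marker in ORPHAN_MARKERS)
    if line.startswith("FF Plugin "):
        head, _, target = line.partition(" -> ")
        name = head.split(": ", 1)[1]
        note = "plugin registration whose DLL is gone" if orphaned else "plugin DLL present, inspect it"
        return Finding("browser plugin", name, _strip_markers(target), orphaned, note)
    if line.startswith("FF ") and "Extensions:" in line:
        m = re.search(r"\[([^\]]+)\] - (.*)$", line)
        if not m:
            raise ValueError(f"unrecognised extension line: {line}")
        note = "extension folder missing (leftover registration)" if orphaned else "extension present, inspect it"
        return Finding("browser extension", m.group(1), _strip_markers(m.group(2)), orphaned, note)
    m = SERVICE_RE.match(line)
    if m:
        code, name, rest = m.groups()
        path = None if rest.strip() == "no ImagePath" else _strip_markers(rest)
        note = "service/driver entry with no binary behind it" if orphaned else "binary present, verify publisher"
        if path and "\\Temp\\" in path:
            note += "; random-named .sys under Temp (the OP attributes it to GMER, post #7)"
        return Finding(f"service/driver (start {code})", name, path, orphaned, note)
    m = TASK_RE.match(line)
    if m:
        guid, task_path, target = m.groups()
        if "\\GroupPolicy\\" in task_path:
            note = "Group Policy scheduled task: commonly targeted, but benign here (post #9)"
        else:
            note = "scheduled task, check its target binary"
        return Finding("scheduled task", guid, target, orphaned, note)
    if line.startswith("Zip: "):
        return Finding("zip request", line[5:], line[5:], False,
                       "FRST directive that archives the file for review, not a removal")
    raise ValueError(f"unrecognised FRST line: {line}")


def triage(lines: List[str]) -> List[Finding]:
    return [classify(l) for l in lines if l.strip()]


def orphaned_names(findings: List[Finding]) -> List[str]:
    """Names of entries whose target no longer exists (safe leftovers to clean up)."""
    return [f.name for f in findings if f.orphaned]


if __name__ == "__main__":
    for f in triage(SAMPLE_FIXLIST):
        flag = "ORPHAN" if f.orphaned else "live  "
        print(f"{flag} {f.kind:<26} {f.name:<40} {f.note}")
```

Run against the sample, the five FF/S3/S4/U3 lines come out as orphaned leftovers and the two Group Policy tasks as live but benign, which matches the conclusion reached in the thread.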



#10 TsVk! (penguin farmer, Members, 6,233 posts, Location: The Antipodes)

Posted 20 December 2016 - 03:24 AM

Hi,

 

It's been a few days; do you still need assistance?

 

John



#11 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,207 posts, Location: Romania)

Posted 23 December 2016 - 03:21 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft
