CryptoLocker attack: Your files are locked!!!!


This topic is locked
9 replies to this topic

#1 kolonita

Posted 21 June 2017 - 04:38 PM

My laptop got attacked today with CryptoLocker - all files don't open at all - the deadline will be 27/6/2017

and it had a lot of text files named (your files are locked).

 

FRST file:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-06-2017 01
Ran by Koki (administrator) on KOLONITA (21-06-2017 23:04:38)
Running from C:\Users\ADMIN\Downloads
Loaded Profiles: Koki (Available Profiles: Koki)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe
() C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\afwServ.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Enigma Software Group USA, LLC.) C:\Users\ADMIN\AppData\Local\Temp\esg_uninstall.exe~
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7510232 2014-01-18] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374936 2014-01-14] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe [285272 2013-12-31] (Waves Audio Ltd.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2403104 2014-07-25] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239592 2017-05-31] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe [263232 2017-06-21] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
HKLM-x32\...\Run: [Cobian Backup 10 Interface] => C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe [3154432 2010-09-23] (Luis Cobian, CobianSoft)
HKLM\...\RunOnce: [ASYNCMAC] => rundll32.exe streamci,StreamingDeviceSetup {eeab7790-c514-11d1-b42b-00805fc1270e},asyncmac,{ad498944-762f-11d0-8dcb-00c04fc3358c},C:\Windows\INF\netrasa.inf,Ndis-Mp-AsyncMac
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [133760 2014-01-08] (Qualcomm®Atheros®)
HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3581816 2013-04-25] (Tonec Inc.)
HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\MountPoints2: {2055d254-2306-11e6-8276-c03896229454} - "D:\HTC_Sync_Manager_PC.exe" 
HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\MountPoints2: {c8e03725-55fc-11e5-8258-c03896229454} - "G:\HTC_Sync_Manager_PC.exe" 
IFEO\codectweaktool.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\hitmanpro.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\sh_installer.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\skype.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\spyhunter4.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2012-11-16] (Tonec Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 127.0.0.1                   example.net
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3CD56462-EADB-4355-BA3D-96482889A010}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
Tcpip\..\Interfaces\{9F27EFC7-6E4C-4BDD-9331-8F18BCEE5DAA}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/ar-eg/?ocid=iehp
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2013-04-30] (Internet Download Manager, Tonec Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2013-04-30] (Internet Download Manager, Tonec Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-06-06] (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-04-19] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-04-19] (Oracle Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default [2017-06-21]
FF Homepage: Mozilla\Firefox\Profiles\6tnzsfu4.default -> hxxps://www.malwarebytes.org/restorebrowser/
FF Extension: (1-Click YouTube Video Downloader) - C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default\Extensions\YoutubeDownloader@PeterOlayev.com.xpi [2016-11-26]
FF Extension: (Video AdBlock) - C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default\Extensions\{068e178c-61a9-4a63-b74f-87404a6f5ea1} [2016-04-02]
FF Extension: (HNetCfg.FwAuthorizedApplication) - C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default\Extensions\{EC9297EA-74A6-B38F-0442-A1D40053D26E} [2017-04-10] [not signed]
FF Extension: (Disable TLS Certificate Transparency) - C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default\features\{2209a633-b581-419e-ac91-21136420328a}\disable-cert-transparency@mozilla.org.xpi [2017-04-22]
FF Extension: (Disable Prefetch) - C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default\features\{2209a633-b581-419e-ac91-21136420328a}\disable-prefetch@mozilla.org.xpi [2017-04-22]
FF HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\ADMIN\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\ADMIN\AppData\Roaming\IDM\idmmzcc5 [2015-08-26] [not signed]
FF HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\ADMIN\AppData\Roaming\IDM\idmmzcc5
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-04-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-04-19] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-06-06] (Adobe Systems Inc.)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_By1OAEeGlWO7-ReH_rA-ussUydmAUGqC5OLxG5rzULnDCGXfYk1-tTxG-X_a0dRys23loIWYG1rDK3Rq8SHkhP8X50iqR5be9VhyxnSrUJ0fi_Ty8ALKLiUYpqulD6W8gWxxtk7_lZaj4IKkN75uHDaXp0-0UsNSeZRL5DoDarO0,
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://feed.wiki-search.me/?st=ds&query={searchTerms}
CHR DefaultSearchKeyword: Default -> Wiki Search.me
CHR Profile: C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default [2017-06-21]
CHR Extension: (Google Slides) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-04-10]
CHR Extension: (Google Docs) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-10]
CHR Extension: (Google Drive) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-10]
CHR Extension: (YouTube) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-10]
CHR Extension: (Adblock Plus) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-04-12]
CHR Extension: (Video Downloader professional) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2016-11-26]
CHR Extension: (Google Sheets) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-04-10]
CHR Extension: (Google Docs Offline) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-10]
CHR Extension: (AdBlock) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-06-17]
CHR Extension: (IDM Integration) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm [2015-08-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-20]
CHR Extension: (Gmail) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-10]
CHR Extension: (Chrome Media Router) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-16]
CHR HKLM-x32\...\Chrome\Extension: [jmolcgpienlcieaajfkkdamlngancncm] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2013-05-07]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [318592 2014-01-08] (Windows ® Win 7 DDK provider) [File not signed]
R2 AVG Antivirus; C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe [264432 2017-06-21] (AVG Technologies CZ, s.r.o.)
R2 AVG Firewall; C:\Program Files (x86)\AVG\Antivirus\afwServ.exe [311624 2017-06-21] (AVG Technologies CZ, s.r.o.)
R3 avgbIDSAgent; C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe [7396872 2017-06-21] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1428656 2017-05-31] (AVG Technologies CZ, s.r.o.)
R2 cbVSCService; C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe [67584 2010-09-23] (CobianSoft, Luis Cobian) [File not signed]
S4 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2017-06-21] (SurfRight B.V.)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
S2 locep; C:\ProgramData\\locep\\locep.exe [994304 2017-04-10] () [File not signed]
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1720608 2014-07-25] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [18956064 2014-07-25] (NVIDIA Corporation)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [5906704 2017-02-21] (AVG Technologies CZ, s.r.o.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [672208 2017-02-03] (Wacom Technology, Corp.)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3881472 2013-12-12] (Qualcomm Atheros Communications, Inc.)
R1 avgbdisk; C:\Windows\system32\drivers\avgbdiska.sys [166624 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgbidsdriver; C:\Windows\system32\drivers\avgbidsdrivera.sys [314128 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgbidsh; C:\Windows\system32\drivers\avgbidsha.sys [192584 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgblog; C:\Windows\system32\drivers\avgbloga.sys [336896 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgbuniv; C:\Windows\system32\drivers\avgbuniva.sys [51336 2017-06-21] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\Windows\system32\drivers\avgHwid.sys [39424 2017-06-21] (AVG Technologies CZ, s.r.o.)
R2 avgMonFlt; C:\Windows\system32\drivers\avgMonFlt.sys [129776 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgNetSec; C:\Windows\system32\drivers\avgNetSec.sys [509056 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgRdr; C:\Windows\system32\drivers\avgRdr2.sys [102280 2017-06-21] (AVG Technologies CZ, s.r.o.)
S0 avgRvrt; C:\Windows\system32\drivers\avgRvrt.sys [76832 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgSnx; C:\Windows\system32\drivers\avgSnx.sys [1008288 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgSP; C:\Windows\system32\drivers\avgSP.sys [570320 2017-06-21] (AVG Technologies CZ, s.r.o.)
R2 avgStm; C:\Windows\system32\drivers\avgStm.sys [160008 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgVmm; C:\Windows\system32\drivers\avgVmm.sys [340824 2017-06-21] (AVG Technologies CZ, s.r.o.)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-01-08] (Qualcomm Atheros)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-25] (OSR Open Systems Resources, Inc.)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 HtcVCom32; C:\Windows\system32\DRIVERS\HtcVComV64.sys [121800 2010-03-08] (QUALCOMM Incorporated)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20256 2014-07-25] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [41200 2014-01-15] (Synaptics Incorporated)
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [32304 2017-02-21] (AVG Netherlands B.V.)
S3 WacHidRouterPro; C:\Windows\System32\drivers\wachidrouter.sys [119952 2017-01-25] (Wacom Technology)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
S3 MBAMFarflt; \??\C:\Windows\system32\drivers\farflt.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-21 23:04 - 2017-06-21 23:05 - 00023635 _____ C:\Users\ADMIN\Downloads\FRST.txt
2017-06-21 23:04 - 2017-06-21 23:04 - 00000000 ____D C:\FRST
2017-06-21 23:02 - 2017-06-21 23:03 - 02439680 _____ (Farbar) C:\Users\ADMIN\Downloads\FRST64.exe
2017-06-21 22:54 - 2017-06-21 22:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 10
2017-06-21 22:54 - 2017-06-21 22:54 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 10
2017-06-21 22:13 - 2017-06-21 22:13 - 00003704 _____ C:\Windows\System32\Tasks\Java Platform SE Auto Updater
2017-06-21 22:13 - 2017-06-21 22:13 - 00003694 _____ C:\Windows\System32\Tasks\Adobe Reader and Acrobat Manager
2017-06-21 21:55 - 2017-06-21 21:55 - 00002576 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp.lnk
2017-06-21 21:55 - 2017-02-21 09:29 - 00053008 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\TURegOpt.exe
2017-06-21 17:15 - 2017-06-21 17:15 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\AVG
2017-06-21 17:13 - 2017-06-21 17:13 - 00003920 _____ C:\Windows\System32\Tasks\Antivirus Emergency Update
2017-06-21 17:12 - 2017-06-21 17:13 - 00160008 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgstm.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 01008288 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSnx.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00570320 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSP.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00401584 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2017-06-21 17:12 - 2017-06-21 17:12 - 00340824 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgVmm.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00159496 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgstm.sys.149805800231201
2017-06-21 17:12 - 2017-06-21 17:12 - 00129776 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgMonFlt.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00102280 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRdr2.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00076832 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRvrt.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00039424 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgHwid.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00509056 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgNetSec.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00336896 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbloga.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00314128 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsdrivera.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00192584 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsha.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00166624 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbdiska.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00051336 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbuniva.sys
2017-06-21 17:00 - 2017-06-21 17:00 - 00001028 _____ C:\Users\Public\Desktop\AVG.lnk
2017-06-21 17:00 - 2017-06-21 17:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2017-06-21 16:56 - 2017-06-21 21:54 - 00000000 ____D C:\Program Files (x86)\AVG
2017-06-21 16:56 - 2017-06-21 21:50 - 00003600 _____ C:\Windows\System32\Tasks\AVG EUpdate Task
2017-06-21 16:56 - 2017-06-21 16:56 - 00000000 ____D C:\Users\ADMIN\AppData\Local\CEF
2017-06-21 16:53 - 2017-06-21 21:55 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Avg
2017-06-21 16:53 - 2017-06-21 21:54 - 00000000 ____D C:\Users\ADMIN\AppData\Local\AvgSetupLog
2017-06-21 16:53 - 2017-06-21 21:54 - 00000000 ____D C:\ProgramData\Avg
2017-06-21 14:18 - 2017-06-21 14:18 - 00000000 _____ C:\autoexec.bat
2017-06-21 14:17 - 2017-06-21 22:24 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\Enigma Software Group
2017-06-21 14:08 - 2017-06-21 14:08 - 00000000 ____H C:\ProgramData\cm-lock
2017-06-21 13:49 - 2017-06-21 13:50 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-21 13:45 - 2017-06-21 14:07 - 00001072 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2017-06-21 13:45 - 2017-06-21 13:46 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2017-06-21 13:45 - 2017-06-21 13:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2017-06-21 13:45 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2017-06-21 13:45 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-06-21 13:45 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-06-21 13:10 - 2017-06-21 13:10 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\www.shadowexplorer.com
2017-06-21 12:17 - 2017-06-21 13:02 - 00479680 _____ C:\Windows\ntbtlog.txt
2017-06-21 11:32 - 2017-06-21 11:33 - 00969845 _____ (ShadowExplorer.com ) C:\Users\ADMIN\Downloads\ShadowExplorer-0.9-setup.exe
2017-06-21 11:23 - 2017-06-21 11:41 - 00000370 _____ C:\Windows\system32\.crusader
2017-06-21 11:04 - 2017-06-21 14:07 - 00001925 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2017-06-21 11:04 - 2017-06-21 11:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2017-06-21 11:04 - 2017-06-21 11:04 - 00000000 ____D C:\Program Files\HitmanPro
2017-06-21 11:03 - 2017-06-21 11:25 - 00000000 ____D C:\ProgramData\HitmanPro
2017-06-21 10:54 - 2017-06-21 10:59 - 11584088 _____ (SurfRight B.V.) C:\Users\ADMIN\Downloads\hitmanpro_x64.exe
2017-06-21 10:50 - 2017-06-21 11:01 - 64232976 _____ (Malwarebytes ) C:\Users\ADMIN\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !!.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !!!.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !!!!.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !!!!!.txt
2017-06-16 10:57 - 2017-06-16 10:57 - 00000000 ___RD C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2017-06-13 10:45 - 2017-06-19 22:03 - 00839261 _____ C:\Users\ADMIN\Downloads\Heart vein opening medicine.pdf
2017-06-12 11:47 - 2017-06-20 22:13 - 00000625 _____ C:\Users\ADMIN\Desktop\New Text Document.txt
2017-06-03 12:20 - 2017-06-03 12:25 - 25390480 _____ C:\Users\ADMIN\Downloads\MyFitnessPal-Premium-6.15.apk
2017-06-03 12:14 - 2017-06-03 12:16 - 25674140 _____ C:\Users\ADMIN\Downloads\MyFitnessPal+Premium+v6.16.1.apk
2017-06-03 11:10 - 2017-06-03 11:13 - 25746703 _____ C:\Users\ADMIN\Downloads\com.mod.myfitnesspal-premium-v6-7-2.9495.apk
2017-06-03 10:30 - 2017-06-03 10:40 - 25674140 _____ C:\Users\ADMIN\Downloads\MyFitnessPal-Premium-6.16.1.apk
2017-06-03 10:17 - 2017-06-03 10:19 - 25158697 _____ C:\Users\ADMIN\Downloads\MyFitnessPal 6.2.1_9058-1.apk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-21 22:59 - 2015-08-26 12:35 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3449532359-1381429811-3815724361-1001
2017-06-21 22:23 - 2015-08-30 17:19 - 00000000 ____D C:\ProgramData\Skype
2017-06-21 22:21 - 2017-05-08 16:24 - 00003218 _____ C:\Windows\System32\Tasks\klcp_update
2017-06-21 22:13 - 2017-05-10 21:38 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\MPC-HC
2017-06-21 22:13 - 2015-08-31 20:40 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Microsoft Help
2017-06-21 22:13 - 2015-08-30 17:19 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\Skype
2017-06-21 22:13 - 2015-08-26 13:12 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\IDM
2017-06-21 22:13 - 2015-08-26 13:12 - 00000000 ____D C:\Program Files (x86)\Internet Download Manager
2017-06-21 22:12 - 2017-04-17 12:52 - 00000000 ____D C:\Windows\Minidump
2017-06-21 22:12 - 2015-08-26 22:23 - 00000000 ____D C:\Windows\Panther
2017-06-21 22:12 - 2013-08-22 15:36 - 00000000 ____D C:\Windows\Inf
2017-06-21 22:01 - 2017-02-18 14:50 - 00000000 ____D C:\ProgramData\Package Cache
2017-06-21 17:32 - 2017-04-10 16:17 - 00000000 ____D C:\ProgramData\locep
2017-06-21 14:08 - 2015-08-26 13:12 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\DMCache
2017-06-21 14:08 - 2013-08-22 16:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-21 14:07 - 2015-10-29 12:57 - 00001123 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS6 (64 Bit).lnk
2017-06-21 14:07 - 2015-10-29 12:56 - 00001085 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6 (64bit).lnk
2017-06-21 14:07 - 2015-10-29 12:55 - 00001531 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS6.lnk
2017-06-21 14:07 - 2015-10-29 12:55 - 00001361 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS6.lnk
2017-06-21 14:07 - 2015-10-24 18:41 - 00001482 _____ C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Disk Cleanup.lnk
2017-06-21 14:07 - 2015-10-14 16:47 - 00000859 _____ C:\Users\ADMIN\Desktop\µTorrent.lnk
2017-06-21 14:07 - 2015-10-14 16:47 - 00000839 _____ C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2017-06-21 14:07 - 2015-10-12 21:35 - 00000978 _____ C:\Users\Public\Desktop\Guitar Pro 6.lnk
2017-06-21 14:07 - 2015-08-26 13:17 - 00001163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-06-21 14:07 - 2015-08-26 13:13 - 00002163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-06-21 14:07 - 2015-08-26 13:08 - 00002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2017-06-21 14:07 - 2015-08-26 13:07 - 00001027 _____ C:\ProgramData\Microsoft\Windows\Start Menu\WinRAR.lnk
2017-06-21 14:07 - 2015-08-26 12:58 - 00000716 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® HD Graphics Control Panel.lnk
2017-06-21 14:07 - 2015-08-26 12:29 - 00001422 _____ C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-06-21 13:42 - 2017-04-17 11:36 - 00000000 ____D C:\Users\ADMIN\Downloads\Compressed
2017-06-21 13:32 - 2015-10-04 19:01 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-21 13:02 - 2015-08-26 12:29 - 00000000 ____D C:\Users\ADMIN
2017-06-21 11:42 - 2017-05-08 20:08 - 00000000 ____D C:\Users\ADMIN\AppData\Local\8a29bfdc
2017-06-21 11:41 - 2017-04-10 13:33 - 00000000 ____D C:\Program Files\Common Files\volyqrhv
2017-06-19 22:04 - 2017-04-16 22:33 - 76700325 _____ C:\Users\ADMIN\Downloads\osama.pdf
2017-06-19 22:04 - 2017-04-09 08:24 - 00016315 _____ C:\Users\ADMIN\Downloads\Sungha Jung - A Thousand Years v1.gp5
2017-06-19 22:04 - 2017-03-05 12:57 - 128264514 _____ C:\Users\ADMIN\Downloads\videoplayback.mp4
2017-06-19 22:03 - 2017-04-23 13:30 - 00011793 _____ C:\Users\ADMIN\Documents\مصاؤيف.xlsx
2017-06-19 22:03 - 2017-03-05 10:02 - 153804359 _____ C:\Users\ADMIN\Downloads\Day 1  30 Minute at Home Strength Workout  Clutch Life Ashley Conrads 247 Fitness Trainer.mp4
2017-06-19 22:03 - 2017-02-28 22:32 - 102607391 _____ C:\Users\ADMIN\Downloads\At Home Core Workout  Clutch Life Ashley Conrads 247 Fitness Trainer.mp4
2017-06-19 22:03 - 2017-02-14 12:21 - 13153916 _____ C:\Users\ADMIN\Downloads\Drawing on the Funny Side of the Brain - Christopher Hart.pdf
2017-06-19 22:03 - 2016-11-06 09:31 - 00019896 _____ C:\Users\ADMIN\Downloads\1.xlsx
2017-06-19 22:03 - 2016-07-30 20:16 - 01270071 _____ C:\Users\ADMIN\Downloads\Dina Hafez.pdf
2017-06-19 22:03 - 2016-07-27 22:24 - 00578470 _____ C:\Users\ADMIN\Downloads\2.pdf
2017-06-19 22:03 - 2016-01-27 20:58 - 00000165 ____H C:\Users\ADMIN\Documents\~$malikaaa's.xlsx
2017-06-19 21:43 - 2013-08-22 17:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-19 21:43 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\AppReadiness
2017-06-19 21:42 - 2015-08-26 12:29 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Packages
2017-06-17 20:44 - 2015-08-26 12:32 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-17 15:01 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\system32\NDF
2017-06-17 14:59 - 2013-08-22 15:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2017-06-17 14:56 - 2017-01-10 16:49 - 00000000 ____D C:\Users\ADMIN\AppData\LocalLow\Mozilla
2017-06-10 22:53 - 2015-08-27 08:44 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\uTorrent
2017-05-26 23:25 - 2015-08-27 15:28 - 00000000 ____D C:\Users\ADMIN\AppData\Local\CrashDumps
 
==================== Files in the root of some directories =======
 
2017-05-07 14:29 - 2017-05-07 14:29 - 3667071 _____ () C:\Program Files\Common Files\lchw3kzv.exe
2017-05-06 11:55 - 2017-05-06 11:55 - 3666228 _____ () C:\Program Files\Common Files\na1l5gcd.exe
2017-05-05 11:08 - 2017-05-05 11:08 - 3666198 _____ () C:\Program Files\Common Files\ra2m2hp5.exe
2017-06-19 22:03 - 2017-06-19 22:03 - 4960380 _____ () C:\Users\ADMIN\AppData\Roaming\Microsoft\en_files.txt
2017-06-19 22:03 - 2017-06-20 22:14 - 4750814 _____ () C:\Users\ADMIN\AppData\Roaming\Microsoft\en_gfiles.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 4320054 _____ () C:\Users\ADMIN\AppData\Roaming\Microsoft\wp.jpg
2017-06-16 11:00 - 2017-06-16 10:59 - 0593477 _____ () C:\Users\ADMIN\AppData\Roaming\Microsoft\wpodll.exe
2017-06-21 14:08 - 2017-06-21 14:08 - 0000000 ____H () C:\ProgramData\cm-lock
2015-08-26 12:44 - 2015-08-26 12:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2017-04-09 12:07 - 2017-04-09 12:07 - 0000016 _____ () C:\ProgramData\mntemp
2017-04-11 13:31 - 2017-04-11 13:31 - 0012655 _____ () C:\ProgramData\mxnhytee.feu
 
Some files in TEMP:
====================
2017-06-21 22:54 - 2017-06-21 22:54 - 14451712 _____ (Luis Cobian, CobianSoft) C:\Users\ADMIN\AppData\Local\Temp\cbSetupE.exe
2017-06-21 22:01 - 2017-06-21 22:01 - 14456872 _____ (Microsoft Corporation) C:\Users\ADMIN\AppData\Local\Temp\vc_redist.x86.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-15 12:02
 
==================== End of FRST.txt ============================
 
Attached file: Addition.txt (24.93KB)

Edited by Orange Blossom, 22 June 2017 - 01:00 AM.
Made attachment appear



 


#2 nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:44 AM

Posted 22 June 2017 - 08:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

To expedite this matter I suggest you navigate to this topic.

https://www.bleepingcomputer.com/forums/t/633669/criptolocker-with-your-files-are-locked-syscopexe-en-filestxt/

Follow the links from that topic.

I hope you can get your files back, but I would not expect too much from it.

Good luck.

#3 kolonita
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:44 AM

Posted 24 June 2017 - 04:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

To expedite this matter I suggest you navigate to this topic.

https://www.bleepingcomputer.com/forums/t/633669/criptolocker-with-your-files-are-locked-syscopexe-en-filestxt/

Follow the links from that topic.

I hope you can get your files back, but I would not expect too much from it.

Good luck.

First of all, I appreciated your help (thank you).

I already read that topic.

I tried some steps and I don't know if the malware is gone or still hidden in my laptop (I tried to scan with ESET online scan) and there were no infected files; it showed that my laptop is clean.

About the files: some photos were recovered, but not all of them, and unfortunately no videos. I moved the files to an external hard drive and hope that someday I can recover all of them.

I want to ask you: if I do a whole format of the laptop and install a new version of Windows, will that solve the malware problem? And how can I prevent that from happening again?

Thanks in advance.



#4 nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:44 AM

Posted 24 June 2017 - 07:50 AM

No trace is normally left by the scumbag.

Run this scan and post both logs for my review.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
(screenshot: attachlogs.png)

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

To prevent future attacks I suggest this tool.
CryptoPrevent Malware Prevention
https://www.foolishit.com/cryptoprevent-malware-prevention/

#5 kolonita
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:44 AM

Posted 29 June 2017 - 02:48 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-06-2017
Ran by Koki (administrator) on KOLONITA (29-06-2017 21:43:12)
Running from C:\Users\ADMIN\Downloads
Loaded Profiles: Koki (Available Profiles: Koki)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\afwServ.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
() C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
(Waves Audio Ltd.) C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(MDL) C:\Windows\AutoKMS_VL_ALL\AutoKMS_VL_ALL.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7510232 2014-01-18] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374936 2014-01-14] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe [285272 2013-12-31] (Waves Audio Ltd.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2403104 2014-07-25] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239592 2017-05-31] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe [263232 2017-06-21] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [133760 2014-01-08] (Qualcomm®Atheros®)
HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3581816 2013-04-25] (Tonec Inc.)
HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\MountPoints2: {2055d254-2306-11e6-8276-c03896229454} - "D:\HTC_Sync_Manager_PC.exe" 
HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\MountPoints2: {c8e03725-55fc-11e5-8258-c03896229454} - "G:\HTC_Sync_Manager_PC.exe" 
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2012-11-16] (Tonec Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 127.0.0.1                   example.net
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3CD56462-EADB-4355-BA3D-96482889A010}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
Tcpip\..\Interfaces\{9F27EFC7-6E4C-4BDD-9331-8F18BCEE5DAA}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/ar-eg/?ocid=iehp
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2013-04-30] (Internet Download Manager, Tonec Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2013-04-30] (Internet Download Manager, Tonec Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-06-06] (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-04-19] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-04-19] (Oracle Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default [2017-06-29]
FF Homepage: Mozilla\Firefox\Profiles\6tnzsfu4.default -> hxxps://www.malwarebytes.org/restorebrowser/
FF Extension: (1-Click YouTube Video Downloader) - C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default\Extensions\YoutubeDownloader@PeterOlayev.com.xpi [2016-11-26]
FF Extension: (Video AdBlock) - C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default\Extensions\{068e178c-61a9-4a63-b74f-87404a6f5ea1} [2016-04-02]
FF Extension: (HNetCfg.FwAuthorizedApplication) - C:\Users\ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\6tnzsfu4.default\Extensions\{EC9297EA-74A6-B38F-0442-A1D40053D26E} [2017-04-10] [not signed]
FF HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\ADMIN\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\ADMIN\AppData\Roaming\IDM\idmmzcc5 [2015-08-26] [not signed]
FF HKU\S-1-5-21-3449532359-1381429811-3815724361-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\ADMIN\AppData\Roaming\IDM\idmmzcc5
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-04-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-04-19] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-05-01] (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-06-06] (Adobe Systems Inc.)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_By1OAEeGlWO7-ReH_rA-ussUydmAUGqC5OLxG5rzULnDCGXfYk1-tTxG-X_a0dRys23loIWYG1rDK3Rq8SHkhP8X50iqR5be9VhyxnSrUJ0fi_Ty8ALKLiUYpqulD6W8gWxxtk7_lZaj4IKkN75uHDaXp0-0UsNSeZRL5DoDarO0,
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://feed.wiki-search.me/?st=ds&query={searchTerms}
CHR DefaultSearchKeyword: Default -> Wiki Search.me
CHR Profile: C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default [2017-06-29]
CHR Extension: (Google Slides) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-04-10]
CHR Extension: (Google Docs) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-10]
CHR Extension: (Google Drive) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-10]
CHR Extension: (YouTube) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-10]
CHR Extension: (Adblock Plus) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-04-12]
CHR Extension: (Video Downloader professional) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2016-11-26]
CHR Extension: (Google Sheets) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-04-10]
CHR Extension: (Google Docs Offline) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-10]
CHR Extension: (AdBlock) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-06-29]
CHR Extension: (IDM Integration) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm [2015-08-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-20]
CHR Extension: (Gmail) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-10]
CHR Extension: (Chrome Media Router) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-16]
CHR HKLM-x32\...\Chrome\Extension: [jmolcgpienlcieaajfkkdamlngancncm] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2013-05-07]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [318592 2014-01-08] (Windows ® Win 7 DDK provider) [File not signed]
R2 AVG Antivirus; C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe [264432 2017-06-21] (AVG Technologies CZ, s.r.o.)
R2 AVG Firewall; C:\Program Files (x86)\AVG\Antivirus\afwServ.exe [311624 2017-06-21] (AVG Technologies CZ, s.r.o.)
R3 avgbIDSAgent; C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe [7396872 2017-06-21] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1428656 2017-05-31] (AVG Technologies CZ, s.r.o.)
S3 cfbackd; C:\Program Files (x86)\CleverFiles\Pandora Recovery\cfbackd.w32.exe [211520 2015-09-25] (CleverFiles)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
S2 locep; C:\ProgramData\\locep\\locep.exe [994304 2017-04-10] () [File not signed]
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1720608 2014-07-25] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [18956064 2014-07-25] (NVIDIA Corporation)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R4 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [5906704 2017-02-21] (AVG Technologies CZ, s.r.o.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [672208 2017-02-03] (Wacom Technology, Corp.)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3881472 2013-12-12] (Qualcomm Atheros Communications, Inc.)
R1 avgbdisk; C:\Windows\system32\drivers\avgbdiska.sys [166624 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgbidsdriver; C:\Windows\system32\drivers\avgbidsdrivera.sys [314128 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgbidsh; C:\Windows\system32\drivers\avgbidsha.sys [192584 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgblog; C:\Windows\system32\drivers\avgbloga.sys [336896 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgbuniv; C:\Windows\system32\drivers\avgbuniva.sys [51336 2017-06-21] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\Windows\system32\drivers\avgHwid.sys [39424 2017-06-21] (AVG Technologies CZ, s.r.o.)
R2 avgMonFlt; C:\Windows\system32\drivers\avgMonFlt.sys [129776 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgNetSec; C:\Windows\system32\drivers\avgNetSec.sys [509056 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgRdr; C:\Windows\system32\drivers\avgRdr2.sys [102280 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgRvrt; C:\Windows\system32\drivers\avgRvrt.sys [76832 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgSnx; C:\Windows\system32\drivers\avgSnx.sys [1008288 2017-06-21] (AVG Technologies CZ, s.r.o.)
R1 avgSP; C:\Windows\system32\drivers\avgSP.sys [570320 2017-06-21] (AVG Technologies CZ, s.r.o.)
R2 avgStm; C:\Windows\system32\drivers\avgStm.sys [160008 2017-06-21] (AVG Technologies CZ, s.r.o.)
R0 avgVmm; C:\Windows\system32\drivers\avgVmm.sys [340824 2017-06-21] (AVG Technologies CZ, s.r.o.)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-01-08] (Qualcomm Atheros)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-25] (OSR Open Systems Resources, Inc.)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 HtcVCom32; C:\Windows\system32\DRIVERS\HtcVComV64.sys [121800 2010-03-08] (QUALCOMM Incorporated)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20256 2014-07-25] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [41200 2014-01-15] (Synaptics Incorporated)
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [32304 2017-02-21] (AVG Netherlands B.V.)
S3 WacHidRouterPro; C:\Windows\System32\drivers\wachidrouter.sys [119952 2017-01-25] (Wacom Technology)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
S3 MBAMFarflt; \??\C:\Windows\system32\drivers\farflt.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-29 21:43 - 2017-06-29 21:43 - 00021864 _____ C:\Users\ADMIN\Downloads\FRST.txt
2017-06-29 21:42 - 2017-06-29 21:42 - 00000000 ____D C:\Users\ADMIN\Downloads\FRST-OlderVersion
2017-06-29 21:12 - 2017-06-29 21:12 - 00002760 _____ C:\Windows\System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance
2017-06-24 12:05 - 2017-06-24 12:33 - 00000045 _____ C:\Windows\ddconfig.ini
2017-06-24 12:05 - 2017-06-24 12:05 - 00000000 ____D C:\Users\ADMIN\Documents\Video
2017-06-24 11:52 - 2017-06-24 12:08 - 00000000 ____D C:\ProgramData\ParetoLogic
2017-06-24 11:52 - 2017-06-24 12:08 - 00000000 ____D C:\Program Files (x86)\ParetoLogic
2017-06-24 11:47 - 2017-06-24 11:47 - 00000996 _____ C:\Users\ADMIN\Desktop\ListCrilock.txt
2017-06-24 11:43 - 2017-06-24 11:43 - 00000000 ____D C:\Users\ADMIN\AppData\Local\CrashRpt
2017-06-24 11:42 - 2017-06-24 12:20 - 00000000 ____D C:\Users\ADMIN\AppData\Local\DiskDrill
2017-06-24 11:42 - 2017-06-24 11:42 - 00002635 _____ C:\Users\Public\Desktop\Pandora Recovery.lnk
2017-06-24 11:42 - 2017-06-24 11:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pandora Recovery
2017-06-24 11:42 - 2017-06-24 11:42 - 00000000 ____D C:\Program Files (x86)\CleverFiles
2017-06-22 12:11 - 2017-06-22 12:11 - 00000000 ____D C:\Users\ADMIN\AppData\Local\ESET
2017-06-22 12:09 - 2017-06-22 12:10 - 06754944 _____ (ESET spol. s r.o.) C:\Users\ADMIN\Downloads\esetonlinescanner_enu.exe
2017-06-22 12:04 - 2017-06-22 12:04 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\R-TT
2017-06-22 12:02 - 2017-06-22 14:34 - 00000000 ____D C:\Program Files (x86)\R-Studio
2017-06-22 12:02 - 2017-06-22 12:04 - 00000000 ____D C:\Users\ADMIN\Documents\R-TT
2017-06-22 12:02 - 2017-06-22 12:03 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\R-Studio
2017-06-22 11:45 - 2017-06-22 11:45 - 00000000 ____D C:\Users\ADMIN\Downloads\R-St_7.7
2017-06-22 11:41 - 2017-06-22 11:44 - 41684128 _____ C:\Users\ADMIN\Downloads\R-St_7.7.rar
2017-06-22 11:27 - 2017-06-22 14:29 - 00000000 ____D C:\Users\ADMIN\Downloads\Compressed
2017-06-22 11:21 - 2017-06-22 11:23 - 00000000 ____D C:\Users\ADMIN\Downloads\StupidDecrypter
2017-06-22 11:21 - 2017-06-22 11:21 - 00107164 _____ C:\Users\ADMIN\Downloads\StupidDecrypter.zip
2017-06-22 10:57 - 2017-06-24 12:09 - 00000000 ____D C:\Program Files (x86)\ShadowExplorer
2017-06-22 09:09 - 2017-06-22 09:09 - 00000000 ____H C:\ProgramData\cm-lock
2017-06-21 23:05 - 2017-06-21 23:16 - 00025532 _____ C:\Users\ADMIN\Downloads\Addition.txt
2017-06-21 23:04 - 2017-06-29 21:43 - 00000000 ____D C:\FRST
2017-06-21 23:02 - 2017-06-29 21:42 - 02440704 _____ (Farbar) C:\Users\ADMIN\Downloads\FRST64.exe
2017-06-21 22:54 - 2017-06-24 12:09 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 10
2017-06-21 22:13 - 2017-06-21 22:13 - 00003704 _____ C:\Windows\System32\Tasks\Java Platform SE Auto Updater
2017-06-21 22:13 - 2017-06-21 22:13 - 00003694 _____ C:\Windows\System32\Tasks\Adobe Reader and Acrobat Manager
2017-06-21 21:55 - 2017-06-21 21:55 - 00002576 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp.lnk
2017-06-21 21:55 - 2017-02-21 09:29 - 00053008 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\TURegOpt.exe
2017-06-21 17:15 - 2017-06-21 17:15 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\AVG
2017-06-21 17:13 - 2017-06-22 09:18 - 00004178 _____ C:\Windows\System32\Tasks\Antivirus Emergency Update
2017-06-21 17:12 - 2017-06-21 17:13 - 00160008 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgstm.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 01008288 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSnx.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00570320 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSP.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00401584 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2017-06-21 17:12 - 2017-06-21 17:12 - 00340824 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgVmm.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00129776 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgMonFlt.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00102280 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRdr2.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00076832 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRvrt.sys
2017-06-21 17:12 - 2017-06-21 17:12 - 00039424 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgHwid.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00509056 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgNetSec.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00336896 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbloga.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00314128 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsdrivera.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00192584 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsha.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00166624 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbdiska.sys
2017-06-21 17:12 - 2017-06-21 17:11 - 00051336 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbuniva.sys
2017-06-21 17:00 - 2017-06-21 17:00 - 00001028 _____ C:\Users\Public\Desktop\AVG.lnk
2017-06-21 17:00 - 2017-06-21 17:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2017-06-21 16:56 - 2017-06-24 11:52 - 00003600 _____ C:\Windows\System32\Tasks\AVG EUpdate Task
2017-06-21 16:56 - 2017-06-21 21:54 - 00000000 ____D C:\Program Files (x86)\AVG
2017-06-21 16:56 - 2017-06-21 16:56 - 00000000 ____D C:\Users\ADMIN\AppData\Local\CEF
2017-06-21 16:53 - 2017-06-21 21:55 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Avg
2017-06-21 16:53 - 2017-06-21 21:54 - 00000000 ____D C:\Users\ADMIN\AppData\Local\AvgSetupLog
2017-06-21 16:53 - 2017-06-21 21:54 - 00000000 ____D C:\ProgramData\Avg
2017-06-21 14:18 - 2017-06-21 14:18 - 00000000 _____ C:\autoexec.bat
2017-06-21 13:49 - 2017-06-22 11:09 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-21 13:45 - 2017-06-21 14:07 - 00001072 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2017-06-21 13:45 - 2017-06-21 13:46 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2017-06-21 13:45 - 2017-06-21 13:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2017-06-21 13:45 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2017-06-21 13:45 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-06-21 13:45 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-06-21 13:10 - 2017-06-21 13:10 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\www.shadowexplorer.com
2017-06-21 12:17 - 2017-06-21 13:02 - 00479680 _____ C:\Windows\ntbtlog.txt
2017-06-21 11:23 - 2017-06-21 11:41 - 00000370 _____ C:\Windows\system32\.crusader
2017-06-21 11:03 - 2017-06-21 11:25 - 00000000 ____D C:\ProgramData\HitmanPro
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !!.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !!!.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !!!!.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !!!!!.txt
2017-06-16 10:57 - 2017-06-16 10:57 - 00000000 ___RD C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2017-06-12 11:47 - 2017-06-20 22:13 - 00000625 _____ C:\Users\ADMIN\Desktop\New Text Document.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-29 21:33 - 2015-08-26 12:35 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3449532359-1381429811-3815724361-1001
2017-06-29 21:27 - 2015-08-26 13:13 - 00002175 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-06-29 21:10 - 2015-08-26 12:32 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-29 21:10 - 2013-08-22 15:36 - 00000000 ____D C:\Windows\Inf
2017-06-24 11:54 - 2015-08-27 15:28 - 00000000 ____D C:\Users\ADMIN\AppData\Local\CrashDumps
2017-06-24 11:27 - 2016-04-24 00:12 - 00000000 ____D C:\Users\ADMIN\Desktop\dina
2017-06-24 11:27 - 2015-08-26 12:29 - 00000000 ____D C:\Users\ADMIN
2017-06-24 11:08 - 2017-05-08 16:24 - 00003216 _____ C:\Windows\System32\Tasks\klcp_update
2017-06-22 11:27 - 2015-08-26 13:12 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\IDM
2017-06-22 09:09 - 2013-08-22 16:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-22 09:07 - 2015-08-26 13:12 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\DMCache
2017-06-22 09:07 - 2013-08-22 15:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2017-06-21 22:23 - 2015-08-30 17:19 - 00000000 ____D C:\ProgramData\Skype
2017-06-21 22:13 - 2017-05-10 21:38 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\MPC-HC
2017-06-21 22:13 - 2015-08-31 20:40 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Microsoft Help
2017-06-21 22:13 - 2015-08-30 17:19 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\Skype
2017-06-21 22:13 - 2015-08-26 13:12 - 00000000 ____D C:\Program Files (x86)\Internet Download Manager
2017-06-21 22:12 - 2017-04-17 12:52 - 00000000 ____D C:\Windows\Minidump
2017-06-21 22:12 - 2015-08-26 22:23 - 00000000 ____D C:\Windows\Panther
2017-06-21 22:01 - 2017-02-18 14:50 - 00000000 ____D C:\ProgramData\Package Cache
2017-06-21 17:32 - 2017-04-10 16:17 - 00000000 ____D C:\ProgramData\locep
2017-06-21 14:07 - 2015-10-29 12:57 - 00001123 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS6 (64 Bit).lnk
2017-06-21 14:07 - 2015-10-29 12:56 - 00001085 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6 (64bit).lnk
2017-06-21 14:07 - 2015-10-29 12:55 - 00001531 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS6.lnk
2017-06-21 14:07 - 2015-10-29 12:55 - 00001361 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS6.lnk
2017-06-21 14:07 - 2015-10-24 18:41 - 00001482 _____ C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Disk Cleanup.lnk
2017-06-21 14:07 - 2015-10-14 16:47 - 00000859 _____ C:\Users\ADMIN\Desktop\µTorrent.lnk
2017-06-21 14:07 - 2015-10-14 16:47 - 00000839 _____ C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2017-06-21 14:07 - 2015-10-12 21:35 - 00000978 _____ C:\Users\Public\Desktop\Guitar Pro 6.lnk
2017-06-21 14:07 - 2015-08-26 13:17 - 00001163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-06-21 14:07 - 2015-08-26 13:08 - 00002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2017-06-21 14:07 - 2015-08-26 13:07 - 00001027 _____ C:\ProgramData\Microsoft\Windows\Start Menu\WinRAR.lnk
2017-06-21 14:07 - 2015-08-26 12:58 - 00000716 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® HD Graphics Control Panel.lnk
2017-06-21 14:07 - 2015-08-26 12:29 - 00001422 _____ C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-06-21 13:32 - 2015-10-04 19:01 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-21 11:42 - 2017-05-08 20:08 - 00000000 ____D C:\Users\ADMIN\AppData\Local\8a29bfdc
2017-06-21 11:41 - 2017-04-10 13:33 - 00000000 ____D C:\Program Files\Common Files\volyqrhv
2017-06-19 22:03 - 2016-11-06 09:31 - 00019896 _____ C:\Users\ADMIN\Downloads\1.xlsx
2017-06-19 22:03 - 2016-07-27 22:24 - 00578470 _____ C:\Users\ADMIN\Downloads\2.pdf
2017-06-19 22:03 - 2016-01-27 20:58 - 00000165 ____H C:\Users\ADMIN\Documents\~$malikaaa's.xlsx
2017-06-19 21:43 - 2013-08-22 17:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-19 21:43 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\AppReadiness
2017-06-19 21:42 - 2015-08-26 12:29 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Packages
2017-06-17 15:01 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\system32\NDF
2017-06-17 14:56 - 2017-01-10 16:49 - 00000000 ____D C:\Users\ADMIN\AppData\LocalLow\Mozilla
2017-06-10 22:53 - 2015-08-27 08:44 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\uTorrent
 
==================== Files in the root of some directories =======
 
2017-05-07 14:29 - 2017-05-07 14:29 - 3667071 _____ () C:\Program Files\Common Files\lchw3kzv.exe
2017-05-06 11:55 - 2017-05-06 11:55 - 3666228 _____ () C:\Program Files\Common Files\na1l5gcd.exe
2017-05-05 11:08 - 2017-05-05 11:08 - 3666198 _____ () C:\Program Files\Common Files\ra2m2hp5.exe
2017-06-19 22:03 - 2017-06-19 22:03 - 4960380 _____ () C:\Users\ADMIN\AppData\Roaming\Microsoft\en_files.txt
2017-06-19 22:03 - 2017-06-20 22:14 - 4750814 _____ () C:\Users\ADMIN\AppData\Roaming\Microsoft\en_gfiles.txt
2017-06-20 22:19 - 2017-06-20 22:19 - 4320054 _____ () C:\Users\ADMIN\AppData\Roaming\Microsoft\wp.jpg
2017-06-16 11:00 - 2017-06-16 10:59 - 0593477 _____ () C:\Users\ADMIN\AppData\Roaming\Microsoft\wpodll.exe
2017-06-22 09:09 - 2017-06-22 09:09 - 0000000 ____H () C:\ProgramData\cm-lock
2015-08-26 12:44 - 2015-08-26 12:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2017-04-09 12:07 - 2017-04-09 12:07 - 0000016 _____ () C:\ProgramData\mntemp
2017-04-11 13:31 - 2017-04-11 13:31 - 0012655 _____ () C:\ProgramData\mxnhytee.feu
 
Some files in TEMP:
====================
2017-06-21 22:54 - 2017-06-21 22:54 - 14451712 _____ (Luis Cobian, CobianSoft) C:\Users\ADMIN\AppData\Local\Temp\cbSetupE.exe
2017-06-24 12:09 - 2017-06-21 10:59 - 11584088 _____ (SurfRight B.V.) C:\Users\ADMIN\AppData\Local\Temp\HitmanPro.exe
2017-06-21 22:01 - 2017-06-21 22:01 - 14456872 _____ (Microsoft Corporation) C:\Users\ADMIN\AppData\Local\Temp\vc_redist.x86.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-29 21:28
 
==================== End of FRST.txt ============================
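As an added triage example for the FRST log above (not code from the thread or from FRST itself; the heuristics and the sample lines are constructed from entries in this log), the parser below reads FRST's file-listing and service lines and flags the kinds of entries a helper ends up putting in a fixlist: ransom-note file names, unsigned executables in user-writable locations, random-looking 8-character names, and unsigned or missing service binaries.

```python
"""FRST (Farbar Recovery Scan Tool) log triage. Added example for this thread,
not part of FRST or of the original posts: parses the file-listing and service
lines FRST prints and applies constructed heuristics for picking fixlist entries."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

STAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d"
# "created - modified - size flags (signer) path"; signer is absent or "()"
# when FRST cannot attribute the file to a publisher.
FILE_RE = re.compile(rf"^{STAMP} - {STAMP} - (?P<size>\d+) (?P<flags>[_A-Z]{{5}}) "
                     r"(?:\((?P<signer>[^)]*)\) )?(?P<path>.+)$")
# "S2 name; path [size date] (signer) [File not signed]"
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ \d{4}-\d\d-\d\d\] "
                        r"(?:\((?P<signer>[^)]*)\))?(?P<tail>.*)$")
# "S3 name; path [X]" is FRST's notation for a service whose file is gone.
MISSING_RE = re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<path>.+) \[X\]$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr")
# Directories where an installer rarely leaves an unsigned executable.
SUSPECT_DIRS = (r"c:\programdata", r"c:\program files\common files",
                r"\appdata\roaming", r"\appdata\local\temp")
NOTE_RE = re.compile(r"files are locked|decrypt|how.?to.?recover", re.I)

@dataclass
class Finding:
    path: str
    reason: str

def looks_random(stem: str) -> bool:
    """Constructed heuristic: 8 alphanumerics containing digits or almost no
    vowels, like the lchw3kzv / volyqrhv names in this thread's log."""
    if len(stem) != 8 or not stem.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return any(c.isdigit() for c in stem) or vowels <= 1

def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one FRST line, or None when nothing stands out."""
    if m := MISSING_RE.match(line):
        return Finding(m["path"], f"service {m['name']} points at a missing file")
    if m := SERVICE_RE.match(line):
        if "[File not signed]" in m["tail"] or not m["signer"]:
            return Finding(m["path"], f"service {m['name']} runs an unsigned binary")
        return None
    if not (m := FILE_RE.match(line)):
        return None
    path, signer, low = m["path"], m["signer"], m["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    if NOTE_RE.search(name) and low.endswith((".txt", ".html", ".hta")):
        return Finding(path, "ransom-note style file name")
    if (not m["flags"].endswith("D") and low.endswith(EXEC_EXT) and not signer
            and any(d in low for d in SUSPECT_DIRS)):
        return Finding(path, "unsigned executable in a user-writable location")
    if not signer and "c:\\windows" not in low and looks_random(stem):
        return Finding(path, "random-looking 8-character name")
    return None

def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over every line and keep the hits, in log order."""
    return [f for f in (triage_line(l.strip()) for l in lines) if f]

# Constructed sample: lines copied from the FRST log posted in this thread.
SAMPLE_LINES = [
    r"2017-06-20 22:19 - 2017-06-20 22:19 - 00002766 _____ C:\Users\ADMIN\Desktop\Your files are locked !.txt",
    r"2017-05-07 14:29 - 2017-05-07 14:29 - 3667071 _____ () C:\Program Files\Common Files\lchw3kzv.exe",
    r"2017-06-21 11:41 - 2017-04-10 13:33 - 00000000 ____D C:\Program Files\Common Files\volyqrhv",
    r"2017-06-21 17:12 - 2017-06-21 17:12 - 00129776 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgMonFlt.sys",
    r"S2 locep; C:\ProgramData\\locep\\locep.exe [994304 2017-04-10] () [File not signed]",
    r"R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)",
    r"S3 MBAMFarflt; \??\C:\Windows\system32\drivers\farflt.sys [X]",
]
```

Running `triage(SAMPLE_LINES)` flags the ransom note, lchw3kzv.exe, the volyqrhv folder, the locep service and the missing MBAMFarflt driver, and leaves the signed AVG and Microsoft entries alone; the heuristics are deliberately loose, so every hit still needs a human look before it goes into a fixlist.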


#6 kolonita

kolonita
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:44 AM

Posted 29 June 2017 - 02:50 PM

Sorry for being late.



#7 kolonita

kolonita
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:44 AM

Posted 30 June 2017 - 04:56 AM

Hope this might help.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:44 AM

Posted 30 June 2017 - 08:51 AM

Hi,

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
CHR HomePage: Default -> hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_By1OAEeGlWO7-ReH_rA-ussUydmAUGqC5OLxG5rzULnDCGXfYk1-tTxG-X_a0dRys23loIWYG1rDK3Rq8SHkhP8X50iqR5be9VhyxnSrUJ0fi_Ty8ALKLiUYpqulD6W8gWxxtk7_lZaj4IKkN75uHDaXp0-0UsNSeZRL5DoDarO0,
CHR Extension: (Chrome Web Store Payments) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-20]
CHR Extension: (Chrome Media Router) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-16]
S2 locep; C:\ProgramData\\locep\\locep.exe [994304 2017-04-10] () [File not signed]
S3 MBAMFarflt; \??\C:\Windows\system32\drivers\farflt.sys [X]
C:\ProgramData\\locep\\locep.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

Please post the log and include the Addition.txt file created by the Farbar tool for my review.

#9 kolonita

kolonita
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:44 AM

Posted 02 July 2017 - 04:55 AM

Please post the log and include the Addition.txt file created by the Farbar tool for my review.

There is no Addition.txt created!!

And here is the Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2017
Ran by Koki (02-07-2017 11:44:34) Run:1
Running from C:\Users\ADMIN\Downloads
Loaded Profiles: Koki (Available Profiles: Koki)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
CHR HomePage: Default -> hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_By1OAEeGlWO7-ReH_rA-ussUydmAUGqC5OLxG5rzULnDCGXfYk1-tTxG-X_a0dRys23loIWYG1rDK3Rq8SHkhP8X50iqR5be9VhyxnSrUJ0fi_Ty8ALKLiUYpqulD6W8gWxxtk7_lZaj4IKkN75uHDaXp0-0UsNSeZRL5DoDarO0,
CHR Extension: (Chrome Web Store Payments) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-20]
CHR Extension: (Chrome Media Router) - C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-16]
S2 locep; C:\ProgramData\\locep\\locep.exe [994304 2017-04-10] () [File not signed]
S3 MBAMFarflt; \??\C:\Windows\system32\drivers\farflt.sys [X]
C:\ProgramData\\locep\\locep.exe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => key removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => key removed successfully
Chrome HomePage => removed successfully
C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\ADMIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\locep => key removed successfully
locep => service removed successfully
HKLM\System\CurrentControlSet\Services\MBAMFarflt => key removed successfully
MBAMFarflt => service removed successfully
C:\ProgramData\\locep\\locep.exe => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15992002 B
Java, Flash, Steam htmlcache => 709 B
Windows/system/drivers => -13568475 B
Edge => 0 B
Chrome => 916641787 B
Firefox => 45169372 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 857377 B
NetworkService => 3715454 B
ADMIN => 1304014876 B
 
RecycleBin => 25980 B
EmptyTemp: => 2.1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 11:46:56 ====


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:44 AM

Posted 02 July 2017 - 07:50 AM

If you have issues with the computer you can create an Addition.txt log by running the Farbar tool one more time.
Make sure that the box to create an Addition.txt file is checked and post it for my review.

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



