
Check OS status after ransomware attack


23 replies to this topic

#1 merced25

Posted 22 December 2017 - 09:19 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-12-2017
Ran by administrator (administrator) on ALFA (22-12-2017 11:07:34)
Running from C:\Users\administrator\Downloads
Loaded Profiles: administrator (Available Profiles: administrator)
Platform: Windows Server 2016 Standard (X64) Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Code Sector) C:\Program Files\TeraCopy\TeraCopyService.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast Business\AvastSvc.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\AMS\service\HpAmsStor.exe
(Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe
(Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Hewlett Packard Enterprise Development LP) C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Corporation) C:\Windows\System32\ntfrs.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Ammyy LLC) C:\Users\administrator\Desktop\AA_v3.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast Business\AvastUI.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbService.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
"Path" (%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\ -> %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\) <==== Repaired successfully
HKLM\...\Run: [QLogicSaveSystemInfo] => rundll32.exe qlco10011.dll,QLSaveSystemInfo
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [392072 2012-10-12] (Acronis)
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [8850344 2017-11-29] (Emsisoft Ltd)
HKLM-x32\...\Run: [avast] => C:\Program Files\AVAST Software\Avast Business\avastUI.exe [4770952 2016-10-24] (Avast Software s.r.o.)
HKLM-x32\...\Run: [C:\12090629546\howtodecryptaesfiles.txt] => C:\12090629546\howtodecryptaesfiles.txt
HKLM-x32\...\Run: [Cobian Backup 11 interface] => C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe [4407808 2013-03-07] (Luis Cobian, CobianSoft)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-4017227460-457275624-4033542720-500\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [41061856 2017-11-20] ()
Lsa: [Notification Packages] rassfm scecli
SecurityProviders: pwdssp.dll, credssp.dll
BootExecute: autocheck autochk /q /v * 
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{ca96c418-fb49-4ae9-9db3-75f1eee47840}: [NameServer] 192.168.10.251,127.0.0.1
 
Internet Explorer:
==================
HKU\S-1-5-21-4017227460-457275624-4033542720-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default [2017-12-22]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-11-22]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-11-22]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-02-15]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-02-15]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-11-22]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-02-15]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2017-07-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-10]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-02-15]
CHR Extension: (Chrome Media Router) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-18]
CHR HKU\S-1-5-21-4017227460-457275624-4033542720-500\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [9216648 2017-11-29] (Emsisoft Ltd)
R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [465920 2017-02-08] (Microsoft Corporation)
S2 AmmyyAdmin; C:\Users\administrator\Desktop\AA_v3.exe [773624 2017-05-17] (Ammyy LLC)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast Business\AvastSvc.exe [54344 2016-10-24] (Avast Software s.r.o.)
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
R2 CobianBackup11; C:\Program Files (x86)\Cobian Backup 11\cbService.exe [1131008 2013-03-07] (Luis Cobian, CobianSoft) [File not signed]
R2 Dfs; C:\Windows\system32\dfssvc.exe [454144 2017-02-08] (Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [3887104 2017-03-04] (Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [2078720 2016-09-15] (Microsoft Corporation)
S3 DsRoleSvc; C:\Windows\system32\dsrolesrv.dll [293376 2017-02-08] (Microsoft Corporation)
R2 HpAmsStor; C:\Program Files\Hewlett-Packard\AMS\service\HpAmsStor.exe [15248 2015-11-10] (Hewlett-Packard Company)
R2 hpqams; C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe [560528 2015-11-10] (Hewlett Packard Enterprise Development LP)
R2 IsmServ; C:\Windows\System32\ismserv.exe [69120 2017-02-08] (Microsoft Corporation)
R2 Kdc; C:\Windows\system32\kdcsvc.dll [564224 2017-03-04] (Microsoft Corporation)
S3 KdsSvc; C:\Windows\system32\KdsSvc.dll [37888 2017-02-08] (Microsoft Corporation)
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [177152 2016-07-16] (Microsoft Corporation)
S3 MaxSyncUpService; C:\Program Files (x86)\MaxSyncUp\msusvc.exe [2340080 2017-05-30] (@MAX Software)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 NTDS; C:\Windows\system32\ntdsa.dll [95744 2016-08-06] (Microsoft Corporation)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [1002496 2017-02-08] (Microsoft Corporation)
R2 ProLiantMonitor; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [259984 2015-02-09] (Hewlett-Packard Company)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [97280 2016-07-16] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [83968 2016-07-16] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [16896 2016-07-16] (Microsoft Corporation)
R2 sysdown; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [259984 2015-02-09] (Hewlett-Packard Company)
R2 TeraCopyService; C:\Program Files\TeraCopy\TeraCopyService.exe [110416 2017-05-05] (Code Sector)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [261120 2016-07-16] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-03-04] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90344 2016-10-24] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [80376 2016-10-24] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74680 2016-10-24] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1053392 2016-10-24] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [441944 2016-10-24] (Avast Software s.r.o.)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [78264 2016-10-24] (Avast Software s.r.o.)
S3 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292840 2016-10-24] ()
S0 bfad; C:\Windows\System32\drivers\bfad.sys [1964296 2014-09-29] (QLogic Corporation)
S0 bfadfcoei; C:\Windows\System32\drivers\bfadfcoei.sys [2279264 2016-07-16] (QLogic Corporation)
S0 bfadi; C:\Windows\System32\drivers\bfadi.sys [2279264 2016-07-16] (QLogic Corporation)
S0 bfad_up; C:\Windows\System32\drivers\bfad_up.sys [17160 2014-09-29] (QLogic Corporation)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [205152 2016-07-16] (QLogic Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [536416 2016-07-16] (QLogic Corporation)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [55648 2017-02-08] (Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [67424 2017-02-08] (Microsoft Corporation)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [758624 2016-07-16] (Emulex)
R1 epp; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [124552 2016-11-23] (Emsisoft Ltd)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R0 HPpSA; C:\Windows\System32\drivers\HPpSA.sys [32440 2015-11-17] (PMC-Sierra Company)
R3 hpqilo3chif; C:\Windows\system32\DRIVERS\hpqilo3chif.sys [43920 2013-11-23] (Hewlett-Packard Company)
R3 hpqilo3core; C:\Windows\System32\drivers\hpqilo3core.sys [47384 2013-05-22] (Hewlett-Packard Company)
R0 hpqilo3whea; C:\Windows\System32\DRIVERS\hpqilo3whea.sys [18472 2010-02-12] (Hewlett-Packard Company)
S0 HPSA2; C:\Windows\System32\drivers\HPSA2.sys [173456 2015-08-20] (Hewlett-Packard Company)
R0 HPSA3; C:\Windows\System32\drivers\HPSA3.sys [180408 2015-11-17] (PMC-Sierra Company)
S3 IPsecGW; C:\Windows\System32\drivers\ipsecgw.sys [18432 2016-07-16] (Microsoft Corporation)
S1 isiigddb; C:\Windows\system32\drivers\isiigddb.sys [72816 2017-12-16] (Microsoft Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2017-12-16] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\DRIVERS\farflt.sys [110016 2017-12-16] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [46008 2017-12-16] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2017-12-16] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [94144 2017-12-22] (Malwarebytes)
R1 MpKsl5562b123; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7AF27559-8179-444D-8A29-0016325D380D}\MpKsl5562b123.sys [58120 2017-12-20] (Microsoft Corporation)
S3 MsLbfoProvider; C:\Windows\System32\drivers\MsLbfoProvider.sys [121344 2016-07-16] (Microsoft Corporation)
S0 ql2300i; C:\Windows\System32\drivers\ql2300i.sys [1632608 2016-07-16] (QLogic Corporation)
S0 ql40xx2i; C:\Windows\System32\drivers\ql40xx2i.sys [475488 2016-07-16] (QLogic Corporation)
S0 qlfcoe; C:\Windows\System32\drivers\qlfcoe.sys [1357064 2015-03-24] (QLogic Corporation)
S0 qlfcoei; C:\Windows\System32\drivers\qlfcoei.sys [1300320 2016-07-16] (QLogic Corporation)
S3 RasGre; C:\Windows\System32\drivers\rasgre.sys [45056 2016-07-16] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [95072 2016-09-15] (Microsoft Corporation)
S3 smbdirect; C:\Windows\System32\DRIVERS\smbdirect.sys [159232 2016-09-15] (Microsoft Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2017-12-17] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2017-12-17] (Zemana Ltd.)
S3 vwifibus; \SystemRoot\System32\drivers\vwifibus.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-22 11:07 - 2017-12-22 11:08 - 000015715 _____ C:\Users\administrator\Downloads\FRST.txt
2017-12-22 11:07 - 2017-12-22 11:07 - 000000000 ____D C:\FRST
2017-12-22 11:06 - 2017-12-22 11:06 - 002392064 _____ (Farbar) C:\Users\administrator\Downloads\FRST64.exe
2017-12-21 02:21 - 2017-12-21 02:21 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-003
2017-12-21 01:51 - 2017-12-21 01:51 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-001
2017-12-21 01:47 - 2017-12-21 01:47 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-002
2017-12-21 01:44 - 2017-12-21 01:44 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-004
2017-12-21 01:42 - 2017-12-21 01:42 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-006
2017-12-21 01:40 - 2017-12-21 01:40 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-005
2017-12-21 01:39 - 2017-12-21 01:39 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-007
2017-12-21 01:39 - 2017-12-21 01:39 - 000000000 ____D C:\Users\administrator\Downloads\controlsalud-20171220T210156Z-001
2017-12-20 18:17 - 2017-12-20 19:52 - 1387098212 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-001.zip
2017-12-20 18:17 - 2017-12-20 19:50 - 1215464476 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-002.zip
2017-12-20 18:17 - 2017-12-20 19:48 - 1161162502 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-003.zip
2017-12-20 18:17 - 2017-12-20 19:45 - 1098453796 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-004.zip
2017-12-20 18:17 - 2017-12-20 19:36 - 934886682 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-006.zip
2017-12-20 18:17 - 2017-12-20 19:22 - 721786001 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-005.zip
2017-12-20 18:17 - 2017-12-20 18:42 - 251871437 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-007.zip
2017-12-20 18:02 - 2017-12-20 18:03 - 085306491 _____ C:\Users\administrator\Downloads\controlsalud-20171220T210156Z-001.zip
2017-12-19 11:18 - 2017-12-19 11:20 - 000000000 ____D C:\Program Files\Recuva
2017-12-19 11:18 - 2017-12-19 11:18 - 000003938 _____ C:\Windows\System32\Tasks\CCleaner Update
2017-12-19 11:18 - 2017-12-19 11:18 - 000002870 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-12-19 11:18 - 2017-12-19 11:18 - 000001699 _____ C:\Users\Public\Desktop\Recuva.lnk
2017-12-19 11:18 - 2017-12-19 11:18 - 000000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-12-19 11:18 - 2017-12-19 11:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Recuva
2017-12-19 11:18 - 2017-12-19 11:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-12-19 11:18 - 2017-12-19 11:18 - 000000000 ____D C:\Program Files\CCleaner
2017-12-19 11:16 - 2017-12-19 11:17 - 005562976 _____ (Piriform Ltd) C:\Users\administrator\Downloads\rcsetup153.exe
2017-12-18 15:12 - 2017-12-18 15:12 - 000000000 ____D C:\Users\administrator\AppData\Local\FSDART
2017-12-18 15:11 - 2017-12-18 15:18 - 000000000 ____D C:\ProgramData\F-Secure
2017-12-18 15:11 - 2017-12-18 15:11 - 000524248 _____ (F-Secure Corporation) C:\Users\administrator\Downloads\F-SecureOnlineScanner.exe
2017-12-18 15:11 - 2017-12-18 15:11 - 000000000 ____D C:\Users\administrator\AppData\Local\F-Secure
2017-12-18 15:10 - 2017-12-18 15:11 - 000000459 _____ C:\Windows\wininit.ini
2017-12-18 15:10 - 2017-12-18 15:10 - 000000000 ____D C:\ProgramData\McAfee Security Scan
2017-12-18 15:10 - 2017-12-18 15:10 - 000000000 ____D C:\ProgramData\McAfee
2017-12-18 15:09 - 2017-12-18 15:10 - 011026328 _____ (McAfee, Inc.) C:\Users\administrator\Downloads\SecurityScan_Release.exe
2017-12-18 10:25 - 2017-12-18 10:25 - 000000000 ____D C:\Users\administrator\AppData\Local\ESET
2017-12-18 10:24 - 2017-12-18 10:24 - 006968952 _____ (ESET spol. s r.o.) C:\Users\administrator\Downloads\esetonlinescanner_enu.exe
2017-12-17 10:20 - 2017-12-18 10:21 - 000000000 ____D C:\ProgramData\HitmanPro
2017-12-17 10:20 - 2017-12-17 10:21 - 011584088 _____ (SurfRight B.V.) C:\Users\administrator\Downloads\HitmanPro_x64.exe
2017-12-17 10:19 - 2017-12-17 10:19 - 011024040 _____ (SurfRight B.V.) C:\Users\administrator\Downloads\HitmanPro.exe
2017-12-17 02:25 - 2017-12-17 02:25 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-12-17 02:24 - 2017-12-17 10:18 - 000000000 ____D C:\ProgramData\RogueKiller
2017-12-17 02:24 - 2017-12-17 02:24 - 026867784 _____ (Adlice Software) C:\Users\administrator\Downloads\RogueKiller_portable64.exe
2017-12-17 01:35 - 2017-12-22 11:07 - 008150622 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-12-17 01:35 - 2017-12-22 11:07 - 007767645 _____ C:\Windows\ZAM.krnl.trace
2017-12-17 01:35 - 2017-12-17 01:35 - 000203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2017-12-17 01:35 - 2017-12-17 01:35 - 000203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2017-12-17 01:35 - 2017-12-17 01:35 - 000000000 ____D C:\Users\administrator\AppData\Local\Zemana
2017-12-17 01:34 - 2017-12-17 01:35 - 015808656 _____ (Copyright 2017.) C:\Users\administrator\Downloads\Zemana.AntiMalware.Portable (1).exe
2017-12-17 00:23 - 2017-12-17 00:24 - 015808656 _____ (Copyright 2017.) C:\Users\administrator\Downloads\Zemana.AntiMalware.Portable.exe
2017-12-17 00:20 - 2017-12-17 00:20 - 000002205 _____ C:\Users\administrator\Desktop\malwarebytes.txt
2017-12-16 22:43 - 2017-12-22 09:46 - 000094144 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-12-16 22:43 - 2017-12-16 22:43 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2017-12-16 22:43 - 2017-12-16 22:43 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-12-16 22:43 - 2017-12-16 22:43 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-12-16 22:42 - 2017-12-16 22:42 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2017-12-16 22:42 - 2017-12-16 22:42 - 000001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-16 22:42 - 2017-12-16 22:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-16 22:42 - 2017-12-16 22:42 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-12-16 22:42 - 2017-12-16 22:42 - 000000000 ____D C:\Program Files\Malwarebytes
2017-12-16 22:42 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-12-16 22:40 - 2017-12-16 22:41 - 083316440 _____ (Malwarebytes ) C:\Users\administrator\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374.exe
2017-12-16 18:58 - 2017-12-16 21:26 - 000000000 ____D C:\ProgramData\Emsisoft
2017-12-16 18:57 - 2017-12-16 18:57 - 000000937 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2017-12-16 18:57 - 2017-12-16 18:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2017-12-16 18:56 - 2017-12-22 10:59 - 000000000 ____D C:\Program Files\Emsisoft Anti-Malware
2017-12-16 18:47 - 2017-12-16 18:52 - 253383016 _____ (Emsisoft Ltd. ) C:\Users\administrator\Downloads\EmsisoftAntiMalwareSetup_bc.exe
2017-12-16 13:35 - 2017-12-16 13:35 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\isiigddb.sys
2017-12-14 15:36 - 2017-12-14 15:36 - 000000000 ____D C:\Windows\SysWOW64\XPSViewer
2017-12-14 15:35 - 2017-12-14 15:35 - 000000000 ____D C:\Program Files\Reference Assemblies
2017-12-14 15:35 - 2017-12-14 15:35 - 000000000 ____D C:\Program Files\MSBuild
2017-12-14 15:35 - 2017-12-14 15:35 - 000000000 ____D C:\Program Files (x86)\Reference Assemblies
2017-12-14 15:35 - 2017-12-14 15:35 - 000000000 ____D C:\Program Files (x86)\MSBuild
2017-12-14 15:31 - 2016-05-25 11:03 - 000778936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationNative_v0300.dll
2017-12-14 15:31 - 2016-05-25 11:03 - 000103120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2017-12-14 15:31 - 2016-05-25 11:03 - 000035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2017-12-14 15:30 - 2016-05-25 14:31 - 001166520 _____ (Microsoft Corporation) C:\Windows\system32\PresentationNative_v0300.dll
2017-12-14 15:30 - 2016-05-25 14:31 - 000124624 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2017-12-14 15:30 - 2016-05-25 14:31 - 000035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2017-12-14 15:26 - 2017-12-14 15:26 - 002869264 _____ (Microsoft Corporation) C:\Users\administrator\Downloads\dotNetFx35setup.exe
2017-12-14 15:21 - 2017-12-14 15:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2017-12-14 15:21 - 2017-12-14 15:21 - 000000000 ____D C:\Program Files (x86)\Cobian Backup 11
2017-12-14 15:19 - 2017-12-14 15:19 - 019709440 _____ (Luis Cobian, CobianSoft) C:\Users\administrator\Downloads\cbSetup.exe
2017-12-14 15:19 - 2017-12-14 15:19 - 000000000 ____D C:\Users\administrator\Desktop\Servicios sospechosos
2017-12-14 14:47 - 2017-12-14 15:38 - 000003656 _____ C:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask
2017-12-14 14:36 - 2017-12-21 02:29 - 000000000 ____D C:\Users\administrator\AppData\Roaming\TeraCopy
2017-12-14 14:36 - 2017-12-14 14:36 - 000000000 ___HD C:\Users\administrator\AppData\Roaming\Obsidium
2017-12-14 14:36 - 2017-12-14 14:36 - 000000000 ___HD C:\Users\administrator\.obs32
2017-12-14 14:35 - 2017-12-14 14:35 - 000001725 _____ C:\ProgramData\Microsoft\Windows\Start Menu\TeraCopy.lnk
2017-12-14 14:35 - 2017-12-14 14:35 - 000000000 ____D C:\Program Files\TeraCopy
2017-12-14 14:04 - 2017-12-14 14:05 - 000000000 ____D C:\Share copia encriptada
2017-12-12 12:26 - 2017-12-14 13:06 - 000636278 _____ C:\Windows\ntbtlog.txt
2017-12-09 17:01 - 2017-12-12 12:46 - 000000371 _____ C:\Users\Public\Desktop\RDP PORT CHANGED.txt
2017-12-09 17:01 - 2017-12-12 12:46 - 000000371 _____ C:\RDP PORT CHANGED.txt
2017-12-09 15:55 - 2017-12-09 15:55 - 000000162 _____ C:\Windows\SysWOW64\s3456784.txt
2017-12-09 06:30 - 2017-12-09 06:30 - 000000167 _____ C:\Users\Public\Desktop\OK_SNT.ntuser.dat.crashlog.txt
2017-12-09 06:29 - 2016-04-17 04:01 - 000000082 _____ C:\Windows\SysWOW64\decryptaesfiles.txt
2017-12-09 06:29 - 2016-02-03 18:38 - 000510456 _____ (Alexander Roshal) C:\Windows\SysWOW64\cfwin32.dll
2017-12-09 06:29 - 2013-01-09 07:26 - 000155736 _____ (Sysinternals) C:\Windows\SysWOW64\sdelete.dll
2017-12-06 12:52 - 2017-12-06 12:52 - 000000000 ____D C:\Program Files\Common Files\avast software
2017-12-06 01:10 - 2017-12-06 01:10 - 001322120 _____ (Acronis) C:\Windows\system32\Drivers\tib_mounter.sys
2017-12-06 00:29 - 2017-12-06 00:30 - 000000000 ____D C:\Users\administrator\Downloads\Acronis
2017-12-06 00:23 - 2017-12-06 00:24 - 000000012 ____N C:\Users\administrator\Desktop\Eventos de auditoria.txt
2017-12-05 14:27 - 2017-12-14 16:50 - 000000000 ____D C:\ProgramData\Acronis
2017-12-05 13:48 - 2017-12-05 13:49 - 000000000 ____D C:\Users\administrator\Downloads\Acronis.Backup.And.Recovery.Server.With.Universal.Restore.v11.5.32266.ES.Incl.Serial
2017-12-05 13:47 - 2017-12-05 13:47 - 001381582 _____ (Igor Pavlov) C:\Users\administrator\Downloads\7z1604-x64.exe
2017-12-05 13:47 - 2017-12-05 13:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2017-12-05 13:47 - 2017-12-05 13:47 - 000000000 ____D C:\Program Files\7-Zip
2017-12-05 11:29 - 2017-12-05 11:29 - 000000000 ____D C:\Users\administrator\AppData\Local\Comms
2017-11-29 21:49 - 2017-11-30 02:11 - 943465172 _____ C:\Users\administrator\Downloads\Acronis.Backup.And.Recovery.Server.With.Universal.Restore.v11.5.32266.ES.Incl.Serial.rar
2017-11-29 13:48 - 2017-11-29 13:48 - 000000000 ____D C:\Users\administrator\Downloads\Nueva carpeta
2017-11-22 20:52 - 2017-11-22 20:52 - 000000000 ____D C:\Users\administrator\AppData\LocalLow\Temp
2017-11-22 14:12 - 2017-11-22 14:17 - 000000000 ____D C:\ProgramData\Package Cache
2017-11-22 14:07 - 2017-11-22 14:07 - 001747504 _____ (Microsoft Corporation) C:\Users\administrator\Downloads\adksetup.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-22 11:07 - 2017-01-25 11:42 - 000072424 _____ C:\Windows\system32\driverslist.csv
2017-12-21 20:01 - 2017-02-15 10:27 - 000000000 ____D C:\Windows\NTDS
2017-12-17 03:20 - 2016-07-16 10:23 - 000000000 ____D C:\Windows\rescache
2017-12-17 03:06 - 2017-01-25 11:44 - 002897042 _____ C:\Windows\system32\PerfStringBackup.INI
2017-12-17 03:06 - 2016-09-12 08:25 - 001238820 _____ C:\Windows\system32\perfh00A.dat
2017-12-17 03:06 - 2016-09-12 08:25 - 000310748 _____ C:\Windows\system32\perfc00A.dat
2017-12-17 03:00 - 2016-09-12 08:44 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-12-15 05:27 - 2017-01-25 12:57 - 000002230 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-12-15 05:27 - 2017-01-25 12:57 - 000002218 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-12-14 15:38 - 2016-07-16 10:02 - 000000000 ____D C:\Windows\CbsTemp
2017-12-14 15:36 - 2016-07-16 10:23 - 000000000 ____D C:\Windows\SysWOW64\MUI
2017-12-14 15:36 - 2016-07-16 10:23 - 000000000 ____D C:\Windows\system32\MUI
2017-12-14 15:35 - 2016-07-16 10:21 - 000000000 ____D C:\Windows\INF
2017-12-14 15:20 - 2017-02-11 19:21 - 000000000 ____D C:\Users\administrator\AppData\Local\ConnectedDevicesPlatform
2017-12-14 15:04 - 2017-04-04 12:43 - 000004298 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2017-12-14 15:03 - 2017-02-15 10:31 - 000003416 _____ C:\Windows\system32\config\netlogon.dnb
2017-12-14 15:03 - 2017-02-15 10:31 - 000002125 _____ C:\Windows\system32\config\netlogon.dns
2017-12-14 15:02 - 2017-02-15 10:26 - 000000000 ____D C:\Windows\system32\dns
2017-12-14 14:59 - 2016-07-16 03:04 - 000065536 _____ C:\Windows\system32\config\BBI
2017-12-14 14:36 - 2017-02-11 19:21 - 000000000 ____D C:\Users\administrator
2017-12-14 14:29 - 2017-08-25 20:54 - 000002664 _____ C:\Windows\System32\Tasks\Finalizar backup
2017-12-14 14:29 - 2017-08-25 20:53 - 000002644 _____ C:\Windows\System32\Tasks\Iniciar backup
2017-12-14 13:13 - 2017-10-06 22:50 - 000000448 __RSH C:\Users\administrator\ntuser.pol
2017-12-14 13:12 - 2017-02-11 19:14 - 000003752 __RSH C:\ProgramData\ntuser.pol
2017-12-09 07:54 - 2017-03-07 23:23 - 000000000 ____D C:\Users\administrator\AppData\Roaming\TeamViewer
2017-12-09 07:53 - 2017-02-15 13:30 - 000000000 ____D C:\ProgramData\MaxSyncUp
2017-12-09 07:53 - 2017-01-25 12:58 - 000000000 ____D C:\Users\Administrador.ALFA\AppData\Roaming\TeamViewer
2017-12-09 07:53 - 2017-01-25 11:40 - 000000000 ____D C:\Users\Administrador.ALFA\AppData\Local\ConnectedDevicesPlatform
2017-12-09 07:53 - 2017-01-25 08:18 - 000000000 ___HD C:\cpqsystem
2017-12-09 07:53 - 2016-09-12 08:45 - 000000000 ____D C:\Users\Administrador\AppData\Local\ConnectedDevicesPlatform
2017-12-09 07:24 - 2017-08-25 22:46 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Backup and Sync from Google
2017-12-09 06:30 - 2017-03-09 10:22 - 000002296 ____N C:\Users\administrator\Documents\Default.rdp
2017-12-07 16:27 - 2017-08-25 22:46 - 000002075 _____ C:\Users\Public\Desktop\Google Slides.lnk
2017-12-06 12:52 - 2017-04-05 12:52 - 000000000 ____D C:\Windows\System32\Tasks\AVAST Software
2017-12-05 14:52 - 2017-07-26 15:39 - 000000000 ____D C:\Windows\system32\appmgmt
2017-12-05 14:27 - 2016-07-16 10:23 - 000000000 ____D C:\Windows\security
2017-11-22 20:36 - 2016-07-16 10:20 - 000713216 _____ (Microsoft Corporation) C:\Windows\system32\blbsrv.dll
2017-11-22 20:36 - 2016-07-16 10:20 - 000284160 _____ (Microsoft Corporation) C:\Windows\system32\wbadmin.exe
2017-11-22 20:36 - 2016-07-16 10:20 - 000274432 _____ (Microsoft Corporation) C:\Windows\system32\spp.dll
2017-11-22 20:36 - 2016-07-16 10:20 - 000078336 _____ (Microsoft Corporation) C:\Windows\system32\sxproxy.dll
2017-11-22 20:36 - 2016-07-16 10:20 - 000019456 _____ (Microsoft Corporation) C:\Windows\system32\srdelayed.exe
2017-11-22 20:36 - 2016-07-16 10:20 - 000015360 _____ (Microsoft Corporation) C:\Windows\system32\wsbapp_ps.dll
 
==================== Files in the root of some directories =======
 
2017-04-04 14:25 - 2017-04-04 14:25 - 000007605 ____N () C:\Users\administrator\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
2017-12-17 02:24 - 2016-11-11 07:13 - 001886344 _____ (Microsoft Corporation) C:\Users\administrator\AppData\Local\Temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-12-14 13:21
 
==================== End of FRST.txt ============================
 
 
==================== Files in the root of some directories =======
 
2017-04-04 14:25 - 2017-04-04 14:25 - 000007605 ____N () C:\Users\administrator\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
2017-12-17 02:24 - 2016-11-11 07:13 - 001886344 _____ (Microsoft Corporation) C:\Users\administrator\AppData\Local\Temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-12-14 13:21
 
==================== End of FRST.txt ============================



#2 merced25

merced25
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:06:54 AM

Posted 25 December 2017 - 05:06 AM

Hello, we have been victims of ransomware. I suspect that, in addition to encrypting a large number of files (which we were able to recover thanks to a backup), it modified parts of the operating system. I need help identifying what was done to services, executables, scheduled tasks and other components. What I have noticed is that some hidden folders were created, which I already deleted, a scheduled task named CreateExplorerShellUnelevatedTask, and some services that were renamed (their termination after deleting them): UnistoreSvc_690c9, PimIndexMaintenanceSvc_690c9, WpnUserService_690c9, OneSyncSvc_690c9, CDPUserSvc_690c9.
The OS is Windows Server 2016. Thank you very much!
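A read-only triage script for the kind of question asked in this post, added here as an editor's example (it is not from the thread's participants or from FRST). It walks the same autostart locations the FRST log covers (services, scheduled tasks, Run keys) and flags entries whose binary lives outside the Windows or Program Files trees, is not Authenticode-signed, or no longer exists. One caveat worth knowing before acting on names alone: services such as CDPUserSvc_690c9 or WpnUserService_690c9 follow the `Name_<hex>` pattern Windows uses for per-user service instances, so the script skips that pattern rather than flagging it. It assumes it is run from an elevated PowerShell prompt on the affected server; the helper names (`Get-ExePath`, `Test-Suspicious`) are the example's own.

```powershell
# Added example (editor's code, not from the thread): enumerate autostart
# locations and report entries a responder should review. Changes nothing.

$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ExePath([string]$cmd) {
    # Reduce a service/task command line to its executable path (strip quotes and arguments).
    if (-not $cmd) { return $null }
    if ($cmd.StartsWith('"')) { return ($cmd -split '"')[1] }
    return ($cmd -split ' ')[0]
}

function Test-Suspicious([string]$path) {
    # True when the binary is outside trusted roots, unsigned, or missing on disk.
    if (-not $path) { return $false }
    $full = [Environment]::ExpandEnvironmentVariables($path)
    $inTrusted = $trustedRoots | Where-Object { $full.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inTrusted) { return $true }
    if (Test-Path -LiteralPath $full) {
        return (Get-AuthenticodeSignature -LiteralPath $full).Status -ne 'Valid'
    }
    return $true   # orphaned entry: the target no longer exists
}

# 1. Services. Per-user service instances (Name_<hex LUID>) are created by Windows
#    itself, so they are excluded; everything else is judged by its binary.
Get-CimInstance Win32_Service | Where-Object { $_.Name -notmatch '_[0-9a-f]{5,8}$' } |
    ForEach-Object {
        $exe = Get-ExePath $_.PathName
        if (Test-Suspicious $exe) {
            [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Path = $exe; State = $_.State }
        }
    }

# 2. Scheduled tasks: every Exec action is checked the same way.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and (Test-Suspicious (Get-ExePath $a.Execute))) {
            [pscustomobject]@{ Source = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; Path = $a.Execute; State = $task.State }
        }
    }
}

# 3. Run keys in the 64-bit view, the 32-bit (WOW6432Node) view and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        $exe = Get-ExePath ([string]$p.Value)
        # A Run value that targets a non-executable (a .txt ransom note, for instance)
        # is reported regardless of where it lives.
        if ($exe -and ($exe -notmatch '\.exe$' -or (Test-Suspicious $exe))) {
            [pscustomobject]@{ Source = 'RunKey'; Name = "$k\$($p.Name)"; Path = $exe; State = '' }
        }
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to keep a record. Bare commands such as `rundll32.exe somefile.dll,Entry` carry no directory and will be reported; treat those as "verify manually" rather than as a verdict, and compare each finding against the corresponding FRST line before deciding anything.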


#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,740 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:54 AM

Posted 27 December 2017 - 09:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/666218 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 merced25

merced25
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:06:54 AM

Posted 27 December 2017 - 11:18 AM

Hello, we have been victims of ransomware. I suspect that, in addition to encrypting a large number of files (which we were able to recover thanks to a backup), it modified parts of the operating system. I need help identifying what was done to services, executables, scheduled tasks and other components. What I have noticed is that some hidden folders were created, which I already deleted, a scheduled task named CreateExplorerShellUnelevatedTask, and some services that were renamed (their termination after deleting them): UnistoreSvc_690c9, PimIndexMaintenanceSvc_690c9, WpnUserService_690c9, OneSyncSvc_690c9, CDPUserSvc_690c9.
 
I have the original CD of the operating system.
 
The OS is Windows Server 2016, 64-bit. Thank you very much!
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-12-2017
Ran by administrator (administrator) on ALFA (27-12-2017 13:10:29)
Running from C:\Users\administrator\Downloads
Loaded Profiles: administrator (Available Profiles: administrator)
Platform: Windows Server 2016 Standard (X64) Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Code Sector) C:\Program Files\TeraCopy\TeraCopyService.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast Business\AvastSvc.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\AMS\service\HpAmsStor.exe
(Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe
(Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Hewlett Packard Enterprise Development LP) C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Corporation) C:\Windows\System32\ntfrs.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Ammyy LLC) C:\Users\administrator\Desktop\AA_v3.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast Business\AvastUI.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbService.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
"Path" (%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\ -> %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\) <==== Repaired successfully
HKLM\...\Run: [QLogicSaveSystemInfo] => rundll32.exe qlco10011.dll,QLSaveSystemInfo
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [392072 2012-10-12] (Acronis)
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [8850344 2017-11-29] (Emsisoft Ltd)
HKLM-x32\...\Run: [avast] => C:\Program Files\AVAST Software\Avast Business\avastUI.exe [4770952 2016-10-24] (Avast Software s.r.o.)
HKLM-x32\...\Run: [C:\12090629546\howtodecryptaesfiles.txt] => C:\12090629546\howtodecryptaesfiles.txt
HKLM-x32\...\Run: [Cobian Backup 11 interface] => C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe [4407808 2013-03-07] (Luis Cobian, CobianSoft)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-4017227460-457275624-4033542720-500\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [41061856 2017-11-20] ()
Lsa: [Notification Packages] rassfm scecli
SecurityProviders: pwdssp.dll, credssp.dll
BootExecute: autocheck autochk /q /v * 
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{ca96c418-fb49-4ae9-9db3-75f1eee47840}: [NameServer] 192.168.10.251,127.0.0.1
 
Internet Explorer:
==================
HKU\S-1-5-21-4017227460-457275624-4033542720-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default [2017-12-27]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-11-22]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-11-22]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-02-15]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-02-15]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-11-22]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-02-15]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2017-07-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-10]
CHR Extension: (No Name) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-02-15]
CHR Extension: (Chrome Media Router) - C:\Users\administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-18]
CHR HKU\S-1-5-21-4017227460-457275624-4033542720-500\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [9216648 2017-11-29] (Emsisoft Ltd)
R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [465920 2017-02-08] (Microsoft Corporation)
S2 AmmyyAdmin; C:\Users\administrator\Desktop\AA_v3.exe [773624 2017-05-17] (Ammyy LLC)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast Business\AvastSvc.exe [54344 2016-10-24] (Avast Software s.r.o.)
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
R2 CobianBackup11; C:\Program Files (x86)\Cobian Backup 11\cbService.exe [1131008 2013-03-07] (Luis Cobian, CobianSoft) [File not signed]
R2 Dfs; C:\Windows\system32\dfssvc.exe [454144 2017-02-08] (Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [3887104 2017-03-04] (Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [2078720 2016-09-15] (Microsoft Corporation)
S3 DsRoleSvc; C:\Windows\system32\dsrolesrv.dll [293376 2017-02-08] (Microsoft Corporation)
R2 HpAmsStor; C:\Program Files\Hewlett-Packard\AMS\service\HpAmsStor.exe [15248 2015-11-10] (Hewlett-Packard Company)
R2 hpqams; C:\Program Files\Hewlett-Packard\AMS\service\hpqams.exe [560528 2015-11-10] (Hewlett Packard Enterprise Development LP)
R2 IsmServ; C:\Windows\System32\ismserv.exe [69120 2017-02-08] (Microsoft Corporation)
R2 Kdc; C:\Windows\system32\kdcsvc.dll [564224 2017-03-04] (Microsoft Corporation)
S3 KdsSvc; C:\Windows\system32\KdsSvc.dll [37888 2017-02-08] (Microsoft Corporation)
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [177152 2016-07-16] (Microsoft Corporation)
S3 MaxSyncUpService; C:\Program Files (x86)\MaxSyncUp\msusvc.exe [2340080 2017-05-30] (@MAX Software)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 NTDS; C:\Windows\system32\ntdsa.dll [95744 2016-08-06] (Microsoft Corporation)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [1002496 2017-02-08] (Microsoft Corporation)
R2 ProLiantMonitor; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [259984 2015-02-09] (Hewlett-Packard Company)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [97280 2016-07-16] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [83968 2016-07-16] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [16896 2016-07-16] (Microsoft Corporation)
R2 sysdown; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [259984 2015-02-09] (Hewlett-Packard Company)
R2 TeraCopyService; C:\Program Files\TeraCopy\TeraCopyService.exe [110416 2017-05-05] (Code Sector)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [261120 2016-07-16] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-03-04] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90344 2016-10-24] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [80376 2016-10-24] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74680 2016-10-24] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1053392 2016-10-24] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [441944 2016-10-24] (Avast Software s.r.o.)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [78264 2016-10-24] (Avast Software s.r.o.)
S3 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292840 2016-10-24] ()
S0 bfad; C:\Windows\System32\drivers\bfad.sys [1964296 2014-09-29] (QLogic Corporation)
S0 bfadfcoei; C:\Windows\System32\drivers\bfadfcoei.sys [2279264 2016-07-16] (QLogic Corporation)
S0 bfadi; C:\Windows\System32\drivers\bfadi.sys [2279264 2016-07-16] (QLogic Corporation)
S0 bfad_up; C:\Windows\System32\drivers\bfad_up.sys [17160 2014-09-29] (QLogic Corporation)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [205152 2016-07-16] (QLogic Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [536416 2016-07-16] (QLogic Corporation)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [55648 2017-02-08] (Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [67424 2017-02-08] (Microsoft Corporation)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [758624 2016-07-16] (Emulex)
R1 epp; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [124552 2016-11-23] (Emsisoft Ltd)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R0 HPpSA; C:\Windows\System32\drivers\HPpSA.sys [32440 2015-11-17] (PMC-Sierra Company)
R3 hpqilo3chif; C:\Windows\system32\DRIVERS\hpqilo3chif.sys [43920 2013-11-23] (Hewlett-Packard Company)
R3 hpqilo3core; C:\Windows\System32\drivers\hpqilo3core.sys [47384 2013-05-22] (Hewlett-Packard Company)
R0 hpqilo3whea; C:\Windows\System32\DRIVERS\hpqilo3whea.sys [18472 2010-02-12] (Hewlett-Packard Company)
S0 HPSA2; C:\Windows\System32\drivers\HPSA2.sys [173456 2015-08-20] (Hewlett-Packard Company)
R0 HPSA3; C:\Windows\System32\drivers\HPSA3.sys [180408 2015-11-17] (PMC-Sierra Company)
S3 IPsecGW; C:\Windows\System32\drivers\ipsecgw.sys [18432 2016-07-16] (Microsoft Corporation)
S1 isiigddb; C:\Windows\system32\drivers\isiigddb.sys [72816 2017-12-16] (Microsoft Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2017-12-16] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\DRIVERS\farflt.sys [110016 2017-12-16] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [46008 2017-12-16] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2017-12-16] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [94144 2017-12-27] (Malwarebytes)
R1 MpKslabc00e18; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{28A42F52-5F3E-47F5-9BB2-4F0BF5BFCDCC}\MpKslabc00e18.sys [58120 2017-12-26] (Microsoft Corporation)
S3 MsLbfoProvider; C:\Windows\System32\drivers\MsLbfoProvider.sys [121344 2016-07-16] (Microsoft Corporation)
S0 ql2300i; C:\Windows\System32\drivers\ql2300i.sys [1632608 2016-07-16] (QLogic Corporation)
S0 ql40xx2i; C:\Windows\System32\drivers\ql40xx2i.sys [475488 2016-07-16] (QLogic Corporation)
S0 qlfcoe; C:\Windows\System32\drivers\qlfcoe.sys [1357064 2015-03-24] (QLogic Corporation)
S0 qlfcoei; C:\Windows\System32\drivers\qlfcoei.sys [1300320 2016-07-16] (QLogic Corporation)
S3 RasGre; C:\Windows\System32\drivers\rasgre.sys [45056 2016-07-16] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [95072 2016-09-15] (Microsoft Corporation)
S3 smbdirect; C:\Windows\System32\DRIVERS\smbdirect.sys [159232 2016-09-15] (Microsoft Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2017-12-17] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2017-12-17] (Zemana Ltd.)
S3 vwifibus; \SystemRoot\System32\drivers\vwifibus.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-27 13:10 - 2017-12-27 13:11 - 000015715 _____ C:\Users\administrator\Downloads\FRST.txt
2017-12-27 13:09 - 2017-12-27 13:09 - 000000000 ____D C:\Users\administrator\Downloads\FRST-OlderVersion
2017-12-22 11:07 - 2017-12-27 13:10 - 000000000 ____D C:\FRST
2017-12-22 11:06 - 2017-12-27 13:09 - 002391552 _____ (Farbar) C:\Users\administrator\Downloads\FRST64.exe
2017-12-21 02:21 - 2017-12-21 02:21 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-003
2017-12-21 01:51 - 2017-12-21 01:51 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-001
2017-12-21 01:47 - 2017-12-21 01:47 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-002
2017-12-21 01:44 - 2017-12-21 01:44 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-004
2017-12-21 01:42 - 2017-12-21 01:42 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-006
2017-12-21 01:40 - 2017-12-21 01:40 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-005
2017-12-21 01:39 - 2017-12-21 01:39 - 000000000 ____D C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-007
2017-12-21 01:39 - 2017-12-21 01:39 - 000000000 ____D C:\Users\administrator\Downloads\controlsalud-20171220T210156Z-001
2017-12-20 18:17 - 2017-12-20 19:52 - 1387098212 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-001.zip
2017-12-20 18:17 - 2017-12-20 19:50 - 1215464476 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-002.zip
2017-12-20 18:17 - 2017-12-20 19:48 - 1161162502 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-003.zip
2017-12-20 18:17 - 2017-12-20 19:45 - 1098453796 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-004.zip
2017-12-20 18:17 - 2017-12-20 19:36 - 934886682 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-006.zip
2017-12-20 18:17 - 2017-12-20 19:22 - 721786001 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-005.zip
2017-12-20 18:17 - 2017-12-20 18:42 - 251871437 _____ C:\Users\administrator\Downloads\SATI-Q-20171220T210443Z-007.zip
2017-12-20 18:02 - 2017-12-20 18:03 - 085306491 _____ C:\Users\administrator\Downloads\controlsalud-20171220T210156Z-001.zip
2017-12-19 11:18 - 2017-12-19 11:20 - 000000000 ____D C:\Program Files\Recuva
2017-12-19 11:18 - 2017-12-19 11:18 - 000003938 _____ C:\Windows\System32\Tasks\CCleaner Update
2017-12-19 11:18 - 2017-12-19 11:18 - 000002870 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-12-19 11:18 - 2017-12-19 11:18 - 000001699 _____ C:\Users\Public\Desktop\Recuva.lnk
2017-12-19 11:18 - 2017-12-19 11:18 - 000000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-12-19 11:18 - 2017-12-19 11:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Recuva
2017-12-19 11:18 - 2017-12-19 11:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-12-19 11:18 - 2017-12-19 11:18 - 000000000 ____D C:\Program Files\CCleaner
2017-12-19 11:16 - 2017-12-19 11:17 - 005562976 _____ (Piriform Ltd) C:\Users\administrator\Downloads\rcsetup153.exe
2017-12-18 15:12 - 2017-12-18 15:12 - 000000000 ____D C:\Users\administrator\AppData\Local\FSDART
2017-12-18 15:11 - 2017-12-18 15:18 - 000000000 ____D C:\ProgramData\F-Secure
2017-12-18 15:11 - 2017-12-18 15:11 - 000524248 _____ (F-Secure Corporation) C:\Users\administrator\Downloads\F-SecureOnlineScanner.exe
2017-12-18 15:11 - 2017-12-18 15:11 - 000000000 ____D C:\Users\administrator\AppData\Local\F-Secure
2017-12-18 15:10 - 2017-12-18 15:11 - 000000459 _____ C:\Windows\wininit.ini
2017-12-18 15:10 - 2017-12-18 15:10 - 000000000 ____D C:\ProgramData\McAfee Security Scan
2017-12-18 15:10 - 2017-12-18 15:10 - 000000000 ____D C:\ProgramData\McAfee
2017-12-18 15:09 - 2017-12-18 15:10 - 011026328 _____ (McAfee, Inc.) C:\Users\administrator\Downloads\SecurityScan_Release.exe
2017-12-18 10:25 - 2017-12-18 10:25 - 000000000 ____D C:\Users\administrator\AppData\Local\ESET
2017-12-18 10:24 - 2017-12-18 10:24 - 006968952 _____ (ESET spol. s r.o.) C:\Users\administrator\Downloads\esetonlinescanner_enu.exe
2017-12-17 10:20 - 2017-12-18 10:21 - 000000000 ____D C:\ProgramData\HitmanPro
2017-12-17 10:20 - 2017-12-17 10:21 - 011584088 _____ (SurfRight B.V.) C:\Users\administrator\Downloads\HitmanPro_x64.exe
2017-12-17 10:19 - 2017-12-17 10:19 - 011024040 _____ (SurfRight B.V.) C:\Users\administrator\Downloads\HitmanPro.exe
2017-12-17 02:25 - 2017-12-17 02:25 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-12-17 02:24 - 2017-12-17 10:18 - 000000000 ____D C:\ProgramData\RogueKiller
2017-12-17 02:24 - 2017-12-17 02:24 - 026867784 _____ (Adlice Software) C:\Users\administrator\Downloads\RogueKiller_portable64.exe
2017-12-17 01:35 - 2017-12-27 13:11 - 015797688 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-12-17 01:35 - 2017-12-27 13:11 - 015049496 _____ C:\Windows\ZAM.krnl.trace
2017-12-17 01:35 - 2017-12-17 01:35 - 000203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2017-12-17 01:35 - 2017-12-17 01:35 - 000203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2017-12-17 01:35 - 2017-12-17 01:35 - 000000000 ____D C:\Users\administrator\AppData\Local\Zemana
2017-12-17 01:34 - 2017-12-17 01:35 - 015808656 _____ (Copyright 2017.) C:\Users\administrator\Downloads\Zemana.AntiMalware.Portable (1).exe
2017-12-17 00:23 - 2017-12-17 00:24 - 015808656 _____ (Copyright 2017.) C:\Users\administrator\Downloads\Zemana.AntiMalware.Portable.exe
2017-12-17 00:20 - 2017-12-17 00:20 - 000002205 _____ C:\Users\administrator\Desktop\malwarebytes.txt
2017-12-16 22:43 - 2017-12-27 11:46 - 000094144 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-12-16 22:43 - 2017-12-16 22:43 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2017-12-16 22:43 - 2017-12-16 22:43 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-12-16 22:43 - 2017-12-16 22:43 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-12-16 22:42 - 2017-12-16 22:42 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2017-12-16 22:42 - 2017-12-16 22:42 - 000001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-16 22:42 - 2017-12-16 22:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-16 22:42 - 2017-12-16 22:42 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-12-16 22:42 - 2017-12-16 22:42 - 000000000 ____D C:\Program Files\Malwarebytes
2017-12-16 22:42 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-12-16 22:40 - 2017-12-16 22:41 - 083316440 _____ (Malwarebytes ) C:\Users\administrator\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374.exe
2017-12-16 18:58 - 2017-12-16 21:26 - 000000000 ____D C:\ProgramData\Emsisoft
2017-12-16 18:57 - 2017-12-16 18:57 - 000000937 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2017-12-16 18:57 - 2017-12-16 18:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2017-12-16 18:56 - 2017-12-27 13:00 - 000000000 ____D C:\Program Files\Emsisoft Anti-Malware
2017-12-16 18:47 - 2017-12-16 18:52 - 253383016 _____ (Emsisoft Ltd. ) C:\Users\administrator\Downloads\EmsisoftAntiMalwareSetup_bc.exe
2017-12-16 13:35 - 2017-12-16 13:35 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\isiigddb.sys
2017-12-14 15:36 - 2017-12-14 15:36 - 000000000 ____D C:\Windows\SysWOW64\XPSViewer
2017-12-14 15:35 - 2017-12-14 15:35 - 000000000 ____D C:\Program Files\Reference Assemblies
2017-12-14 15:35 - 2017-12-14 15:35 - 000000000 ____D C:\Program Files\MSBuild
2017-12-14 15:35 - 2017-12-14 15:35 - 000000000 ____D C:\Program Files (x86)\Reference Assemblies
2017-12-14 15:35 - 2017-12-14 15:35 - 000000000 ____D C:\Program Files (x86)\MSBuild
2017-12-14 15:31 - 2016-05-25 11:03 - 000778936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationNative_v0300.dll
2017-12-14 15:31 - 2016-05-25 11:03 - 000103120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2017-12-14 15:31 - 2016-05-25 11:03 - 000035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2017-12-14 15:30 - 2016-05-25 14:31 - 001166520 _____ (Microsoft Corporation) C:\Windows\system32\PresentationNative_v0300.dll
2017-12-14 15:30 - 2016-05-25 14:31 - 000124624 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2017-12-14 15:30 - 2016-05-25 14:31 - 000035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2017-12-14 15:26 - 2017-12-14 15:26 - 002869264 _____ (Microsoft Corporation) C:\Users\administrator\Downloads\dotNetFx35setup.exe
2017-12-14 15:21 - 2017-12-14 15:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2017-12-14 15:21 - 2017-12-14 15:21 - 000000000 ____D C:\Program Files (x86)\Cobian Backup 11
2017-12-14 15:19 - 2017-12-14 15:19 - 019709440 _____ (Luis Cobian, CobianSoft) C:\Users\administrator\Downloads\cbSetup.exe
2017-12-14 15:19 - 2017-12-14 15:19 - 000000000 ____D C:\Users\administrator\Desktop\Servicios sospechosos
2017-12-14 14:47 - 2017-12-14 15:38 - 000003656 _____ C:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask
2017-12-14 14:36 - 2017-12-21 02:29 - 000000000 ____D C:\Users\administrator\AppData\Roaming\TeraCopy
2017-12-14 14:36 - 2017-12-14 14:36 - 000000000 ___HD C:\Users\administrator\AppData\Roaming\Obsidium
2017-12-14 14:36 - 2017-12-14 14:36 - 000000000 ___HD C:\Users\administrator\.obs32
2017-12-14 14:35 - 2017-12-14 14:35 - 000001725 _____ C:\ProgramData\Microsoft\Windows\Start Menu\TeraCopy.lnk
2017-12-14 14:35 - 2017-12-14 14:35 - 000000000 ____D C:\Program Files\TeraCopy
2017-12-14 14:04 - 2017-12-14 14:05 - 000000000 ____D C:\Share copia encriptada
2017-12-12 12:26 - 2017-12-14 13:06 - 000636278 _____ C:\Windows\ntbtlog.txt
2017-12-09 17:01 - 2017-12-12 12:46 - 000000371 _____ C:\Users\Public\Desktop\RDP PORT CHANGED.txt
2017-12-09 17:01 - 2017-12-12 12:46 - 000000371 _____ C:\RDP PORT CHANGED.txt
2017-12-09 15:55 - 2017-12-09 15:55 - 000000162 _____ C:\Windows\SysWOW64\s3456784.txt
2017-12-09 06:30 - 2017-12-09 06:30 - 000000167 _____ C:\Users\Public\Desktop\OK_SNT.ntuser.dat.crashlog.txt
2017-12-09 06:29 - 2016-04-17 04:01 - 000000082 _____ C:\Windows\SysWOW64\decryptaesfiles.txt
2017-12-09 06:29 - 2016-02-03 18:38 - 000510456 _____ (Alexander Roshal) C:\Windows\SysWOW64\cfwin32.dll
2017-12-09 06:29 - 2013-01-09 07:26 - 000155736 _____ (Sysinternals) C:\Windows\SysWOW64\sdelete.dll
2017-12-06 12:52 - 2017-12-06 12:52 - 000000000 ____D C:\Program Files\Common Files\avast software
2017-12-06 01:10 - 2017-12-06 01:10 - 001322120 _____ (Acronis) C:\Windows\system32\Drivers\tib_mounter.sys
2017-12-06 00:29 - 2017-12-06 00:30 - 000000000 ____D C:\Users\administrator\Downloads\Acronis
2017-12-06 00:23 - 2017-12-06 00:24 - 000000012 ____N C:\Users\administrator\Desktop\Eventos de auditoria.txt
2017-12-05 14:27 - 2017-12-14 16:50 - 000000000 ____D C:\ProgramData\Acronis
2017-12-05 13:48 - 2017-12-05 13:49 - 000000000 ____D C:\Users\administrator\Downloads\Acronis.Backup.And.Recovery.Server.With.Universal.Restore.v11.5.32266.ES.Incl.Serial
2017-12-05 13:47 - 2017-12-05 13:47 - 001381582 _____ (Igor Pavlov) C:\Users\administrator\Downloads\7z1604-x64.exe
2017-12-05 13:47 - 2017-12-05 13:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2017-12-05 13:47 - 2017-12-05 13:47 - 000000000 ____D C:\Program Files\7-Zip
2017-12-05 11:29 - 2017-12-05 11:29 - 000000000 ____D C:\Users\administrator\AppData\Local\Comms
2017-11-29 21:49 - 2017-11-30 02:11 - 943465172 _____ C:\Users\administrator\Downloads\Acronis.Backup.And.Recovery.Server.With.Universal.Restore.v11.5.32266.ES.Incl.Serial.rar
2017-11-29 13:48 - 2017-11-29 13:48 - 000000000 ____D C:\Users\administrator\Downloads\Nueva carpeta
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-27 13:10 - 2017-01-25 11:42 - 000072424 _____ C:\Windows\system32\driverslist.csv
2017-12-26 20:00 - 2017-02-15 10:27 - 000000000 ____D C:\Windows\NTDS
2017-12-17 03:20 - 2016-07-16 10:23 - 000000000 ____D C:\Windows\rescache
2017-12-17 03:06 - 2017-01-25 11:44 - 002897042 _____ C:\Windows\system32\PerfStringBackup.INI
2017-12-17 03:06 - 2016-09-12 08:25 - 001238820 _____ C:\Windows\system32\perfh00A.dat
2017-12-17 03:06 - 2016-09-12 08:25 - 000310748 _____ C:\Windows\system32\perfc00A.dat
2017-12-17 03:00 - 2016-09-12 08:44 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-12-15 05:27 - 2017-01-25 12:57 - 000002230 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-12-15 05:27 - 2017-01-25 12:57 - 000002218 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-12-14 15:38 - 2016-07-16 10:02 - 000000000 ____D C:\Windows\CbsTemp
2017-12-14 15:36 - 2016-07-16 10:23 - 000000000 ____D C:\Windows\SysWOW64\MUI
2017-12-14 15:36 - 2016-07-16 10:23 - 000000000 ____D C:\Windows\system32\MUI
2017-12-14 15:35 - 2016-07-16 10:21 - 000000000 ____D C:\Windows\INF
2017-12-14 15:20 - 2017-02-11 19:21 - 000000000 ____D C:\Users\administrator\AppData\Local\ConnectedDevicesPlatform
2017-12-14 15:04 - 2017-04-04 12:43 - 000004298 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2017-12-14 15:03 - 2017-02-15 10:31 - 000003416 _____ C:\Windows\system32\config\netlogon.dnb
2017-12-14 15:03 - 2017-02-15 10:31 - 000002125 _____ C:\Windows\system32\config\netlogon.dns
2017-12-14 15:02 - 2017-02-15 10:26 - 000000000 ____D C:\Windows\system32\dns
2017-12-14 14:59 - 2016-07-16 03:04 - 000065536 _____ C:\Windows\system32\config\BBI
2017-12-14 14:36 - 2017-02-11 19:21 - 000000000 ____D C:\Users\administrator
2017-12-14 14:29 - 2017-08-25 20:54 - 000002664 _____ C:\Windows\System32\Tasks\Finalizar backup
2017-12-14 14:29 - 2017-08-25 20:53 - 000002644 _____ C:\Windows\System32\Tasks\Iniciar backup
2017-12-14 13:13 - 2017-10-06 22:50 - 000000448 __RSH C:\Users\administrator\ntuser.pol
2017-12-14 13:12 - 2017-02-11 19:14 - 000003752 __RSH C:\ProgramData\ntuser.pol
2017-12-09 07:54 - 2017-03-07 23:23 - 000000000 ____D C:\Users\administrator\AppData\Roaming\TeamViewer
2017-12-09 07:53 - 2017-02-15 13:30 - 000000000 ____D C:\ProgramData\MaxSyncUp
2017-12-09 07:53 - 2017-01-25 12:58 - 000000000 ____D C:\Users\Administrador.ALFA\AppData\Roaming\TeamViewer
2017-12-09 07:53 - 2017-01-25 11:40 - 000000000 ____D C:\Users\Administrador.ALFA\AppData\Local\ConnectedDevicesPlatform
2017-12-09 07:53 - 2017-01-25 08:18 - 000000000 ___HD C:\cpqsystem
2017-12-09 07:53 - 2016-09-12 08:45 - 000000000 ____D C:\Users\Administrador\AppData\Local\ConnectedDevicesPlatform
2017-12-09 07:24 - 2017-08-25 22:46 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Backup and Sync from Google
2017-12-09 06:30 - 2017-03-09 10:22 - 000002296 ____N C:\Users\administrator\Documents\Default.rdp
2017-12-07 16:27 - 2017-08-25 22:46 - 000002075 _____ C:\Users\Public\Desktop\Google Slides.lnk
2017-12-06 12:52 - 2017-04-05 12:52 - 000000000 ____D C:\Windows\System32\Tasks\AVAST Software
2017-12-05 14:52 - 2017-07-26 15:39 - 000000000 ____D C:\Windows\system32\appmgmt
2017-12-05 14:27 - 2016-07-16 10:23 - 000000000 ____D C:\Windows\security
 
==================== Files in the root of some directories =======
 
2017-04-04 14:25 - 2017-04-04 14:25 - 000007605 ____N () C:\Users\administrator\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
2017-12-17 02:24 - 2016-11-11 07:13 - 001886344 _____ (Microsoft Corporation) C:\Users\administrator\AppData\Local\Temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-12-14 13:21
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by administrator (27-12-2017 13:12:43)
Running from C:\Users\administrator\Downloads
Windows Server 2016 Standard (X64) (2017-01-25 14:39:44)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
Guest (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
krbtgt (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
DefaultAccount (S-1-5-21-3983913466-1508181481-3891534483-503 - Limited - Disabled)
SUPPORT_388945a0 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
agorenstein (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
lprudent (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dsatragno (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
csilvestre (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
nvain (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cgarcia (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
nrossato (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cvecchiarelli (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IUSR_ALFA (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IWAM_ALFA (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
aquiroga (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
meserra (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
asistente (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
secretaria (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rmsoria (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IUSR_BETA (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IWAM_BETA (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
investigacion (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
gchattas (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
estudios (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
becario (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
comunicacion (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
desarrolloinstitucio (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
recepcion (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
avarela (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
enfermeria (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mkenny (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mlvbalaguer (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
BETA$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
NEWALFA$ (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
ALFA$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
@MAX SyncUp 6.0 (HKLM\...\{68EF9E48-C970-4124-BBC1-85C8ADD59109}_is1) (Version:  - @MAX Software)
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
avast! File Server Security (HKLM-x32\...\avast) (Version: 8.0.1609.0 - AVAST Software)
Backup and Sync from Google (HKLM-x32\...\{908DB568-E5FA-40C7-A2AA-AB340190858B}) (Version: 3.38.7642.3857 - Google, Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.38 - Piriform)
Cobian Backup 11 Gravity (HKLM-x32\...\CobBackup11) (Version:  - )
Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 2017.4 - Emsisoft Ltd.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.84 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
HP ProLiant iLO 3/4 Management Controller Package (HKLM\...\HP-{15EC9FFF-3B11-4F2A-92F8-F63F33F64B31}) (Version: 3.20.0.0 - Hewlett-Packard Company)
HPE ProLiant Agentless Management Service (HKLM\...\{89C1F171-F24A-401C-B688-FAE669866478}) (Version: 10.40.0.0 - Hewlett Packard Enterprise Development LP) Hidden
HPE ProLiant Agentless Management Service (HKLM\...\HP-{EDE88CBB-3384-4DDA-B23B-7E54A3F4344F}) (Version: 10.40.0.0 - Hewlett Packard Enterprise Development LP)
Malwarebytes versión 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
MergeModule2012 (HKLM\...\{3E0D2B4B-CA5F-40D6-B0AE-648008897125}) (Version: 1.0.0 - Microsoft) Hidden
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Recuva (HKLM\...\Recuva) (Version: 1.53 - Piriform)
TeraCopy version 3.26 (HKLM\...\TeraCopy_is1) (Version: 3.26 - Code Sector)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-11-20] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-11-20] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-11-20] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast Business\ashShA64.dll [2016-10-24] (Avast Software s.r.o.)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast Business\ashShA64.dll [2016-10-24] (Avast Software s.r.o.)
ContextMenuHandlers1: [GDContextMenu] -> {BB02B294-8425-42E5-983F-41A1FA970CD6} => C:\Program Files (x86)\Google\Drive\contextmenu64.dll [2017-11-20] (Google)
ContextMenuHandlers1: [TeraCopy] -> {A8005AF0-D6E8-48AF-8DFA-023B1CF660A7} => C:\Program Files\TeraCopy\TeraCopyExt.dll [2016-12-07] ()
ContextMenuHandlers2-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers2-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers2-x32: [TeraCopy] -> {A8005AF0-D6E8-48AF-8DFA-023B1CF660A7} => C:\Program Files\TeraCopy\TeraCopyExt.dll [2016-12-07] ()
ContextMenuHandlers3: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast Business\ashShA64.dll [2016-10-24] (Avast Software s.r.o.)
ContextMenuHandlers3-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers3-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers3-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers4: [GDContextMenu] -> {BB02B294-8425-42E5-983F-41A1FA970CD6} => C:\Program Files (x86)\Google\Drive\contextmenu64.dll [2017-11-20] (Google)
ContextMenuHandlers4: [RecuvaShellExt] -> {435E5DF5-2510-463C-B223-BDA47006D002} => C:\Program Files\Recuva\RecuvaShell64.dll [2016-06-06] (Piriform Ltd)
ContextMenuHandlers4: [TeraCopy] -> {A8005AF0-D6E8-48AF-8DFA-023B1CF660A7} => C:\Program Files\TeraCopy\TeraCopyExt.dll [2016-12-07] ()
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast Business\ashShA64.dll [2016-10-24] (Avast Software s.r.o.)
ContextMenuHandlers6-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers6-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers6-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6-x32: [RecuvaShellExt] -> {435E5DF5-2510-463C-B223-BDA47006D002} => C:\Program Files\Recuva\RecuvaShell64.dll [2016-06-06] (Piriform Ltd)
ContextMenuHandlers6-x32: [TeraCopy] -> {A8005AF0-D6E8-48AF-8DFA-023B1CF660A7} => C:\Program Files\TeraCopy\TeraCopyExt.dll [2016-12-07] ()
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {005E9852-43C1-4545-9089-3B62C3790C01} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\avast software\overseer\overseer.exe [2017-12-06] (AVAST Software)
Task: {01D24577-4E2B-4858-9B61-043DCF098E87} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-12-13] (Piriform Ltd)
Task: {18CFC687-ED43-4982-9DE7-FBC9E36BFEF6} - System32\Tasks\Microsoft\Windows\PLA\Server Manager Performance Monitor => %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"
Task: {2CFC8EDF-FE50-4562-B8D3-DF254C3E018F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-01-25] (Google Inc.)
Task: {41600EBB-B4B7-472A-9F58-8AA04A7F8984} - System32\Tasks\Microsoft\Windows\Network Controller\SDN Diagnostics Task
Task: {423523CC-C7A9-46CD-B449-0C6C806C3F8D} - System32\Tasks\Microsoft\Windows\Software Inventory Logging\Configuration => %systemroot%\system32\cmd.exe /d /c %systemroot%\system32\silcollector.cmd configure
Task: {51AE33E2-880E-4C98-9283-D504F1A0142A} - System32\Tasks\Iniciar backup => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2017-11-20] ()
Task: {7A51A7AB-56A0-440E-92B8-274FE8092C1A} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe
Task: {B3969132-6F86-4C86-8112-7654CCE8EE1D} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast Business\AvastEmUpdate.exe [2017-04-05] (Avast Software s.r.o.)
Task: {C42217E9-71C2-483D-932D-C517BA56D1A3} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2017-12-13] (Piriform Ltd)
Task: {D27F3323-DB9F-42A6-8FE1-E91CFC98449C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-01-25] (Google Inc.)
Task: {DF1BA6A6-82D9-4DF9-A787-7804CDFA74B5} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2016-07-16] (Microsoft Corporation)
Task: {E0A67649-21C8-4620-81A8-EACF01A98AC3} - System32\Tasks\Microsoft\Windows\Software Inventory Logging\Collection => %systemroot%\system32\cmd.exe /d /c %systemroot%\system32\silcollector.cmd publish
Task: {EFDC23D7-2F66-41E7-8D44-7E7532F8AABD} - System32\Tasks\Finalizar backup => taskkill [Argument = /f /im googledrivesync.exe]
Task: {F0240DDF-FDD2-46B9-8664-34A1B0825CD3} - System32\Tasks\Microsoft\Windows\Server Manager\CleanupOldPerfLogs => %systemroot%\system32\cscript.exe /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1) $(Arg2)
Task: {F4FA9ECF-F4C5-4FA5-AE74-EA2ABA016D2C} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\explorer.exe /NOUACCHECK
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 10:18 - 2016-07-16 10:18 - 000231424 _____ () C:\Windows\SYSTEM32\ism32k.dll
2017-03-18 18:49 - 2017-03-04 04:19 - 002681200 _____ () C:\Windows\system32\CoreUIComponents.dll
2015-11-10 08:46 - 2015-11-10 08:46 - 000044944 _____ () C:\Program Files\Hewlett-Packard\AMS\service\CQMGSTOR.dll
2015-11-10 08:46 - 2015-11-10 08:46 - 000038800 _____ () C:\Program Files\Hewlett-Packard\AMS\service\cqstrutl.dll
2015-11-10 08:46 - 2015-11-10 08:46 - 000056208 _____ () C:\Program Files\Hewlett-Packard\AMS\service\CPQIDE.DLL
2015-11-10 08:46 - 2015-11-10 08:46 - 000054160 _____ () C:\Program Files\Hewlett-Packard\AMS\service\CPQMDISK.dll
2015-11-10 08:46 - 2015-11-10 08:46 - 000067984 _____ () C:\Program Files\Hewlett-Packard\AMS\service\CPQMSCSI.DLL
2015-11-10 08:47 - 2015-11-10 08:47 - 000065936 _____ () C:\Program Files\Hewlett-Packard\AMS\service\CPQSAS.DLL
2015-11-10 08:47 - 2015-11-10 08:47 - 000344464 _____ () C:\Program Files\Hewlett-Packard\AMS\service\w2kmgAMS.dll
2017-11-20 15:27 - 2017-11-20 15:27 - 041061856 _____ () C:\Program Files (x86)\Google\Drive\googledrivesync.exe
2017-12-14 14:35 - 2016-12-07 16:40 - 003681104 _____ () C:\Program Files\TeraCopy\TeraCopyExt.dll
2017-12-14 14:35 - 2017-03-14 16:51 - 001714688 _____ () C:\Program Files\TeraCopy\TeraCopy64.dll
2017-01-25 18:05 - 2016-09-07 01:56 - 000134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-03-18 18:47 - 2017-03-04 03:31 - 000474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-03-18 18:48 - 2017-03-04 03:12 - 009760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-03-18 18:48 - 2017-03-04 03:05 - 001401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-03-18 18:48 - 2017-03-04 03:05 - 000757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-03-18 18:48 - 2017-03-04 03:05 - 002424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-03-18 18:49 - 2017-03-04 03:08 - 004853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-12-16 22:42 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-12-16 22:42 - 2017-11-29 09:11 - 002358728 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-12-15 05:27 - 2017-12-06 01:24 - 002873688 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.84\swiftshader\libglesv2.dll
2017-12-15 05:26 - 2017-12-06 01:24 - 000137048 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.84\swiftshader\libegl.dll
2017-12-17 11:17 - 2017-12-17 10:00 - 005116928 _____ () C:\Program Files\AVAST Software\Avast Business\defs\17121700\algo.dll
2017-12-26 12:01 - 2017-12-26 08:55 - 005116928 _____ () C:\Program Files\AVAST Software\Avast Business\defs\17122602\algo.dll
2017-12-14 15:03 - 2017-12-14 15:03 - 000088064 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\_ctypes.pyd
2017-12-14 15:03 - 2017-12-14 15:03 - 000919552 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\_hashlib.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000098816 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32api.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000110080 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\pywintypes27.dll
2017-12-14 15:04 - 2017-12-14 15:04 - 000364544 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\pythoncom27.dll
2017-12-14 15:04 - 2017-12-14 15:04 - 000686080 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\unicodedata.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000320512 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32com.shell.shell.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 001177088 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\wx._core_.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000806912 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\wx._gdi_.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000816640 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\wx._windows_.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 001067520 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\wx._controls_.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000733696 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\wx._misc_.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000736256 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\pysqlite2._sqlite.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000119808 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32file.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000108544 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32security.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000007168 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\hashobjs_ext.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000017920 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\thumbnails_ext.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000082432 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\usb_ext.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000013824 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\common.time34.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000018432 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32event.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000027648 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\windows.conditional.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000017408 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\windows.winwrap.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000089088 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\windows.volumes.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000167936 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32gui.pyd
2017-12-14 15:03 - 2017-12-14 15:03 - 000046080 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\_socket.pyd
2017-12-14 15:03 - 2017-12-14 15:04 - 001311744 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\_ssl.pyd
2017-12-14 15:03 - 2017-12-14 15:03 - 000129536 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\_elementtree.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000127488 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\pyexpat.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000038912 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32inet.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000077824 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\wx._html2.pyd
2017-12-14 15:03 - 2017-12-14 15:03 - 000036864 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\_psutil_windows.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000524248 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\windows._lib_cacheinvalidation.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000011264 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32crypt.pyd
2017-12-14 15:03 - 2017-12-14 15:03 - 000218624 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\PIL._imaging.pyd
2017-12-14 15:03 - 2017-12-14 15:03 - 000027648 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\_multiprocessing.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000020480 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\_yappi.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000035840 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32process.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000024064 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32pipe.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000010240 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\select.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000025600 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32pdh.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000059392 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\windows.device_monitor.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000017408 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32profile.pyd
2017-12-14 15:04 - 2017-12-14 15:04 - 000022528 _____ () C:\Users\administrator\AppData\Local\Temp\_MEI42442\win32ts.pyd
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Windows\system32\Drivers\isiigddb.sys:changelist [284]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-07-16 10:23 - 2016-07-16 10:21 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-4017227460-457275624-4033542720-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.10.251 - 127.0.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe
FirewallRules: [SLBM-MUX-IN-TCP] => (Allow) %SystemRoot%\system32\MuxSvcHost.exe
FirewallRules: [{F46E6A2D-C711-4775-93CA-34A842FCE997}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{65EE5DC5-F9AC-45EF-B8FD-2F165920382B}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{C2722FEE-2A17-4EA3-BAA3-A5C0404D263C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{644229C8-1D06-4243-9854-0A67B2A475C0}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [NTFRS-NTFRSSvc-In-TCP] => (Allow) %SystemRoot%\system32\NTFRS.exe
FirewallRules: [DfsMgmt-In-TCP] => (Block) %systemroot%\system32\dfsfrsHost.exe
FirewallRules: [DfSMgmt-DCOM-In-TCP] => (Block) %systemroot%\system32\svchost.exe
FirewallRules: [DfsMgmt-WMI-In-TCP] => (Block) %systemroot%\system32\svchost.exe
FirewallRules: [ADWS-TCP-In] => (Allow) %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe
FirewallRules: [ADWS-TCP-Out] => (Allow) %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe
FirewallRules: [DFSR-DFSRSvc-In-TCP] => (Allow) %SystemRoot%\system32\dfsrs.exe
FirewallRules: [DNSSrv-DNS-TCP-In] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [DNSSrv-DNS-UDP-In] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [DNSSrv-RPC-TCP-In] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [DNSSrv-TCP-Out] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [DNSSrv-UDP-Out] => (Allow) %systemroot%\System32\dns.exe
FirewallRules: [{8D8B9A56-8FCA-4D13-90AE-5390F2D5E3A0}] => (Allow) C:\Program Files (x86)\MaxSyncUp\msusvc.exe
FirewallRules: [{4D1CFD0A-D38A-4EC4-BA0B-4E0893895392}] => (Allow) C:\Program Files (x86)\MaxSyncUp\MaxSyncUp.exe
FirewallRules: [WindowsServerBackup-wbengine-In-TCP-NoScope] => (Allow) %systemroot%\system32\wbengine.exe
FirewallRules: [{B7D2464F-B8C2-4DE6-98A4-7094D6C3105D}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
FirewallRules: [{052C6012-5549-4658-BC9A-175ADFF90265}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
FirewallRules: [{20F721CC-A55A-4471-B42A-EAE0EBEB68C1}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
FirewallRules: [{D078C96B-B461-49AF-820E-DE3E84D363A6}] => (Allow) C:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
FirewallRules: [{92C4E946-6C93-42AB-A17C-750D45C6B9D5}] => (Allow) C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
FirewallRules: [{EC788553-9539-4155-A5D8-7F97023F6C16}] => (Allow) C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
FirewallRules: [{EDB09A11-A6EC-4A50-84B4-75F861BF6FD8}] => (Allow) C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
FirewallRules: [{5F8828A2-B25C-40A9-8A7D-8AE26499D674}] => (Allow) C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
FirewallRules: [{54D495F2-E070-410A-A35C-B2E8337CC633}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/26/2017 08:00:10 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/25/2017 08:00:12 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/24/2017 08:00:11 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/23/2017 08:00:11 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/22/2017 08:00:11 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/21/2017 08:01:02 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/20/2017 08:00:09 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/19/2017 08:00:09 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/18/2017 08:00:08 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
Error: (12/17/2017 08:01:06 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.
 
 
Operación:
   Recopilando datos del escritor
 
Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {70cac2ee-ea7e-4c7e-b206-7bcf82e5f715}
 
 
System errors:
=============
Error: (12/27/2017 11:43:44 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_kpasswd._udp.network.fundasamin.org.ar. 600 IN SRV 0 100 464 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:42 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_kpasswd._tcp.network.fundasamin.org.ar. 600 IN SRV 0 100 464 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:39 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_kerberos._udp.network.fundasamin.org.ar. 600 IN SRV 0 100 88 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:37 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_kerberos._tcp.Default-First-Site-Name._sites.network.fundasamin.org.ar. 600 IN SRV 0 100 88 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:34 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_kerberos._tcp.network.fundasamin.org.ar. 600 IN SRV 0 100 88 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:32 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.network.fundasamin.org.ar. 600 IN SRV 0 100 88 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:29 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_kerberos._tcp.dc._msdcs.network.fundasamin.org.ar. 600 IN SRV 0 100 88 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:27 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_gc._tcp.Default-First-Site-Name._sites.network.fundasamin.org.ar. 600 IN SRV 0 100 3268 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:24 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_gc._tcp.network.fundasamin.org.ar. 600 IN SRV 0 100 3268 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
Error: (12/27/2017 11:43:22 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.network.fundasamin.org.ar. 600 IN SRV 0 100 389 ALFA.network.fundasamin.org.ar.' en el siguiente servidor DNS:
 
 
 
Dirección IP del servidor DNS: 74.124.210.242
 
Código de respuesta devuelto (RCODE): 5
 
Código de estado devuelto: 9017
 
 
 
Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.
 
 
 
ACCIÓN DEL USUARIO
 
 
Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de 
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon. 
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.
 
 
 
DATOS ADICIONALES
 
Valor del error: Clave DNS incorrecta.
 
 
CodeIntegrity:
===================================
  Date: 2017-12-19 11:18:54.472
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.
 
  Date: 2017-12-17 03:15:30.427
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.
 
  Date: 2017-12-17 03:10:21.462
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.
 
  Date: 2017-12-16 22:43:16.269
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.
 
  Date: 2017-12-16 22:43:09.647
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-16 19:19:30.402
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Xeon® CPU E5-2609 v4 @ 1.70GHz
Percentage of memory in use: 35%
Total physical RAM: 16118.62 MB
Available physical RAM: 10429.66 MB
Total Virtual: 23243.31 MB
Available Virtual: 11418.54 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:1862.76 GB) (Free:421.85 GB) NTFS
Drive f: () (Fixed) (Total:1862.98 GB) (Free:1702.61 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 1863 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
========================================================
Disk: 1 (Size: 1863 GB) (Disk ID: 16F2A91F)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#5 merced25

  • Topic Starter
  • Members
  • 25 posts

Posted 03 January 2018 - 04:42 PM

Hello, any help? Thank you very much



#6 polskamachina

  • Malware Response Team
  • 4,037 posts
  • Gender:Male

Posted 04 January 2018 - 08:57 PM

Hi merced25,

 

My name is polskamachina and I would like to welcome you back to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions.
 
polskamachina



#7 polskamachina

  • Malware Response Team
  • 4,037 posts
  • Gender:Male

Posted 07 January 2018 - 12:27 PM

Hi merced25 :)
 
Sorry for the delay. Please read the following very carefully:
 
IMPORTANT NOTE
 
The main diagnostic tool we use at Bleeping Computer is FRST (Farbar's Recovery Scan Tool). It provides us with the basis for constructing scripts to remove your malware and to repair or replace damaged or missing files. The limiting factor in this case is that FRST was designed to be used on Windows personal computers. In other words, FRST is very efficient with Windows XP, Vista, 7, and 10. It may be used with Windows server software, but the staff and students here are not presently trained to give explicit support to server users. We must take many precautions as we proceed through our steps. When offering fixes, I will share with you the reason for what I am doing and have you verify that it makes sense to you as well. Another very important factor to consider is the security of your server's environment. From what I was able to discern, your logs show that the server is used in a professional, critical-care environment. It is a big responsibility not only to make sure the machine is running properly but also to make sure patient and other sensitive information is protected. I must make it very clear that we are not trained in this facet of computer information technology. It may be in your best interest to hire a professional company that specializes in this field. If you wish to proceed, I will try and assist you, but please do consider having someone visit your system onsite and check it out.
 
One other thing that needs to be addressed is that there appears to be evidence of cracked (illegal) software on your computer. Do you have a license for your Acronis backup software?
 
In summary I will need from you:

  • Whether or not you want to continue having me troubleshoot your computer
  • Whether or not your Acronis backup software is legitimate

Let me know if you have any questions.
 
polskamachina



#8 merced25

  • Topic Starter
  • Members
  • 25 posts

Posted 07 January 2018 - 12:37 PM

Hello, I agree with you to guide me about what I should take into account. Basically my biggest uncertainty is whether the ransomware modified any part of the operating system. I will assume all responsibility for the operation of the server.
The Acronis was installed to perform a test and can be uninstalled without any inconvenience. Thank you very much


#9 polskamachina

  • Malware Response Team
  • 4,037 posts
  • Gender:Male

Posted 09 January 2018 - 04:05 PM

Hi merced25,
 
I am still working out the details of our next steps.
 
Thank you for your patience.
 
polskamachina



#10 polskamachina

  • Malware Response Team
  • 4,037 posts
  • Gender:Male

Posted 11 January 2018 - 05:07 PM

Hi merced25 :)
 
Regarding the removal of the Acronis software, it is not a simple process because it is not showing up in your list of installed programs. Therefore, I'm going to leave it in your hands to remove it.
 
Next:

 

You have a folder listed on your system named C:\Share copia encriptada. Can you tell me if there is anything in that folder that you need or that has a specific purpose? In the next step, I will list out the contents of the folder to have a look.

 
Please perform the following:

  • Highlight the text below in its entirety and press Ctrl-C
Start::
CloseProcesses:
Folder: C:\Share copia encriptada
SearchAll: wininit.exe
HKLM-x32\...\Run: [C:\12090629546\howtodecryptaesfiles.txt] => C:\12090629546\howtodecryptaesfiles.txt
C:\Windows\SysWOW64\decryptaesfiles.txt
C:\12090629546\howtodecryptaesfiles.txt
S1 isiigddb; C:\Windows\system32\drivers\isiigddb.sys [72816 2017-12-16] (Microsoft Corporation)
C:\Windows\system32\Drivers\isiigddb.sys
EmptyTemp:
End::
  • Run FRST
  • This time, click on Fix
  • When the Fix has completed, restart your computer if asked to do so
  • After the restart a file named Fixlog.txt will appear in the location from which you are running FRST
  • Please copy and paste that log into your next reply to me

In summary I will need from you:

  • Do the contents of this folder, C:\Share copia encriptada, look familiar or important to you?
  • Fixlog.txt
  • How is your computer performing now? 

Let me know if you have any questions.
 
polskamachina



#11 polskamachina

  • Malware Response Team
  • 4,037 posts
  • Gender:Male

Posted 14 January 2018 - 09:43 PM

Hi merced25 :)

 

It's been a while since you've checked in. Did you need any more help with this? If not, this topic will be closed in 48 hours.
 
Please let me know if you have any questions.
 
polskamachina



#12 merced25

merced25
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:54 AM

Posted 15 January 2018 - 08:53 AM

Hello, tomorrow (Tuesday) I will carry out what you indicate and reply to your instructions. Thank you very much.



#13 polskamachina

polskamachina

  • Malware Response Team
  • 4,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 15 January 2018 - 12:37 PM

Hi merced25 :)

You're welcome and thanks for the update.

 

polskamachina



#14 merced25

merced25
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:54 AM

Posted 16 January 2018 - 11:50 AM

Hi, the folder C:\Share copia encriptada is a copy that I made, for safety, of all the folders and files that were encrypted by the ransomware. I could delete it without problems.
The computer is working well after the attack; I just want to make sure that there is no trace of the ransomware. I ran several antivirus and antimalware scans. Everything found was removed.

 

After several days of running FRST, a memory allocation error window appeared. I compressed and renamed with 7z the report that was generated, which is more than 10 megabytes.
 
Thank you

Attached Files



#15 polskamachina

polskamachina

  • Malware Response Team
  • 4,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 16 January 2018 - 11:00 PM

Hi merced25 :)

After several days of running FRST, a memory allocation error window was presented.

Thanks for explaining the contents of the share folder. I think the script I wrote to list the files inside it is what made your log too long to copy and paste. The file you attached was saved in a text format, so I was unable to read it. I have modified the script, which should mean the next Fix you run should not take more than 10 minutes. If it takes more than an hour, let me know!
 
Please do the following:

  • Run FRST64
  • Copy and paste the text below in its entirety into FRST's Search box:
SearchAll: wininit.exe
  • Click on the Search Files button
  • When the search has completed, a file named Search.txt will appear in the folder from which you ran FRST64
  • Please copy and paste that log into your next reply to me

Next:

  • Highlight the text below and press Ctrl-C
Start::
CloseProcesses:
HKLM-x32\...\Run: [C:\12090629546\howtodecryptaesfiles.txt] => C:\12090629546\howtodecryptaesfiles.txt
C:\Windows\SysWOW64\decryptaesfiles.txt
C:\12090629546\howtodecryptaesfiles.txt
S1 isiigddb; C:\Windows\system32\drivers\isiigddb.sys [72816 2017-12-16] (Microsoft Corporation)
C:\Windows\system32\Drivers\isiigddb.sys
EmptyTemp:
End::
  • Run FRST64
  • This time, click on Fix
  • When the Fix has completed, restart your computer if asked to do so
  • After the restart a file named Fixlog.txt will appear in the location from which you are running FRST
  • Please copy and paste that log into your next reply to me

In summary I will need from you:

  • Search.txt
  • Fixlog.txt
  • How is your computer performing now?

Let me know if you have any questions.
 
polskamachina
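As an added verification step that is not part of polskamachina's instructions, the PowerShell snippet below, run in an elevated prompt after the Fix and reboot, reports whether each remnant targeted by the fixlist above is still present. The paths, value name and service name are taken from the fixlist; it assumes FRST's "HKLM-x32\...\Run" entry refers to the WOW6432Node Run key.

```powershell
# Added post-fix check (not from the thread). Reports whether each item the
# FRST fixlist targets still exists. Run as administrator after the Fix and reboot.
# Assumption: FRST's "HKLM-x32\...\Run" maps to the WOW6432Node Run key.
$runKey       = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$runValueName = 'C:\12090629546\howtodecryptaesfiles.txt'   # value name as listed by FRST

$checks = @(
    @{ Name = 'Ransom note (SysWOW64 copy)';      Test = { Test-Path -LiteralPath 'C:\Windows\SysWOW64\decryptaesfiles.txt' } }
    @{ Name = 'Ransom note (numbered folder)';    Test = { Test-Path -LiteralPath 'C:\12090629546\howtodecryptaesfiles.txt' } }
    @{ Name = 'Driver file isiigddb.sys';         Test = { Test-Path -LiteralPath 'C:\Windows\System32\drivers\isiigddb.sys' } }
    @{ Name = 'Driver service key isiigddb';      Test = { Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\isiigddb' } }
    @{ Name = 'Run-key autostart of ransom note'; Test = {
        # Registry value names may contain backslashes, so look the name up directly.
        $props = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
        ($null -ne $props) -and ($null -ne $props.PSObject.Properties[$runValueName])
    } }
)

$remaining = 0
foreach ($c in $checks) {
    $present = [bool](& $c.Test)
    if ($present) { $remaining++ }
    '{0,-36} {1}' -f $c.Name, $(if ($present) { 'STILL PRESENT' } else { 'clean' })
}

# Anything reported as STILL PRESENT belongs in the next reply alongside Fixlog.txt.
if ($remaining -eq 0) { 'All fixlist items are gone.' } else { "$remaining fixlist item(s) remain." }
```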





