Kevin Zoll
Emsisoft Employee
Content Count: 18456
Days Won: 164

Everything posted by Kevin Zoll

  1. Decryption of certain variants is only possible because of seized encryption keys. DHARMA uses a secure encryption scheme that is unbreakable using current techniques and hardware. Unless you pay the ransom and rely on the benevolence of the authors to send you a working key and decryptor, or a security firm is able to seize encryption keys from servers under the control of the cybergang, DHARMA is not decryptable with third-party tools.
  2. We fixed some broken policies, deleted some orphaned registry items, removed a broken task, and removed an alternate data stream. I see no reason to change passwords, based on what I saw on the system.
  3. Hello. Unfortunately, DHARMA cannot be decrypted without contacting the ransomware authors and paying the ransom.
  4. The FRST report looks fine. I see no malware in the log. How are things running?
  5. Let's take a fresh look. Run a fresh scan with FRST and attach the new FRST scan report to your reply. It is not recommended to run multiple AVs side by side, even when testing. If you are testing an AV, you should always uninstall the currently installed AV. Even when one is disabled, it will still have active running services that can, and often do, interfere with the active AV.
  6. Thread Closed. Reason: Resolved. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  7. Svchost accessing the Internet is not unusual, especially when there is a running service that would need to connect to the Internet. Facebook intrusions happen, and they have nothing to do with malware; instead, someone is attempting to access your account. You will also get messages when you try to log into your account from a location and device that Facebook does not recognize as one you have used, and the location is not one that you would normally log in from. ComboFix should never be used unless you are instructed to use it. ComboFix is dangerous to use and has been known to cause unintended issues when run.
  8. Hello. This is total overkill:
AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
AV: Emsisoft Anti-Malware (Disabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
Of these, 2 of them need to be uninstalled:
AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
AV: Emsisoft Anti-Malware (Disabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
With all that installed, all kinds of strange things can happen.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  9. Your logs show no malware. 117.18.237.29 (AS15133) is MCI Communications Services, Inc. d/b/a Verizon Business out of Taiwan. They provide Webhosting services.
  10. If you are being told by ID Ransomware that the files cannot be decrypted, then there are currently no decrypters available.
  11. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  12. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  13. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  14. Hello. This is a ransomware issue. I will transfer your support thread to the proper forum. It is recommended to upload a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like one of our experts to review them.
  15. We do not perform this type of service using live chat.
  16. Bryan, let's take a fresh look. Run fresh scans with Emsisoft Anti-Malware (EAM) and FRST, and attach the new EAM and FRST scans to your reply. Be sure to let me know how things are running.
  17. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
Hosts:
(Innorix -> INNORIX) C:\INNORIX_Agent\innorixam.exe
(Innorix -> INNORIX) C:\INNORIX_Agent\innorixas.exe
(SILCROW DESIGN LTD -> Max Programming, LLC) C:\Users\user\AppData\Local\Temp\AD18.tmp.exe
() [File not signed] C:\Users\user\AppData\Local\Temp\E67C.tmp\wuauclt.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [BrightnessController] => [X]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [6919309] => C:\Users\user\AppData\Roaming\qcdrpbvewru\qitr4cbi5gr.exe [1053503 2019-02-28] ( ) [File not signed]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [9751699] => C:\Users\user\AppData\Roaming\31yg2vcwnlm\54qzw42cfck.exe [1053503 2019-02-28] ( ) [File not signed]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [7644957] => C:\Users\user\AppData\Roaming\p512jztb1hy\nywqzveodpl.exe [1053503 2019-02-28] ( ) [File not signed]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [3424444] => C:\Users\user\AppData\Roaming\nkwv5hzqhwt\paw3b2wo3hx.exe [1053503 2019-02-28] ( ) [File not signed]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [3503271] => C:\Users\user\AppData\Roaming\4qne4wqhizc\e33nqp52bik.exe [1053503 2019-02-28] ( ) [File not signed]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [NEY397UQOX772PU] => C:\Program Files\G147MMARPI\G147MMARP.exe [883712 2019-02-28] (THJ372BQ) [File not signed]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [8381358] => C:\Users\user\AppData\Roaming\5qddilcbf2i\s4bbnng0jui.exe [1053503 2019-02-28] ( ) [File not signed]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [a74903cfc68943620cdec8cc3f6d0d43] => regsvr32.exe /s /n /u /i:"C:\Users\user\AppData\Roaming\8FGNPP1PUYA.txt" scrobj.dll. <==== ATTENTION
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [2OOYD04MX4AC8FG] => C:\Program Files\0HGHTYNOP8\0HGHTYNOP.exe [883712 2019-02-28] (THJ372BQ) [File not signed]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\Run: [9812428] => C:\Users\user\AppData\Roaming\o1it2qih425\bqdscidg2yr.exe [1053503 2019-02-28] ( ) [File not signed]
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hhggessg.lnk [2019-02-28]
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jcccgjaw.lnk [2019-02-28]
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jfscfrbg.lnk [2019-02-28]
GroupPolicy: Restriction - Chrome <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxkYLSSAJm98oUfQ064swWFNjn6csLaMcBhxJYqCHqYvvaxZgFJVEOiqTE6D0JXGWG7dQh6Ki9_mEjEQ9rx_23LyuURGdnIqaEAM6KqPOL8ILiPFBBnuTx3HcBXwtUTZ0K2_1ZhA1aZp0OTM8FLipcmaKIJmKzivYFhxOpSYZzA,,&q={searchTerms}
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mail.ru/cnt/10445?gp=834423
HKU\S-1-5-21-2481241284-3410650018-1836499266-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxkYLSSAJm98oUfQ064swWFNjn6csLaMcBhxJYqCHqYvvaxZgFJVEOiqTE6D0JXGWG7dQh6Ki9_mEjEQ9rx_23LyuURGdnIqaEAM6KqPOL8ILiPFBBnuTx3HcBXwtUTZ0K2_1ZhA1aZp0OTM8FLipcmaKIJmKzivYFhxOpSYZzA,,&q={searchTerms}
HKU\S-1-5-21-2481241284-3410650018-1836499266-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxkYLSSAJm98oUfQ064swWFNjn6csLaMcBhxJYqCHqYvvaxZgFJVEOiqTE6D0JXGWG7dQh6Ki9_mEjEQxHGNG94V2xqGoMhAvKKZ8Kr-dia_ptJmbU10kFDiFt799X1nA7es7MxX7Df6L1DO7LtwTe0qrkeyqrfvM-oPhP-IjeA,,
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxkYLSSAJm98oUfQ064swWFNjn6csLaMcBhxJYqCHqYvvaxZgFJVEOiqTE6D0JXGWG7dQh6Ki9_mEjEQ9rx_23LyuURGdnIqaEAM6KqPOL8ILiPFBBnuTx3HcBXwtUTZ0K2_1ZhA1aZp0OTM8FLipcmaKIJmKzivYFhxOpSYZzA,,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2481241284-3410650018-1836499266-1001 -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxps://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7BE3BF7D25-32C2-400C-9E31-07DB1869DD2F%7D&gp=811610
SearchScopes: HKU\S-1-5-21-2481241284-3410650018-1836499266-1001 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxps://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7BE3BF7D25-32C2-400C-9E31-07DB1869DD2F%7D&gp=811610
SearchScopes: HKU\S-1-5-21-2481241284-3410650018-1836499266-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxkYLSSAJm98oUfQ064swWFNjn6csLaMcBhxJYqCHqYvvaxZgFJVEOiqTE6D0JXGWG7dQh6Ki9_mEjEQ9rx_23LyuURGdnIqaEAM6KqPOL8ILiPFBBnuTx3HcBXwtUTZ0K2_1ZhA1aZp0OTM8FLipcmaKIJmKzivYFhxOpSYZzA,,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2481241284-3410650018-1836499266-1002 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxkYLSSAJm98oUfQ064swWFNjn6csLaMcBhxJYqCHqYvvaxZgFJVEOiqTE6D0JXGWG7dQh6Ki9_mEjEQ9rx_23LyuURGdnIqaEAM6KqPOL8ILiPFBBnuTx3HcBXwtUTZ0K2_1ZhA1aZp0OTM8FLipcmaKIJmKzivYFhxOpSYZzA,,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2481241284-3410650018-1836499266-1002 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxkYLSSAJm98oUfQ064swWFNjn6csLaMcBhxJYqCHqYvvaxZgFJVEOiqTE6D0JXGWG7dQh6Ki9_mEjEQ9rx_23LyuURGdnIqaEAM6KqPOL8ILiPFBBnuTx3HcBXwtUTZ0K2_1ZhA1aZp0OTM8FLipcmaKIJmKzivYFhxOpSYZzA,,&q={searchTerms}
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2019-01-13] (Microsoft Corporation -> Microsoft Corporation)
BHO: No Name -> {C2EB5F46-BF71-4B35-BA26-31B3A3F4F5B8}' -> No File
BHO: YoutubeAdBlock -> {E3049DDB-BF78-48FC-A37E-190DF306098F} -> C:\Program Files (x86)\lSuxVLLzOIE\tXgdU4lx.dll [2019-02-28] () [File not signed]
BHO-x32: [email protected] -> {8E8F97CD-60B5-456F-A201-73065652D099} -> C:\Users\user\AppData\Local\Mail.Ru\Sputnik\ie_addon_dll.dll => No File
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2018-11-01] (Evernote Corporation -> Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: No Name -> {C2EB5F46-BF71-4B35-BA26-31B3A3F4F5B8}' -> No File
BHO-x32: YoutubeAdBlock -> {E3049DDB-BF78-48FC-A37E-190DF306098F} -> C:\Program Files (x86)\lSuxVLLzOIE\kgxABIta.dll [2019-02-28] () [File not signed]
CHR Extension: (Adblocker for Youtube™) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldmhlfmikjfnpepnkcnepibmobdoeklc [2019-02-28] [UpdateUrl:hxxps://clients88.google.com/service/update2/crx] <==== ATTENTION
R2 innorixam; C:\INNORIX_Agent\innorixam.exe [576224 2019-02-19] (Innorix -> INNORIX)
R2 innorixas; C:\INNORIX_Agent\innorixas.exe [7990496 2019-02-19] (Innorix -> INNORIX)
S2 backlh; C:\ProgramData\Logic Cramble\set.exe [X] <==== ATTENTION
S2 Nettrans; C:\ProgramData\PrefsSecure\Nettrans.exe [X] <==== ATTENTION
S2 pgt_svc; C:\Program Files (x86)\ProxyGate\MainService.exe [X] <==== ATTENTION
S1 abeiijlm; C:\WINDOWS\system32\drivers\abeiijlm.sys [72816 2019-02-28] (Microsoft Corporation -> Microsoft Corporation)
2019-02-28 22:29 - 2019-02-28 22:29 - 000000000 ___DC C:\Users\user\AppData\LocalLow\bMjFhvtVUwkKS
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ___DC C:\Users\user\AppData\Roaming\o1it2qih425
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ____D C:\ProgramData\OLYHUpvUSqfnpYVB
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ____D C:\Program Files\0HGHTYNOP8
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ____D C:\Program Files (x86)\uOQrFxFVBAUn
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ____D C:\Program Files (x86)\qDDJrgJjrNmnmtXuCKR
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ____D C:\Program Files (x86)\MZrouHFtyLGOC
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ____D C:\Program Files (x86)\lSuxVLLzOIE
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ____D C:\Program Files (x86)\cRwPWqtmU
2019-02-28 22:17 - 2019-02-28 22:17 - 000000000 ____D C:\Program Files (x86)\CIXQfAPhcYmU2
2019-02-28 21:42 - 2019-02-28 21:54 - 000000000 ____D C:\Program Files (x86)\Simple Malware Protector
2019-02-28 21:42 - 2019-02-28 21:42 - 000004016 _____ C:\WINDOWS\System32\Tasks\Simple Malware Protector_ipm
2019-02-28 21:42 - 2019-02-28 21:42 - 000003258 _____ C:\WINDOWS\System32\Tasks\Simple Malware Protector_startup
2019-02-28 21:42 - 2019-02-28 21:42 - 000001262 _____ C:\Users\Public\Desktop\Simple Malware Protector.lnk
2019-02-28 21:42 - 2019-02-28 21:42 - 000000000 ___DC C:\Users\user\AppData\Roaming\SimpleStar
2019-02-28 21:42 - 2019-02-28 21:42 - 000000000 ____D C:\ProgramData\SimpleStar
2019-02-28 21:42 - 2019-02-28 21:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Simple Malware Protector
2019-02-28 21:42 - 2019-01-23 14:30 - 000027656 _____ (Corel Corporation) C:\WINDOWS\system32\smpnative64.exe
2019-02-28 21:17 - 2019-02-28 23:52 - 000000000 ___DC C:\Users\user\AppData\Local\0f80effc-7545-4eb1-8a0e-f0c69107f15f
2019-02-28 21:17 - 2019-02-28 21:18 - 000000000 ___DC C:\Users\user\AppData\Local\3fcfc7f1-a54c-4aad-a4ed-26a6060ff0fc
2019-02-28 21:17 - 2019-02-28 21:17 - 000003566 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 2796787680
2019-02-28 21:17 - 2019-02-28 21:17 - 000000260 ____C C:\Users\user\AppData\Roaming\8FGNPP1PUYA.txt
2019-02-28 21:17 - 2019-02-28 21:17 - 000000000 ___DC C:\Users\user\AppData\Roaming\Add6lApvnk
2019-02-28 21:17 - 2019-02-28 21:17 - 000000000 ___DC C:\Users\user\AppData\Roaming\5qddilcbf2i
2019-02-28 21:17 - 2019-02-28 21:17 - 000000000 ____D C:\Program Files\G147MMARPI
2019-02-28 21:00 - 2019-02-28 21:00 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\abeiijlm.sys
2019-02-28 20:53 - 2019-02-28 20:53 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ycfkkswn.sys
2019-02-28 20:50 - 2019-02-28 20:50 - 000000000 ___DC C:\Users\user\AppData\Roaming\4qne4wqhizc
2019-02-28 20:50 - 2019-02-28 20:49 - 001632256 ____C (TODO: <Company name>) C:\Users\user\AppData\Local\Solsonzap.exe
2019-02-28 20:49 - 2019-02-28 21:18 - 000000000 ____D C:\ProgramData\{EB978C45-3985-7DC7-FD24-44F1FDC31DA0}
2019-02-28 20:49 - 2019-02-28 21:18 - 000000000 ____D C:\ProgramData\{97668B85-3E45-0136-3D23-B58D3DC4ECDC}
2019-02-28 20:49 - 2019-02-28 20:53 - 000000000 ___DC C:\Users\user\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}
2019-02-28 20:49 - 2019-02-28 20:50 - 000000000 ____D C:\Program Files\OT4RAF4V9Z
2019-02-28 20:49 - 2019-02-28 20:50 - 000000000 ____D C:\Program Files\B10ZLEQDND
2019-02-28 20:49 - 2019-02-28 20:49 - 000619880 _____ (VxDriver) C:\WINDOWS\421F24D90F1D.sys
2019-02-28 20:49 - 2019-02-28 20:49 - 000140800 ____C C:\Users\user\AppData\Local\installer.dat
2019-02-28 20:49 - 2019-02-28 20:49 - 000000000 ___DC C:\Users\user\AppData\Roaming\qcdrpbvewru
2019-02-28 20:49 - 2019-02-28 20:49 - 000000000 ___DC C:\Users\user\AppData\Roaming\p512jztb1hy
2019-02-28 20:49 - 2019-02-28 20:49 - 000000000 ___DC C:\Users\user\AppData\Roaming\nkwv5hzqhwt
2019-02-28 20:49 - 2019-02-28 20:49 - 000000000 ___DC C:\Users\user\AppData\Roaming\31yg2vcwnlm
2019-02-28 20:48 - 2019-02-28 20:50 - 000000000 ____D C:\Program Files (x86)\ew2c5m2uliz
2019-02-28 21:18 - 2018-11-15 17:07 - 000000000 ____D C:\ProgramData\{E721701D-606F-2657-3885-268C80F0075C}
2019-02-28 21:17 - 2019-02-28 21:17 - 000000260 ____C () C:\Users\user\AppData\Roaming\8FGNPP1PUYA.txt
2019-02-28 21:17 - 2019-02-28 21:17 - 000010752 ____C () C:\Users\user\AppData\Local\Temp\11749f5e-ce6d-4656-a758-5d3beec5d9ff.tmp.exe
2019-02-28 20:48 - 2019-02-28 20:48 - 001593344 ____C () C:\Users\user\AppData\Local\Temp\1551372510866.exe
2019-02-27 19:27 - 2019-02-27 19:27 - 000073728 ____C () C:\Users\user\AppData\Local\Temp\170e8235-bc5e-49ba-9f06-cd8033a21ce8.tmp.exe
2019-02-28 10:25 - 2019-02-28 10:25 - 000073728 ____C () C:\Users\user\AppData\Local\Temp\28680635-2752-40b7-920f-4582074444c4.tmp.exe
2019-02-28 20:52 - 2019-02-28 20:52 - 000010752 ____C () C:\Users\user\AppData\Local\Temp\35eff6dd-efd0-4458-b725-a8bea54c709b.tmp.exe
2019-02-26 10:16 - 2019-02-26 10:16 - 000651776 ____C (Igor Pavlov) C:\Users\user\AppData\Local\Temp\3e14d4e8-554b-4aef-8c1d-2a035a802e7b.tmp.exe
2019-02-26 10:15 - 2019-02-26 10:15 - 000073728 ____C () C:\Users\user\AppData\Local\Temp\3fb402e7-dcaa-473f-903c-b8fb8728dad8.tmp.exe
2019-02-28 20:54 - 2019-02-28 20:48 - 001314008 ____C (Mail.Ru) C:\Users\user\AppData\Local\Temp\4280-5657-d4ec-6635.exe
2019-02-27 09:59 - 2019-02-27 09:59 - 000010752 ____C () C:\Users\user\AppData\Local\Temp\56993436-51e5-4f10-83ec-69a06fcc725d.tmp.exe
2019-02-28 21:17 - 2019-02-28 21:17 - 000073728 ____C () C:\Users\user\AppData\Local\Temp\60c9d09a-32a5-466f-b7bb-ca37e2ec427e.tmp.exe
2019-02-28 20:49 - 2019-02-28 20:49 - 000185344 ____C () C:\Users\user\AppData\Local\Temp\6504959658.exe
2019-02-28 20:49 - 2019-02-28 20:49 - 025260414 ____C (TigerTrade ) C:\Users\user\AppData\Local\Temp\6883543104.exe
2019-02-26 10:15 - 2019-02-26 10:15 - 000010752 ____C () C:\Users\user\AppData\Local\Temp\a0d00038-d935-447d-9f04-a726dd2197c6.tmp.exe
2019-02-28 21:17 - 2019-02-28 21:17 - 000772280 ____C (Max Programming, LLC) C:\Users\user\AppData\Local\Temp\AD18.tmp.exe
2019-02-28 10:25 - 2019-02-28 10:25 - 000010752 ____C () C:\Users\user\AppData\Local\Temp\b2c6aada-a367-4bca-b027-02cb666bd3cb.tmp.exe
2019-02-28 21:17 - 2019-02-28 21:17 - 000352256 ____C () C:\Users\user\AppData\Local\Temp\BCB9.tmp.exe
2019-02-27 19:27 - 2019-02-27 19:27 - 000010752 ____C () C:\Users\user\AppData\Local\Temp\bdba576c-4c17-42f8-b456-66290e3139d8.tmp.exe
2019-02-28 20:52 - 2019-02-28 20:52 - 000073728 ____C () C:\Users\user\AppData\Local\Temp\c4e9547e-e522-491a-8779-b1328124f443.tmp.exe
2019-02-27 09:59 - 2019-02-27 09:59 - 000073728 ____C () C:\Users\user\AppData\Local\Temp\c7d4a3d8-3116-4dcb-a48d-0d0f32cd0491.tmp.exe
2019-02-28 21:17 - 2019-02-28 21:17 - 000382976 ____C () C:\Users\user\AppData\Local\Temp\CDA2.tmp.exe
2019-02-26 10:16 - 2019-02-26 10:16 - 000110592 ____C () C:\Users\user\AppData\Local\Temp\ext1669127327702433066.dll
2019-02-27 10:00 - 2019-02-27 10:00 - 000110592 ____C () C:\Users\user\AppData\Local\Temp\ext3374361332787860992.dll
2019-02-28 10:26 - 2019-02-28 10:26 - 000110592 ____C () C:\Users\user\AppData\Local\Temp\ext4735620471717746660.dll
2019-02-28 21:17 - 2019-02-28 21:17 - 000110592 ____C () C:\Users\user\AppData\Local\Temp\ext5115391823592550159.dll
2019-02-28 20:52 - 2019-02-28 20:52 - 000110592 ____C () C:\Users\user\AppData\Local\Temp\ext6275304727931247960.dll
2019-02-28 20:54 - 2019-02-28 20:48 - 001314008 ____C (Mail.Ru) C:\Users\user\AppData\Local\Temp\f738-524d-0a0e-eeb1.exe
2019-02-28 23:14 - 2019-02-28 23:14 - 001853440 ____C (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_20192281427666.dll
2019-02-28 23:14 - 2019-02-28 23:14 - 001853440 ____C (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_20192281448101.dll
2019-02-28 23:14 - 2019-02-28 23:14 - 001853440 ____C (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_2019228144883.dll
2019-02-28 23:14 - 2019-02-28 23:14 - 001853440 ____C (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_201922814585.dll
2019-02-28 23:14 - 2019-02-28 23:14 - 001853440 ____C (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_2019228148575.dll
2019-02-28 23:14 - 2019-02-28 23:14 - 001853440 ____C (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_2019228148775.dll
2019-02-28 20:48 - 2019-02-28 20:48 - 000261120 ____C () C:\Users\user\AppData\Local\Temp\prg.exe
2019-02-28 20:57 - 2019-02-28 21:17 - 000099886 ____C () C:\Users\user\AppData\Local\Temp\Uninstall.exe
CustomCLSID: HKU\S-1-5-21-2481241284-3410650018-1836499266-1001_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2018\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-2481241284-3410650018-1836499266-1001_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2018\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-2481241284-3410650018-1836499266-1001_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2018\Inventor Server\Bin\TestServer.dll => No File
Task: {36A5E251-5621-4C38-AC99-A9ABB8311A82} - System32\Tasks\snp => C:\ProgramData\Voyasollam\Voyasollam.exe <==== ATTENTION
Task: {44FD080C-E5F1-4F16-B0A7-3F70ABB1C5B5} - System32\Tasks\Time Trigger Task => C:\Users\user\AppData\Local\0f80effc-7545-4eb1-8a0e-f0c69107f15f\BCB9.tmp.exe
Task: {48F8A59E-65DF-41F7-8822-B77570CEF070} - System32\Tasks\Opera scheduled Autoupdate 2414526821 => C:\Users\user\AppData\Roaming\Microsoft\Windows\jfscfrbg\raewwgsd.exe
Task: {855C5E38-E248-46B2-88E6-C66CD1B32215} - System32\Tasks\Opera scheduled Autoupdate 2796787680 => C:\Users\user\AppData\Roaming\Microsoft\Windows\jcccgjaw\raewwgsd.exe
Task: {87176D42-CDA8-4944-AE36-D4595E8C3FA7} - System32\Tasks\Simple Malware Protector_startup => C:\Program Files (x86)\Simple Malware Protector\SimpleMalwareProtector.exe (Corel Corporation -> SimpleStar)
Task: {B26B3472-6310-42E8-8A39-AD5D598D4642} - System32\Tasks\Opera scheduled Autoupdate 3919017627 => C:\Users\user\AppData\Roaming\Microsoft\Windows\hhggessg\raewwgsd.exe
Task: {CBEA2F5E-45C8-4509-B637-15002FBCD799} - System32\Tasks\snf => C:\ProgramData\Voyasollam\Voyasollam.exe <==== ATTENTION
Shortcut: C:\Users\user\Desktop\Stеllаr Data Rеcоvery Prоfеssionаl .lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.rehcnualrds.bat ()
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnеt Explоrer.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.erolpxei.bat ()
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gоogle Сhromе.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat ()
Shortcut: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооgle Сhrоmе.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gоoglе Сhrоme.lnk -> C:\Users\user\AppData\Roaming\Browsers\exe.emorhc.bat ()
2019-02-28 22:17 - 2019-02-28 22:17 - 000342528 ____C () [File not signed] C:\Users\user\AppData\Local\Temp\E67C.tmp\wuauclt.exe
2019-02-28 21:17 - 2019-02-28 21:17 - 000110592 ____C () [File not signed] C:\Users\user\AppData\Local\Temp\ext5115391823592550159.dll
AlternateDataStreams: C:\WINDOWS\system32\Drivers\abeiijlm.sys:changelist [1374]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\ycfkkswn.sys:changelist [1054]
AlternateDataStreams: C:\Users\user\Desktop\PROJ_ERICSSON LIVE (DAY 3).mp4:com.dropbox.attributes [168]
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "9812428"
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "8381358"
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "3503271"
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "3424444"
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "7644957"
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "9751699"
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "6919309"
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "2OOYD04MX4AC8FG"
HKU\S-1-5-21-2481241284-3410650018-1836499266-1001\...\StartupApproved\Run: => "NEY397UQOX772PU"
C:\Windows\System32\.exe
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version, please download and run the updated version.
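The FRST lines quoted in posts 8 and 17 above show the two things a helper reads such a report for: several real-time AV products enabled at once, and commodity-adware persistence (unsigned binaries under AppData behind numeric Run names, regsvr32 loading a scriptlet through scrobj.dll, browser shortcuts renamed with Cyrillic look-alike letters and pointed at .bat launchers). The script below is an added triage example, not FRST's code and not a script from these posts: it parses FRST-style lines and flags those patterns. The sample report is constructed; its AV lines are the ones quoted in post 8, its Run and Shortcut lines are modelled on post 17 with shortened SIDs, and the finding labels are this example's own.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) report lines.

Added example for posts 8 and 17 above; it is not part of FRST and not the
forum's own script. It scans pasted FRST lines for three problems those posts
deal with: more than one real-time AV enabled at once, autorun entries that
look like commodity adware persistence, and browser shortcuts redirected to
.bat launchers behind look-alike (homoglyph) names. Finding labels are this
example's own, not FRST terminology.
"""
import re
import unicodedata

# Constructed sample. The AV lines are the ones quoted in post 8; the Run and
# Shortcut lines are modelled on post 17 with shortened SIDs, plus two benign
# entries (OneDrive, a genuine Chrome shortcut) that must NOT be flagged.
SAMPLE_FRST_LINES = [
    r"AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}",
    r"AV: Emsisoft Anti-Malware (Disabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}",
    r"AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}",
    r"HKU\S-1-5-21-1\...\Run: [OneDrive] => C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2019-01-10] (Microsoft Corporation -> Microsoft Corporation)",
    r"HKU\S-1-5-21-1\...\Run: [6919309] => C:\Users\user\AppData\Roaming\qcdrpbvewru\qitr4cbi5gr.exe [1053503 2019-02-28] ( ) [File not signed]",
    r'HKU\S-1-5-21-1\...\Run: [a74903cf] => regsvr32.exe /s /n /u /i:"C:\Users\user\AppData\Roaming\8FGNPP1PUYA.txt" scrobj.dll <==== ATTENTION',
    # Shortcut name spelled with Cyrillic о (U+043E), С (U+0421) and е (U+0435), as in post 17.
    "Shortcut: C:\\Users\\user\\Desktop\\G\u043e\u043egle \u0421hr\u043em\u0435.lnk -> C:\\Users\\user\\AppData\\Roaming\\Browsers\\exe.emorhc.bat ()",
    r"Shortcut: C:\Users\user\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ()",
]
SAMPLE_FRST = "\n".join(SAMPLE_FRST_LINES)

AV_RE = re.compile(r"^AV: (?P<name>.+?) \((?P<state>Enabled|Disabled) - (?P<update>[^)]+)\) \{(?P<guid>[0-9A-Fa-f-]+)\}")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*)$")
SHORTCUT_RE = re.compile(r"^Shortcut: (?P<lnk>.+?\.lnk) -> (?P<target>.+?) \((?P<signer>[^)]*)\)\s*$")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def enabled_av_products(report):
    """Names of products FRST lists as 'Enabled', i.e. with real-time protection on."""
    return [m["name"] for m in map(AV_RE.match, report.splitlines()) if m and m["state"] == "Enabled"]


def classify_run_entry(name, target):
    """Heuristics for one HKLM/HKU ...\\Run entry; returns (label, detail) pairs."""
    findings = []
    low = target.lower()
    # FRST marks unsigned files with '[File not signed]' and an empty '( )' signer field.
    unsigned = "[file not signed]" in low or "( )" in target
    if unsigned and "\\appdata\\" in low:
        findings.append(("unsigned-appdata-autorun", f"{name} -> {target}"))
    if "regsvr32" in low and "scrobj.dll" in low:
        findings.append(("regsvr32-scriptlet", f"{name} -> {target}"))
    if name.isdigit():
        findings.append(("numeric-autorun-name", f"{name} -> {target}"))
    return findings


def classify_shortcut(lnk, target):
    """Flag .lnk names containing non-ASCII look-alikes and .lnk targets that are scripts."""
    findings = []
    basename = lnk.rsplit("\\", 1)[-1]
    odd = [f"{c!r} {unicodedata.name(c, '?')}" for c in basename if ord(c) > 127]
    if odd:
        findings.append(("homoglyph-shortcut", f"{basename}: {', '.join(odd)}"))
    if target.lower().endswith(SCRIPT_EXT):
        findings.append(("script-shortcut-target", f"{basename} -> {target}"))
    return findings


def triage(report):
    """Run all checks over a pasted FRST report and return a summary dict."""
    enabled = enabled_av_products(report)
    findings = []
    for line in report.splitlines():
        run = RUN_RE.search(line)
        lnk = SHORTCUT_RE.match(line)
        if run:
            findings += classify_run_entry(run["name"], run["target"])
        elif lnk:
            findings += classify_shortcut(lnk["lnk"], lnk["target"])
    return {"enabled_av": enabled, "av_conflict": len(enabled) > 1, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_FRST)
    if result["av_conflict"]:
        print("More than one real-time AV enabled:", ", ".join(result["enabled_av"]))
    for label, detail in result["findings"]:
        print(f"[{label}] {detail}")
```

The checks are deliberately narrow: a signed Microsoft binary under AppData (OneDrive) and an ASCII Chrome shortcut pointing at chrome.exe produce no findings, while the unsigned numeric Run entry, the regsvr32/scrobj.dll entry and the Cyrillic-spelled shortcut each do. Anything it flags is a lead for a human to verify against the full FRST.txt and Addition.txt, not a removal decision.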
  18. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  19. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  20. Hello Spartan, Welcome to the Emsisoft Support Forums.
Please read the entire instructions below. Yes, they are a bit lengthy and contain necessary administrative instructions as well as technical instructions. All users of the Emsisoft Support Forums who are in need of Malware Removal assistance are required to complete the procedures listed below:
NOTE: You will want to print these instructions for reference, as you will perform all scans with all browsers closed.
The majority of our support staff work Monday-Friday. We try very hard to answer all posts within 24 hours of the posting, but be aware that if you post anytime in the late afternoon or evening on Friday, or anytime on Saturday or Sunday, you will not receive an answer until Monday. Also, be aware that our support technicians may not be in the same time zone as you; therefore there could be several hours' difference between when you post and when the technician working your support case is available.
The below guidelines are for the Help, my PC is infected! Support Forum. They are intended to help you provide the technician working your thread with enough information to start formulating a plan to clean your machine, and for you to leave the Emsisoft Support Forums with a safe, secure, functioning computer.
Emsisoft does not condone the use of Pirated/Illegal software. If such software is found on your computer, the technician assisting you will insist that the Pirated/Illegal software be removed. We reserve the right to refuse help to anyone who is unwilling to uninstall Pirated/Illegal software.
We insist that anyone receiving help here at the Emsisoft Support Forums install an Anti-Malware program at a minimum to protect their system.
Start only one thread requesting help. Keep all questions in your thread. DO NOT start a new topic.
If you don't know, stop and ask! Don't keep going on.
Continue to respond until you are given "All Clear" (just because you can't see a problem doesn't mean it isn't there). Once your case has been solved, the thread will be closed. Your thread will be closed after 72 hours of no activity.
DO NOT use any form of Haxor, Leetspeak, Netspeak, IM speak and the such in any postings on this forum. Use only proper spelling, grammar, punctuation, and capitalization. The more time the person helping you has to spend trying to figure out what you are saying, the longer it will take them to formulate a response.
DO NOT post any logs without first completing the steps in this guide; they will be deleted.
DO NOT copy and paste logs into your threads. All logs are to be attached to your post.
Download to your Desktop:
Emsisoft Emergency Kit
Farbar Recovery Scan Tool
NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
NOTE: If you are unable to download the tools from the infected system, the tools can be saved to and run from a USB flash drive.
All scans are to be run in Normal Mode. Do not run anything in "Safe Mode" unless you are instructed to do so by the Malware Removal Specialist handling your case. Do not force Safe Mode. Instructions on how to boot to "Safe Mode" can be found at http://www.malwarete…kb/SafeMode.php
WARNING: The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
Let's get started:
Install and Run Emsisoft Emergency Kit (EEK):
Double-click EmergencyKitScanner.exe to install EEK. When the installation of EEK is complete, the Emergency Kit scanner will run.
NOTE: Make sure to enable PUPs detection.
Click "Yes" to Update Emsisoft Emergency Kit.
Under "Scan" click on "Malware Scan".
IMPORTANT: Do not quarantine or delete anything. We just want the scan log without anything being quarantined or deleted.
Save the scan log somewhere that you can find it. Exit Emsisoft Emergency Kit.
Run Farbar Recovery Scan Tool (FRST):
Double-click to run it. When the tool opens, click Yes to the disclaimer.
NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.
Press the Scan button. Farbar Recovery Scan Tool will produce the following logs:
FRST.txt
Addition.txt
Attach the following logs to your reply:
Emsisoft Emergency Kit log (C:\EEK\Reports)
FRST.txt
Addition.txt
IMPORTANT NOTE: Any logs that are copied and pasted to a post will be removed from the post without being read. Do not alter or change the logs in any way.
Once a Malware Removal Specialist has replied to your request for malware removal, they will handle your case from start to finish. You will have 72 hours to reply to any instructions given by the Malware Removal Specialist handling your case. Failure to comply with requests for information or instructions from the Malware Removal Specialist handling your case will result in the locking of your thread.
  21. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  22. Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.