bryanclemente, posted February 28, 2019
Please help me decrypt my files. My external hard drives are also infected. What should I do??! Please help! Thank you so much!
Attachments: Addition.txt, FRST.txt, scan_190228-235252.txt

Kevin Zoll, posted March 2, 2019
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version please download and run the updated version.

bryanclemente, posted March 2, 2019
Hi! Please check this Fixlog I've got. Let me know what I should do next. Thanks!
Attachment: Fixlog.txt

Kevin Zoll, posted March 3, 2019
Bryan,
Let's take a fresh look. Run fresh scans with Emsisoft Anti-Malware (EAM) and FRST, and attach the new EAM and FRST scans to your reply. Be sure to let me know how things are running.

bryanclemente, posted March 3, 2019
Okay. So I'll do it all over again. Do you have any live chat support? Because I really want to fix this as soon as possible.

Kevin Zoll, posted March 5, 2019
We do not perform this type of service using live chat.

Kevin Zoll, posted March 8, 2019
Thread Closed
Reason: Lack of Response
PM either Kevin, Elise, or Arthur to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair.

Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE. If you don't, we are just going to send you back to this thread.