My Laptop Got Infected by Ransomware [Closed]

#1
wakodeprashant6

wakodeprashant6

    New Member

  • Member
  • Pip
  • 4 posts

Hi, I'd earlier posted about the same problem at http://www.geekstogo...malware-attack/. My laptop is infected by ransomware and each file (audio, images, video, etc.) is encrypted with the .a9e3 extension. How do I recover them? I have removed the virus from the laptop via AVG antivirus software but wasn't able to get the original files back. Pasting the required scanning reports. Also attaching them.
--------------
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
Ran by Monkey (administrator) on MONKEY-PC (26-02-2017 15:07:00)
Running from C:\Users\Monkey\Downloads
Loaded Profiles: Monkey (Available Profiles: Monkey)
Platform: Windows 7 Ultimate (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagenta.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvca.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [QuickSet] => C:\Program Files\Dell\QuickSet\QuickSet.exe [3759504 2012-11-14] (Dell Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2780400 2013-09-13] (Synaptics Incorporated)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [NeroFilterCheck] => C:\Windows\SysWOW64\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [240400 2016-12-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [240400 2016-12-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2180680 2016-12-09] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1521115235-458228028-669826753-1000\...\Run: [GoogleChromeAutoLaunch_2DFF1AA5B90BEA6D45DCD82164BF15E6] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [945496 2017-02-01] (Google Inc.)
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} =>  -> No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 103.245.69.5 45.112.0.5
Tcpip\..\Interfaces\{2661D3F7-60F6-4E42-94B7-6A391F93C2C1}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{C040B0B9-DD37-4C08-BC60-EEE154FA202A}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{C693CE1F-D9B8-4E48-804C-2DC07FB1D568}: [DhcpNameServer] 103.245.69.5 45.112.0.5
Tcpip\..\Interfaces\{E22AA2DC-01BF-4145-81A0-684EA8807130}: [DhcpNameServer] 103.245.69.5 45.112.0.5
Tcpip\..\Interfaces\{EC0ADC0B-2DBC-444C-8FCC-F2C88ED51CEB}: [DhcpNameServer] 192.168.42.129
 
Internet Explorer:
==================
HKU\S-1-5-21-1521115235-458228028-669826753-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={D0E6528A-E89A-4D90-8B52-9A617AB4168D}&mid=becc194646ef47cca8226dcc1020707f-d92cea63d541b109351f5bac06ea728dbc26f236&lang=en&ds=AVG&coid=avgtbavg&cmpid=0516pii&pr=fr&d=2016-11-26 12:08:44&v=4.3.6.255&pid=wtu&sg=&sap=hp
SearchScopes: HKU\S-1-5-21-1521115235-458228028-669826753-1000 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={D0E6528A-E89A-4D90-8B52-9A617AB4168D}&mid=becc194646ef47cca8226dcc1020707f-d92cea63d541b109351f5bac06ea728dbc26f236&lang=en&ds=AVG&coid=avgtbavg&cmpid=1216tb&pr=fr&d=2016-11-26 12:08:44&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1521115235-458228028-669826753-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={D0E6528A-E89A-4D90-8B52-9A617AB4168D}&mid=becc194646ef47cca8226dcc1020707f-d92cea63d541b109351f5bac06ea728dbc26f236&lang=en&ds=AVG&coid=avgtbavg&cmpid=1216tb&pr=fr&d=2016-11-26 12:08:44&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-02-17] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-05-20] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Web TuneUp\4.3.6.255\AVG Web TuneUp.dll [2016-12-09] (AVG)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2013-05-20] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-02-10] (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-14] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Monkey\AppData\Roaming\Mozilla\Firefox\Profiles\r4e5a9nm.default [2017-02-22]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\r4e5a9nm.default -> AVG Secure Search
FF Extension: (AVG Web TuneUp) - C:\Users\Monkey\AppData\Roaming\Mozilla\Firefox\Profiles\r4e5a9nm.default\Extensions\[email protected] [2016-12-09]
FF Extension: (Collection of all the available BDA Tuning Model Tuning Space objects on this system) - C:\Users\Monkey\AppData\Roaming\Mozilla\Firefox\Profiles\r4e5a9nm.default\Extensions\{D01B2509-CED5-0EED-4F8B-DE83D44650A8} [2016-10-29] [not signed]
FF SearchPlugin: C:\Users\Monkey\AppData\Roaming\Mozilla\Firefox\Profiles\r4e5a9nm.default\searchplugins\avg-secure-search.xml [2016-12-09]
FF HKU\S-1-5-21-1521115235-458228028-669826753-1000\...\SeaMonkey\Extensions: [[email protected]] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\wtu-secure-search.xml [2016-12-09]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2012-12-16] (VideoLAN)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.6\\npsitesafety.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-02-10] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\new_plugin\npjp2.dll [No File]
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-02-10] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-02-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-02-13] (Microsoft Corporation)
 
Chrome: 
=======
CHR DefaultSearchURL: Default -> hxxp://search.mysearch.com/web?q={searchTerms}
CHR DefaultSearchKeyword: Default -> http://search.mysearch.com
CHR DefaultSuggestURL: Default -> hxxp://search.mysearch.com/ss?sstype=prefix&li=ff&q={searchTerms}
CHR Profile: C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default [2017-02-26]
CHR Extension: (MySearch) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\abicfbjlfphmdjndigagmfkgaobeppbp [2017-02-11]
CHR Extension: (Google Docs) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-07-26]
CHR Extension: (Google Drive) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-26]
CHR Extension: (Nimbus Screenshot & Screen Video Recorder) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpconcjcammlapcogcnnelfmaeghhagj [2017-02-25]
CHR Extension: (Page Analytics (by Google)) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnbdnhhicmebfgdgglcdacdapkcihcoh [2016-12-28]
CHR Extension: (Google Docs Offline) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-07-26]
CHR Extension: (AdBlock) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-02-25]
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2017-02-24]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2017-02-26]
CHR Extension: (Seen On Screen) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\jemfifkoelgbkgpcbhjlebmcdmffgjff [2017-02-11]
CHR Extension: (Save to Pocket) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\niloccemoadcdkdjlinkgdfekeahmflj [2017-02-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Chrome Media Router) - C:\Users\Monkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-09]
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [971160 2017-01-09] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagenta.exe [5337600 2017-01-09] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1146128 2016-12-06] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvca.exe [725976 2017-01-09] (AVG Technologies CZ, s.r.o.)
R2 vToolbarUpdater40.3.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe [1349704 2016-12-09] (AVG Secure Search)
S3 wampapache; c:\wamp\bin\apache\apache2.2.17\bin\httpd.exe [20549 2010-12-31] (Apache Software Foundation) [File not signed]
S3 wampmysqld; c:\wamp\bin\mysql\mysql5.5.8\bin\mysqld.exe [8133120 2010-12-31] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [980552 2016-12-09] ()
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [163072 2016-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [312576 2016-11-04] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [267008 2016-10-05] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [298240 2016-11-30] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360736 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [254208 2016-09-26] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [52992 2016-06-01] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [299264 2016-07-27] (AVG Technologies CZ, s.r.o.)
R0 avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [77056 2016-06-20] (AVG Technologies CZ, s.r.o.)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [34544 2013-09-13] (Synaptics Incorporated)
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-26 15:07 - 2017-02-26 15:07 - 00017361 _____ C:\Users\Monkey\Downloads\FRST.txt
2017-02-26 15:06 - 2017-02-26 15:07 - 00000000 ____D C:\FRST
2017-02-26 15:05 - 2017-02-26 15:06 - 02423296 _____ (Farbar) C:\Users\Monkey\Downloads\FRST64.exe
2017-02-24 20:34 - 2017-02-24 20:34 - 02509303 _____ C:\Users\Monkey\Downloads\POM_Lecture_3.zip
2017-02-24 20:28 - 2017-02-24 20:28 - 00111520 _____ C:\Users\Monkey\AppData\Local\GDIPFONTCACHEV1.DAT
2017-02-23 15:48 - 2017-02-23 15:50 - 04999008 _____ C:\Windows\system32\FNTCACHE.DAT
2017-02-16 20:16 - 2017-02-16 20:16 - 00000000 ____D C:\Users\Monkey\AppData\Roaming\Reallusion
2017-02-12 15:00 - 2017-02-12 15:00 - 00000000 ___SD C:\Users\Monkey\Documents\My Data Sources
2017-02-11 18:07 - 2017-02-11 18:07 - 00001179 _____ C:\Users\Monkey\Desktop\Client configurator.lnk
2017-02-11 18:07 - 2017-02-11 18:07 - 00001129 _____ C:\Users\Monkey\Desktop\easymeetingClient.lnk
2017-02-11 18:07 - 2017-02-11 18:07 - 00000000 ____D C:\Users\Monkey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Easymeeting
2017-02-11 18:07 - 2017-02-11 18:07 - 00000000 ____D C:\ProgramData\Easymeeting
2017-02-11 18:06 - 2017-02-11 18:07 - 00000000 ____D C:\Program Files (x86)\Easymeeting
2017-02-11 01:19 - 2017-02-11 01:19 - 00284651 _____ C:\Users\Monkey\Desktop\Prashant_Wakode.pdf
2017-02-10 23:53 - 2017-02-10 23:53 - 00000000 ____D C:\Users\Monkey\.ScreamingFrogSEOSpider
2017-02-10 23:47 - 2017-02-10 23:47 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2017-02-10 23:47 - 2017-02-10 23:47 - 00000000 ____D C:\Users\Monkey\AppData\Roaming\Sun
2017-02-10 23:47 - 2017-02-10 23:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-02-10 23:46 - 2017-02-10 23:46 - 00000000 ____D C:\ProgramData\Oracle
2017-02-10 23:43 - 2017-02-10 23:43 - 00000000 ____D C:\Users\Monkey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Screaming Frog SEO Spider
2017-02-10 23:43 - 2017-02-10 23:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Screaming Frog SEO Spider
2017-02-10 23:43 - 2017-02-10 23:43 - 00000000 ____D C:\Program Files (x86)\Screaming Frog SEO Spider
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-08 23:20 - 2016-07-23 18:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-26 15:03 - 2009-07-14 10:15 - 00016944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-26 15:03 - 2009-07-14 10:15 - 00016944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-26 15:01 - 2016-07-23 18:23 - 00000000 ____D C:\ProgramData\MFAData
2017-02-26 14:55 - 2009-07-14 10:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-25 19:38 - 2016-11-06 23:03 - 00003600 _____ C:\Windows\System32\Tasks\AVG EUpdate Task
2017-02-23 16:17 - 2016-07-23 18:17 - 00000000 ____D C:\Users\Monkey\AppData\Roaming\vlc
2017-02-23 16:13 - 2017-01-21 17:40 - 00080099 _____ C:\Users\Monkey\Documents\komal.xlsx
2017-02-22 22:59 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\inf
2017-02-16 20:16 - 2016-09-18 17:32 - 00000000 ____D C:\ProgramData\Creative
2017-02-13 23:33 - 2009-07-14 10:38 - 00032614 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-02-10 23:53 - 2016-07-23 17:42 - 00000000 ____D C:\Users\Monkey
2017-02-10 23:48 - 2016-11-18 15:56 - 00000000 ____D C:\Program Files (x86)\Java
2017-02-10 23:47 - 2016-11-18 15:56 - 00268864 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2017-02-10 23:14 - 2016-07-23 18:24 - 00000000 ____D C:\ProgramData\Adobe
2017-02-10 23:12 - 2016-07-23 18:25 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-02-10 23:11 - 2016-07-23 18:50 - 00000000 ____D C:\Program Files\Common Files\Adobe
2017-02-09 15:07 - 2009-07-14 10:43 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-08 23:21 - 2016-12-03 00:02 - 00000000 ____D C:\Users\Monkey\AppData\LocalLow\Mozilla
2017-02-07 23:01 - 2016-07-26 00:58 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-07 23:01 - 2016-07-26 00:58 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-02-04 08:01 - 2016-12-06 23:32 - 00000000 ____D C:\ProgramData\VMware
2017-02-04 07:58 - 2016-11-06 17:14 - 00000000 ____D C:\Users\Monkey\AppData\Local\AvgSetupLog
2017-01-27 22:50 - 2016-12-26 00:05 - 00000000 ____D C:\Users\Monkey\AppData\Roaming\DMCache
 
==================== Files in the root of some directories =======
 
2016-10-31 14:46 - 2016-11-05 01:48 - 0000000 ____H () C:\Users\Monkey\AppData\Roaming\wincryptzz.txt
2016-10-10 23:57 - 2016-11-05 01:19 - 0000000 ____H () C:\Users\Monkey\AppData\Roaming\winmgr.txt
2016-10-21 01:19 - 2016-10-21 01:19 - 0000480 ____H () C:\Users\Monkey\AppData\Roaming\½Ó
2016-11-05 01:10 - 2016-11-05 01:10 - 0007605 _____ () C:\Users\Monkey\AppData\Local\Resmon.ResmonCfg
2016-10-21 01:19 - 2016-10-21 01:19 - 0000008 ____H () C:\ProgramData\@000001.dat
2016-10-21 01:20 - 2016-11-06 17:11 - 0000000 ____H () C:\ProgramData\@system.temp
2016-10-21 01:19 - 2016-11-04 23:16 - 0000656 ____H () C:\ProgramData\@system3.att
 
Files to move or delete:
====================
C:\ProgramData\@000001.dat
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-11-28 21:18
 
==================== End of FRST.txt ============================
------------
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by Monkey (26-02-2017 15:07:48)
Running from C:\Users\Monkey\Downloads
Windows 7 Ultimate (X64) (2016-07-23 12:11:58)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1521115235-458228028-669826753-500 - Administrator - Disabled)
Guest (S-1-5-21-1521115235-458228028-669826753-501 - Limited - Disabled)
Monkey (S-1-5-21-1521115235-458228028-669826753-1000 - Administrator - Enabled) => C:\Users\Monkey
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: AVG AntiVirus Free Edition (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.3.9120 - Adobe Systems Inc.)
Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.2.152.32 - Adobe Systems Incorporated)
Advanced Audio FX Engine (HKLM-x32\...\Advanced Audio FX Engine) (Version: 1.12.05 - Creative Technology Ltd)
ASAP Utilities (HKLM-x32\...\ASAP Utilities_is1) (Version: 5.2.1 - Bastien Mensink - A Must in Every Office BV)
AVG (Version: 16.141.7998 - AVG Technologies) Hidden
AVG 2016 (Version: 16.0.4756 - AVG Technologies) Hidden
AVG PC TuneUp 2014 (en-US) (x32 Version: 14.0.1001.295 - AVG) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.141.7998 - AVG Technologies)
AVG Web TuneUp (HKLM-x32\...\AVG Web TuneUp) (Version: 4.3.6.255 - AVG Technologies)
CCleaner (HKLM\...\CCleaner) (Version: 4.10 - Piriform)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 17.0.14.0 - Synaptics Incorporated)
Dell Webcam Central (HKLM-x32\...\Dell Webcam Central) (Version: 1.40.05 - Creative Technology Ltd)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
DriverToolkit version 8.5.0.0 (HKLM-x32\...\{D66BF89F-B0A2-48F5-A2E4-242EB645AB76}_is1) (Version: 8.5.0.0 - Megaify Software)
easymeeting™ (remove only) (HKLM-x32\...\Easymeeting) (Version:  - )
FMW 1 (Version: 1.143.3 - AVG Technologies) Hidden
Free FLV Player (HKLM-x32\...\Free FLV Player) (Version:  - )
Free Viewer (HKLM\...\{5EF92F52-FA16-4CA6-A204-811524BEE514}_is1) (Version: 2.5 - Blue Labs, LLC)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.21.153 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2867 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Live! Cam Avatar Creator (HKLM-x32\...\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}) (Version: 4.6.3009.1 - Creative Technology Ltd)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 50.1.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 50.1.0 (x86 en-US)) (Version: 50.1.0 - Mozilla)
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4420.1017 - Microsoft Corporation) Hidden
PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 11.1.007 - Dell Inc.)
Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 7.61.612.2012 - Realtek)
Screaming Frog SEO Spider (HKLM-x32\...\Screaming Frog SEO Spider) (Version: 2.50 - Screaming Frog Ltd)
VanDyke Software AbsoluteFTP 2.2 (HKLM-x32\...\AbsoluteFTP) (Version:  - )
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 2.0.5 (HKLM\...\VLC media player) (Version: 2.0.5 - VideoLAN)
WampServer 2.1 (HKLM-x32\...\WampServer 2_is1) (Version:  - Hervé Leclerc (HeL))
WinRAR 4.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0CCDE28A-7D24-4AFF-99C7-C18CF5D340E8} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-01-21] (Piriform Ltd)
Task: {0EDD6F4A-94D6-4A54-9D39-1DB4C158EEBB} - System32\Tasks\{0FB1E2DA-2C81-40CB-B6DA-81290796818F} => pcalua.exe -a "E:\All Dell Drivers\TP_Synaptics_W7W8_X07_A02_Setup-GN39D_ZPE.exe" -d "E:\All Dell Drivers"
Task: {0FF19057-E6B9-49AF-ABF4-4DA9DC2A76C8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-26] (Google Inc.)
Task: {19AF504A-683C-4837-9AD5-0E03B05174A3} - System32\Tasks\{AD114A5C-9DE9-4D0D-BB7C-F3D320A9B3AE} => Firefox.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=6.18.0.105&LastError=12007
Task: {253BD558-A3E6-47F2-ACD2-1B4CFAF55E82} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {45746BFE-1234-40AF-875C-15A6A824BCDF} - System32\Tasks\{1A1738CB-D5FB-47ED-8A9C-398CE57192F4} => pcalua.exe -a C:\Users\Monkey\Desktop\dotnetfx.exe -d C:\Users\Monkey\Desktop
Task: {4F73384B-6712-44B4-8262-2BD89F209E7F} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe 
Task: {65CC30EA-2FC6-47AB-B9EA-74DB92C02079} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-26] (Google Inc.)
Task: {6E6898E2-2A66-44B0-B14E-7613689E7C54} - System32\Tasks\{73C4EDCB-5D63-4994-B24F-404484A2184C} => pcalua.exe -a "E:\All Dell Drivers\New folder\TP_Synaptics_W7W8_X07_A02_Setup-GN39D_ZPE.exe" -d "E:\All Dell Drivers\New folder"
Task: {AAA763A9-115A-4921-8029-F0CD53BE3924} - System32\Tasks\{12C8CC3C-5037-4AA4-A577-BC10FD2FB2AE} => pcalua.exe -a F:\Setup.exe -d F:\
Task: {C1C8B0E3-B989-41A8-8241-5B83827716AE} - System32\Tasks\{338EDC47-D592-40EF-B1C9-D681F8028D36} => pcalua.exe -a C:\Users\Monkey\Desktop\Install.exe -d C:\Users\Monkey\Desktop
Task: {C63F12B8-0603-4657-85BB-7F88468BE9CD} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe 
Task: {C986F870-9916-4D68-A7D1-D2304620D549} - System32\Tasks\Java™ Platform SE Auto Updater 2 0 => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2016-12-12] (Oracle Corporation)
Task: {D4726138-1AEA-4D0B-9622-BF6C1097B0B9} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2012-10-01] (Microsoft Corporation)
Task: {D7A427AF-B489-49BF-AAC5-AF9021AC6C8B} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-11-26 17:38 - 2016-12-09 10:40 - 00980552 ____N () C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
2013-03-19 21:27 - 2013-03-19 21:27 - 08864936 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2016-07-23 17:55 - 2012-09-28 11:51 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2016-11-26 17:38 - 2016-12-09 10:40 - 02180680 _____ () C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
2013-03-19 21:27 - 2013-03-19 21:27 - 08864912 _____ () C:\Program Files (x86)\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2016-11-29 00:04 - 2016-11-29 00:03 - 48920064 _____ () C:\Program Files (x86)\AVG\UiDll\2623\libcef.dll
2017-02-07 23:01 - 2017-02-01 14:31 - 01870168 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libglesv2.dll
2017-02-07 23:01 - 2017-02-01 14:31 - 00085848 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\Monkey\Local Settings:init [1364924]
AlternateDataStreams: C:\Users\Monkey\AppData\Local:init [1364924]
AlternateDataStreams: C:\Users\Monkey\AppData\Local\Application Data:init [1364924]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-1521115235-458228028-669826753-1000\...\incometaxindiaefiling.gov.in -> hxxps://incometaxindiaefiling.gov.in
IE trusted site: HKU\S-1-5-21-1521115235-458228028-669826753-1000\...\law.incometaxindia.gov.in -> hxxps://law.incometaxindia.gov.in
IE trusted site: HKU\S-1-5-21-1521115235-458228028-669826753-1000\...\services.tdscpc.gov.in -> hxxps://services.tdscpc.gov.in
IE trusted site: HKU\S-1-5-21-1521115235-458228028-669826753-1000\...\www.tdscpc.gov.in -> hxxps://www.tdscpc.gov.in
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 08:04 - 2016-07-26 00:58 - 00000874 ____N C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1521115235-458228028-669826753-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Monkey\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 103.245.69.5 - 45.112.0.5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{0F983F94-1A72-4577-ABB8-0CE62E5C51CE}C:\wamp\bin\apache\apache2.2.17\bin\httpd.exe] => (Allow) C:\wamp\bin\apache\apache2.2.17\bin\httpd.exe
FirewallRules: [UDP Query User{3B8ABB1B-490E-40DE-BC24-72964085FE3F}C:\wamp\bin\apache\apache2.2.17\bin\httpd.exe] => (Allow) C:\wamp\bin\apache\apache2.2.17\bin\httpd.exe
FirewallRules: [{DA08A42B-269F-48C1-B3E5-C6A43E15FC18}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{81C2570F-696E-42AB-8E94-940BC7A101BD}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{B4A6C38B-257E-4A0F-9816-036EECB42721}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{A93084A0-3B2C-4810-98C2-51BB9161C0F0}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [TCP Query User{665A04CF-60B5-4E43-9F89-11EE4F6EC721}C:\windows\syswow64\svchost.exe] => (Block) C:\windows\syswow64\svchost.exe
FirewallRules: [UDP Query User{005AFD11-1BE9-41EC-982E-20458C94CBA3}C:\windows\syswow64\svchost.exe] => (Block) C:\windows\syswow64\svchost.exe
FirewallRules: [{86AF54CF-7953-4920-9C14-BBB1A4D2F75E}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{3885381A-4938-4B8F-9B1F-8121E69E6594}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{E808C764-F738-4B96-A754-E845DFF3CBB1}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{A2E1BAD9-93CD-4F3C-B038-EDEADBB90E38}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6E58730B-460E-44D2-B7DB-06D6CA4F0F66}] => (Allow) C:\Users\Monkey\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{DD6ACAC0-551D-49E5-BFBE-8500433A5C3D}] => (Allow) C:\Users\Monkey\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{A37CE6B3-43EA-4024-B158-9C6D9DDE6ED7}] => (Allow) C:\Users\Monkey\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{7D8D91DB-E6F1-42A6-B635-3D864455B4D4}] => (Allow) C:\Users\Monkey\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{8ED69B31-F0A6-4190-AFDE-21909D20E985}] => (Allow) C:\Users\Monkey\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{FD176A67-67A3-4361-9E82-B65101D90C26}] => (Allow) C:\Users\Monkey\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{717373E8-DA0B-4243-BDA3-21CFAE8B9589}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{80F66292-9FD4-4998-AF8E-9BC4470C3522}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{3B24E91C-04F9-441F-BAC7-78ACFCE475F3}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{11F8963F-D3B6-493C-A0FD-DDAA139EEBFC}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{733428CE-C77B-4CB7-966A-FC3674EB5BD0}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{2A91D64E-C849-4E82-8B1B-DD9F0E64DD4C}C:\program files (x86)\easymeeting\client\clientconfigurator.exe] => (Allow) C:\program files (x86)\easymeeting\client\clientconfigurator.exe
FirewallRules: [UDP Query User{0CDDD685-F9AE-4140-BAC4-9F7BE17A1239}C:\program files (x86)\easymeeting\client\clientconfigurator.exe] => (Allow) C:\program files (x86)\easymeeting\client\clientconfigurator.exe
 
==================== Restore Points =========================
 
17-12-2016 00:52:40 Windows Update
17-12-2016 00:57:25 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
04-02-2017 08:00:06 Removed VMware Player
10-02-2017 22:58:03 Removed Adobe Community Help
10-02-2017 23:02:06 Removed Adobe Media Player
 
==================== Faulty Device Manager Devices =============
 
Name: Universal Serial Bus (USB) Controller
Description: Universal Serial Bus (USB) Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: USB2.0-CRW
Description: USB2.0-CRW
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
 
System errors:
=============
Error: (02/26/2017 02:56:10 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/26/2017 02:56:02 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/26/2017 03:08:07 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/25/2017 11:27:22 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/25/2017 11:27:08 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/25/2017 08:16:29 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/25/2017 07:24:20 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/25/2017 07:24:09 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/25/2017 12:00:40 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
Error: (02/24/2017 08:26:20 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
Access is denied.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-3217U CPU @ 1.80GHz
Percentage of memory in use: 42%
Total physical RAM: 6010.5 MB
Available physical RAM: 3468.77 MB
Total Virtual: 12019.16 MB
Available Virtual: 9211.53 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:149.9 GB) (Free:101.41 GB) NTFS
Drive d: () (Fixed) (Total:150 GB) (Free:2.68 GB) NTFS
Drive e: () (Fixed) (Total:165.76 GB) (Free:84.7 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 8AC95F63)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=150 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=165.8 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 
------------------

  • 0


#2
DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
Hi wakodeprashant6,

Welcome to GeeksToGo! :)

You were infected with a variant of the Locky Ransomware. Last I knew, there is no known way to decrypt files encrypted by Locky. Give me a moment to review the research on the Locky Ransomware to see if anything has changed since you last posted in Nov 2016.

We never encourage victims to pay the ransom because you are only financing cyber terrorism, and the chances of receiving the decryption code after paying the ransom are slim to none. This is why creating backups of your files is so important. We recommend that you image your drive before doing anything else. Then, if in the future there is a way to decrypt the files, you have everything you may need to do so.

Did you happen to back up your files when you found yourself infected with this variant, just in case there is a breakthrough in developing a way to rescue your files?

I do see some malicious files on your system that need to be removed. Let's clean you up a bit. Please do as follows:

Step 1: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 2: AdwCleaner

Download AdwCleaner by clicking here. Please save it to your Desktop.

  • Double-click (Vista and 7 users: right-click) the adwcleaner.exe file, click Run as Administrator and accept the UAC prompt to run AdwCleaner.
  • Once AdwCleaner's control panel is open and it says "Waiting for Action", click on Options at the top of the control panel.
  • Please Check the following options:
    • Reset Proxy Settings
    • Reset Winsock Settings
    • Reset TCP/IP Settings
    • Reset Firewall Settings
    • Reset IPSec Settings
    • Reset BITS Queue
    • Reset Internet Explorer Policies
    • Reset Chrome Policies
  • Close any open windows or browsers.
  • Pause your Anti-Virus program if it is running.
  • Once it starts, click on the Scan button.
  • Let the scan complete itself. This may take a few minutes.
  • Once the scan has finished, it will say "Pending, uncheck elements you don't want to remove." Don't worry about unchecking anything; just click the Cleaning button. When finished, it will ask to reboot. Please reboot.
  • When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:
    • Click the Logfile button and the log will open. Copy and Paste the contents of the log file into your next reply.
    This report is also saved at C:\Adwcleaner
Step 3: WVCheck

Please download WVCheck.exe to your desktop from HERE.
  • Double click WVCheck.exe. (If you downloaded the zipped version you will need to extract it.)
  • As indicated by the prompt, this program can take a while depending on your hard drive space.
  • Once the program is done, copy the contents of the notepad file as a reply.
Please post the following logs in your next reply. In the meantime I will review your FRST and Addition.txt logs above and prepare a fix to rid your computer of the rest of those malicious files.
  • Junkware Removal Tool Log
  • AdwCleaner Log
  • WVCheck log
Thank you,
Donna :)
  • 0

#3
wakodeprashant6

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts

Hey Donna, thank you for your help. I'll take a backup of my files ASAP.


  • 0

#4
DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
Hi wakodeprashant6,

Please do. When you are finished, post the logs from the scans I requested in my last post so we can proceed to cleanse your system. There are a couple of things we can try with regard to recovering your files, but I doubt we will have much success. I have never been one to give up easily.
  • 0

#5
wakodeprashant6

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Sure, Donna. I'll do it by this weekend and let you know. I like your spirit. You are awesome!!!
  • 0

#6
DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
Hi wakodeprashant6,

It was not my intention to make it appear that I had ignored your compliment above, for which I kindly thank you. I got so caught up reviewing the logs in your first post that after a bit of time I thought it best to sit back and wait for the logs I had requested, since running those utilities will make some needed changes.

I got to thinking about your dilemma today and felt it best for me not to wait for you to reply with the logs, just so you know that I am still here and eager to help you in any way that I can.

Donna :)
  • 0

#7
DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


  • 0