wasf2000
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-04-2020
Ran by administrator (administrator) on ALHAZM-SERVER (HP ProLiant ML350 G6) (23-04-2020 07:32:30)
Running from C:\Users\Administrator\Downloads
Loaded Profiles: administrator & SQLAgent$SMACC & MSSQL$SMACC (Available Profiles: admin & assist & waleed & administrator & SQLAgent$SMACC & MSSQL$SMACC & Classic .NET AppPool)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Kaspersky Lab -> AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avp.exe
(Kaspersky Lab -> AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avpui.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\SQLAGENT.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dns.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\iashost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ntfrs.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\snmp.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\vds.exe
(Oracle America, Inc. -> Dyn) C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe <2>
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [BGClients] => cmd /c start /min c:\windows\system32\wbem\123.bat
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042615463\Software\Policies\...\system: [DisableCMD] 0
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042621524\Software\Policies\...\system: [DisableCMD] 0
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\MountPoints2: {c2f48e3b-fc03-11e9-a3ac-80c16e6fc701} - V:\SETUP.EXE
HKU\S-1-5-21-3197573395-1757021686-3003070210-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042617391\...\MountPoints2: {c2f48e3b-fc03-11e9-a3ac-80c16e6fc701} - V:\SETUP.EXE
HKU\S-1-5-18\Software\Policies\...\system: [DisableCMD] 0
HKLM\Software\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
Lsa: [Notification Packages] scecli rassfm
SecurityProviders: credssp.dll, pwdssp.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dyn Updater.lnk [2020-02-22]
ShortcutTarget: Dyn Updater.lnk -> C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe (Oracle America, Inc. -> Dyn)
GroupPolicy: Restriction - Chrome <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {37B67E42-00DF-4EF1-91AA-D5235AAD73EC} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3197573395-1757021686-3003070210-500UA => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {5154FC59-7A38-4C86-BCCA-D3FAD3FFE6A7} - System32\Tasks\scan
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [152064 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [252416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
Task: {7561FAEF-ECD8-4D1A-A821-F10235970ECB} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3197573395-1757021686-3003070210-500Core => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {79B41E33-6C7B-4A20-8D5D-302D882E8656} - System32\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd} => C:\Windows\system32\vssadmin.exe [167424 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {80D49221-8D14-4B59-976C-BA89353DDF4A} - System32\Tasks\{3BFA57ED-F022-4DC4-BAE6-67F562BB2F4C} => E:\Printers\Canon printer\UFRII\us_eng\32BIT\Setup.exe
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [39424 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [252416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd}.job => C:\Windows\system32\vssadmin.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{5A48297C-0B36-4338-B03E-488DF99129B3}: [NameServer] 192.168.1.1
Tcpip\..\Interfaces\{C7F984C1-07CE-49C7-AA72-7E07374C778E}: [NameServer] 216.146.35.35,216.146.36.36,,8.8.8.8
HKLM\System\...\Parameters\PersistentRoutes: [0.0.0.0,0.0.0.0,192.168.1.1,-1]

Internet Explorer:
==================
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
HKU\S-1-5-21-3197573395-1757021686-3003070210-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042617391\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
Handler-x32: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll [2005-09-23] (Microsoft Corporation) [File not signed]

FireFox:
========
FF DefaultProfile: 4uh09obj.default
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4uh09obj.default [2020-04-15]
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bk0mgr8c.default-release [2020-04-18]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\kl_prefs_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.js [2020-04-01] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files\mozilla firefox\kl_config_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.cfg [2020-04-01] <==== ATTENTION

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [487424 2013-01-25] (Microsoft Windows -> Microsoft Corporation)
R2 AVP20.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avp.exe [357416 2019-03-21] (Kaspersky Lab -> AO Kaspersky Lab)
R2 Dfs; C:\Windows\system32\dfssvc.exe [377344 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [4518400 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [700928 2019-04-11] (Microsoft Windows -> Microsoft Corporation)
R2 DynUpdater; C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe [1646784 2019-04-24] (Oracle America, Inc. -> Dyn)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 IsmServ; C:\Windows\System32\ismserv.exe [59392 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 kdc; C:\Windows\System32\lsass.exe [30720 2020-01-03] (Microsoft Windows -> Microsoft Corporation)
S3 klvssbridge64_20.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\x64\vssbridge64.exe [438928 2019-03-21] (Kaspersky Lab -> AO Kaspersky Lab)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [6933272 2020-04-16] (Malwarebytes Inc -> Malwarebytes)
R2 msftesql; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [95592 2007-06-22] (Microsoft Corporation -> Microsoft Corporation)
R2 MSSQL$SMACC; C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\sqlservr.exe [372512 2018-09-07] (Microsoft Corporation -> Microsoft Corporation)
R2 MSSQLSERVER; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29263712 2008-11-24] (Microsoft Corporation -> Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2014-04-28] (Hewlett-Packard) [File not signed]
R2 NTDS; C:\Windows\System32\lsass.exe [30720 2020-01-03] (Microsoft Windows -> Microsoft Corporation)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [1020416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2014-04-28] (Hewlett-Packard) [File not signed]
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [47616 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 SQLAgent$SMACC; C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\SQLAGENT.EXE [613152 2018-09-07] (Microsoft Corporation -> Microsoft Corporation)
R2 SQLSERVERAGENT; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [346976 2008-11-24] (Microsoft Corporation -> Microsoft Corporation)
S4 sysdown; C:\Windows\system32\sysdown.exe [18784 2011-02-17] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [13216784 2020-04-09] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-14] (Microsoft Windows -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 Achernar; C:\Windows\System32\Drivers\Achernar.sys [33592 2014-08-29] (An Chen Computer Co., Ltd. -> NewSoft Technology Corporation)
R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [2210816 2009-06-24] (Microsoft Windows Hardware Compatibility Publisher -> ATI Technologies Inc.)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [246912 2019-02-16] (Kaspersky Lab -> AO Kaspersky Lab)
R3 CpqCiDrv; C:\Windows\System32\DRIVERS\cpqcidrv.sys [51752 2009-05-11] (Hewlett-Packard -> Hewlett-Packard Company)
S3 CPQTeam; C:\Windows\System32\DRIVERS\cpqteam.sys [225792 2011-01-26] (Microsoft Windows Hardware Compatibility Publisher -> Hewlett-Packard Company)
R0 CSCrySec; C:\Windows\System32\DRIVERS\CSCrySec.sys [85048 2009-12-14] (InfoWatch -> Infowatch)
R1 CSVirtualDiskDrv; C:\Windows\System32\DRIVERS\CSVirtualDiskDrv.sys [66104 2009-12-14] (InfoWatch -> Infowatch)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [51776 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66944 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R0 HpCISSs2; C:\Windows\System32\DRIVERS\HpCISSs2.sys [157288 2010-08-10] (Hewlett-Packard -> Hewlett-Packard Company)
R0 hpqilo2; C:\Windows\System32\DRIVERS\hpqilo2.sys [150880 2011-02-17] (Hewlett-Packard Company -> Hewlett-Packard Company)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Microsoft Windows -> Intel Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [531584 2019-03-18] (Kaspersky Lab -> AO Kaspersky Lab)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [79768 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [145504 2020-02-07] (Kaspersky Lab -> AO Kaspersky Lab)
R1 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [93312 2019-03-12] (Kaspersky Lab -> AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [251800 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klgse; C:\Windows\System32\DRIVERS\klgse.sys [586496 2020-01-27] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [1163216 2020-01-24] (Kaspersky Lab -> AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [998296 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klim6; C:\Windows\System32\DRIVERS\klim6.sys [58192 2019-03-19] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [51328 2019-03-13] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klwfp; C:\Windows\System32\DRIVERS\klwfp.sys [105600 2019-03-05] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [211048 2020-02-07] (Kaspersky Lab -> AO Kaspersky Lab)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [232344 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248968 2020-04-23] (Malwarebytes Inc -> Malwarebytes)
S3 q57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Microsoft Windows -> Broadcom Corporation)
S4 RsFx0321; C:\Windows\System32\DRIVERS\RsFx0321.sys [258720 2018-07-25] (Microsoft Corporation -> Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 WLBS; C:\Windows\System32\DRIVERS\NLB.sys [339968 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
S2 MBAMChameleon; \SystemRoot\System32\Drivers\MbamChameleon.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== Three months (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-04-23 07:32 - 2020-04-23 07:33 - 000018262 _____ C:\Users\Administrator\Downloads\FRST.txt
2020-04-23 04:25 - 2020-04-23 04:25 - 000248968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2020-04-19 17:46 - 2020-04-19 17:47 - 176246200 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT (1).exe
2020-04-19 03:52 - 2020-04-19 03:57 - 1925381853 _____ C:\Users\Administrator\Desktop\Logfile.XML
2020-04-19 03:49 - 2020-04-19 03:49 - 030403934 _____ C:\Users\Administrator\Downloads\SysinternalsSuite.zip
2020-04-19 03:33 - 2020-04-19 03:33 - 000001357 _____ C:\Users\Administrator\Desktop\result.txt
2020-04-17 01:52 - 2020-04-17 01:52 - 003827036 _____ C:\Users\Administrator\Downloads\powerevents(1).zip
2020-04-17 01:44 - 2020-04-17 01:45 - 000000000 ____D C:\Users\Administrator\Downloads\powerevents
2020-04-17 01:44 - 2020-04-17 01:44 - 003827036 _____ C:\Users\Administrator\Downloads\powerevents.zip
2020-04-17 01:36 - 2020-04-17 01:36 - 000000000 _____ C:\funs.txt
2020-04-17 00:57 - 2020-04-17 00:57 - 000333952 _____ (ESET) C:\Users\Administrator\Downloads\ESETEternalBlueChecker(1).exe
2020-04-17 00:53 - 2020-04-17 00:33 - 000011915 _____ C:\Users\Administrator\WMILister_20.vbs
2020-04-17 00:38 - 2020-04-17 00:33 - 000011915 _____ C:\Users\Administrator\Downloads\WMILister_20.vbs
2020-04-17 00:33 - 2020-04-17 00:33 - 000011915 _____ C:\WMILister_20.vbs
2020-04-17 00:12 - 2020-04-17 00:12 - 000001808 _____ C:\Users\Administrator\Desktop\WMI.txt
2020-04-16 18:58 - 2020-04-16 18:58 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\mbam
2020-04-16 18:57 - 2020-04-16 18:57 - 000001948 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2020-04-16 18:57 - 2020-04-16 18:57 - 000001948 _____ C:\ProgramData\Desktop\Malwarebytes.lnk
2020-04-16 18:57 - 2020-04-16 18:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2020-04-16 18:55 - 2020-04-16 18:55 - 001965536 _____ (Malwarebytes) C:\Users\Administrator\Downloads\MBSetup(1).exe
2020-04-16 11:17 - 2020-04-18 18:59 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\WPF
2020-04-16 08:40 - 2020-04-16 08:40 - 000003353 _____ C:\Users\Administrator\Downloads\FSS.txt
2020-04-16 08:39 - 2020-04-16 08:39 - 000925696 _____ (Farbar) C:\Users\Administrator\Downloads\FSS.exe
2020-04-15 22:17 - 2020-04-15 22:18 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\is-C209R.tmp
2020-04-15 21:22 - 2020-04-23 04:25 - 000000077 _____ C:\Windows\SysWOW64\wpd1.xml
2020-04-15 21:14 - 2020-04-15 21:14 - 000008562 _____ C:\Users\Administrator\Desktop\report.txt
2020-04-15 18:59 - 2020-04-15 18:59 - 000000000 _____ C:\Users\Administrator\AppData\Local\Temp\KnoEDAF.tmp
2020-04-15 18:54 - 2020-04-15 18:54 - 047857952 _____ (Adlice Software ) C:\Users\Administrator\Downloads\RogueKiller_setup_ref3.exe
2020-04-14 15:28 - 2020-04-23 04:25 - 000000077 _____ C:\Windows\SysWOW64\wpd.xml
2020-04-14 02:43 - 2020-04-23 07:32 - 000000000 ____D C:\FRST
2020-04-14 02:42 - 2020-04-14 02:42 - 002281984 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
2020-04-14 02:30 - 2020-04-14 02:30 - 000333952 _____ (ESET) C:\Users\Administrator\Downloads\ESETEternalBlueChecker.exe
2020-04-14 02:20 - 2020-04-14 02:20 - 000000000 ____D C:\Users\Administrator\Downloads\Autoruns
2020-04-14 02:19 - 2020-04-14 02:19 - 001728127 _____ C:\Users\Administrator\Downloads\Autoruns.zip
2020-04-14 02:03 - 2020-04-14 02:03 - 000022622 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1586819028-727.out
2020-04-14 02:01 - 2020-04-14 02:01 - 000022622 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1586818868-762.out
2020-04-14 01:58 - 2020-04-18 09:21 - 000000000 ____D C:\Program Files\Mozilla Firefox
2020-04-11 01:13 - 2020-04-11 01:13 - 175674808 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT(3).exe
2020-04-07 15:37 - 2020-04-07 15:37 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFA597602FAD7E24E1.TMP
2020-04-06 13:27 - 2020-04-06 13:27 - 006458338 _____ C:\Windows\system32\PerfStringBackup.INI
2020-04-05 13:56 - 2020-04-05 13:56 - 000002146 _____ C:\Users\Public\Desktop\Kaspersky Small Office Security.lnk
2020-04-05 13:56 - 2020-04-05 13:56 - 000002146 _____ C:\ProgramData\Desktop\Kaspersky Small Office Security.lnk
2020-04-05 13:56 - 2020-04-05 13:56 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Small Office Security
2020-04-05 13:55 - 2020-04-23 09:57 - 000000000 ____D C:\ProgramData\Kaspersky Lab
2020-04-05 13:55 - 2020-04-15 13:21 - 000998296 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klif.sys
2020-04-05 13:55 - 2020-04-15 13:21 - 000251800 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klflt.sys
2020-04-05 13:55 - 2020-04-05 13:55 - 000000000 ____D C:\Program Files (x86)\Kaspersky Lab
2020-04-05 13:55 - 2013-05-06 08:13 - 000110176 _____ (Kaspersky Lab ZAO) C:\Windows\system32\klfphc.dll
2020-04-05 13:54 - 2020-04-05 13:54 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DF6DD557B6E3E28AD4.TMP
2020-04-05 13:37 - 2020-04-05 13:39 - 175414200 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT(2).exe
2020-04-05 12:47 - 2020-04-05 12:47 - 000001764 _____ C:\Users\Administrator\AppData\Local\Temp\2mF0Ho2m.38h
2020-04-05 12:47 - 2020-04-05 12:47 - 000001757 _____ C:\Users\Administrator\AppData\Local\Temp\wplysLp8.qZI
2020-04-05 12:30 - 2020-04-05 12:30 - 000001764 _____ C:\Users\Administrator\AppData\Local\Temp\XGN0p24V.MFi
2020-04-05 12:30 - 2020-04-05 12:30 - 000001757 _____ C:\Users\Administrator\AppData\Local\Temp\2i5Og960.6kE
2020-04-05 12:22 - 2020-04-05 12:22 - 000001764 _____ C:\Users\Administrator\AppData\Local\Temp\0yCjBU41.i7H
2020-04-05 12:21 - 2020-04-05 12:21 - 000001757 _____ C:\Users\Administrator\AppData\Local\Temp\2FIoI2VZ.707
2020-04-05 12:02 - 2020-04-05 12:02 - 000001764 _____ C:\Users\Administrator\AppData\Local\Temp\b6n2r8ID.HWZ
2020-04-05 12:02 - 2020-04-05 12:02 - 000001757 _____ C:\Users\Administrator\AppData\Local\Temp\D7GcsvFp.bG8
2020-04-05 11:52 - 2020-04-05 11:53 - 216974480 _____ C:\Users\Administrator\Downloads\avira_server_security_en.exe
2020-04-05 11:44 - 2020-04-05 13:04 - 000000000 ____D C:\Program Files (x86)\Avira
2020-04-05 11:34 - 2020-04-05 11:36 - 225041680 _____ (Avira Operations GmbH & Co. KG) C:\Users\Administrator\Downloads\avira_antivirus_en-us(1).exe
2020-04-05 11:28 - 2020-04-05 11:28 - 000036600 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Drivers\npf.sys
2020-04-05 11:27 - 2020-04-05 11:27 - 000282360 _____ (Riverbed Technology, Inc.) C:\Windows\SysWOW64\wpcap.dll
2020-04-05 11:27 - 2020-04-05 11:27 - 000102136 _____ (Riverbed Technology, Inc.) C:\Windows\SysWOW64\packet.dll
2020-04-05 11:27 - 2020-04-05 11:27 - 000048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\npptools.dll
2020-04-05 10:35 - 2020-04-05 11:04 - 000528094 _____ C:\Windows\ntbtlog.txt
2020-04-05 10:22 - 2020-04-05 10:22 - 000000128 _____ C:\Windows\system32\config\netlogon.ftl
2020-04-05 01:13 - 2020-04-05 01:13 - 000000000 ____D C:\Users\Administrator\Downloads\Gridinsoft Anti-Malware 4.1.34.Build 4820
2020-04-05 01:13 - 2020-04-05 01:13 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\WinRAR
2020-04-05 01:08 - 2020-04-05 01:13 - 087175575 _____ C:\Users\Administrator\Downloads\Gridinsoft Anti-Malware 4.1.34.Build 4820.rar
2020-04-04 17:09 - 2020-04-14 02:13 - 000000000 ____D C:\Program Files\GridinSoft Anti-Malware
2020-04-04 14:22 - 2020-04-04 14:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+yasser.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+yahya.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+waleed.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+tariq.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+sun.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+sultan.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+sec.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+sami.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+salqasm.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+salman.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+saad.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+rakanm.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+rakan.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+qa.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+prog.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+pc3.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+pc2.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+pc1.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+omar.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+n.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+mshari.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+mohammedw.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+mohammed.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+menhaj.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+malzhrani.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+malsafar.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+malnabaoi.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+malamer.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+maher.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+laptop1.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+khalida.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+khalid.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+kalasmari.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ibra.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ialhammad.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+husain.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+hamad.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+frzat.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+fin.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+faris.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+fahad.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ejt.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+eid.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+bader.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aymans.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+assist.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ammar.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ali.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+alhazmlab.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+alhajri.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+akhalid.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ahmedm.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+administrator.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+admin.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+abdulmalik.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+Abdullahnq7.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+abdug.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aalsalh.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aalhosini.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aalbokiri.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aalasmri.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aabdalbari.bmp
2020-04-01 07:42 - 2020-04-01 07:42 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\2
2020-04-01 02:36 - 2020-04-01 02:36 - 000022622 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585697790-665.out
2020-04-01 02:34 - 2020-04-01 02:35 - 000000222 _____ C:\Windows\SysWOW64\report.file
2020-04-01 02:34 - 2020-04-01 02:34 - 000000111 _____ C:\Windows\system32\report.file
2020-04-01 02:32 - 2020-04-01 02:33 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{42EF9D13-5E53-44E4-8E66-C55BA2EBD6DE}
2020-04-01 02:26 - 2020-04-01 02:26 - 000277720 _____ C:\Users\Administrator\AppData\Local\Temp\dd_ReportViewerMSI5D5D.txt
2020-04-01 02:26 - 2020-04-01 02:26 - 000013626 _____ C:\Users\Administrator\AppData\Local\Temp\dd_ReportViewerUI5D5D.txt
2020-03-31 22:11 - 2020-03-31 22:11 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{30AB77A8-AC12-4C56-BBDF-97E0AD37835F}
2020-03-29 06:12 - 2020-03-29 06:20 - 3917530545 _____ C:\Users\Administrator\Downloads\WindowsImageBackup.zip
2020-03-28 22:10 - 2020-03-28 22:10 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585422646-983.out
2020-03-28 22:10 - 2020-03-28 22:10 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585422601-964.out
2020-03-28 22:09 - 2020-03-28 22:09 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585422574-602.out
2020-03-28 18:24 - 2020-03-28 18:26 - 178423736 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT(1).exe
2020-03-28 18:09 - 2020-03-28 18:09 - 000000130 ___RH C:\Users\Administrator\Downloads\Stinger.opt
2020-03-28 16:29 - 2020-03-28 16:31 - 000000828 _____ C:\Users\Administrator\Downloads\Stinger_28032020_162902.html
2020-03-28 16:28 - 2020-03-28 16:28 - 017779200 _____ (McAfee LLC) C:\Users\Administrator\Downloads\stinger64.exe
2020-03-28 16:20 - 2020-03-28 16:21 - 010527368 _____ C:\Users\Administrator\Downloads\BDRemTool.exe
2020-03-28 16:19 - 2020-03-28 16:19 - 011845608 _____ (Bitdefender LLC) C:\Users\Administrator\Downloads\BootkitRemoval_x64(2).exe
2020-03-28 14:42 - 2020-03-28 14:42 - 000000000 ____D C:\ProgramData\Sophos
2020-03-28 14:38 - 2020-03-28 14:38 - 000270160 _____ (AVG Technologies CZ, s.r.o.)
C:\Users\Administrator\Downloads\avg_antivirus_free_setup.exe 2020-03-28 14:36 - 2020-03-28 14:37 - 188047008 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool.exe 2020-03-28 14:35 - 2020-03-28 14:35 - 011845608 _____ (Bitdefender LLC) C:\Users\Administrator\Downloads\BootkitRemoval_x64(1).exe 2020-03-28 14:34 - 2020-03-28 14:34 - 011845608 _____ (Bitdefender LLC) C:\Users\Administrator\Downloads\BootkitRemoval_x64.exe 2020-03-28 14:24 - 2020-03-28 14:24 - 002522224 _____ (Wiper Software, UAB) C:\Users\Administrator\Downloads\WiperSoft-installer.exe 2020-03-28 13:05 - 2020-04-14 02:08 - 000000000 _____ C:\Users\Administrator\AppData\Local\Temp\htmpl.htm 2020-03-28 06:37 - 2020-03-28 06:37 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{FC4C85FD-CA74-4102-89D2-3F0003CE1D46} 2020-03-28 06:25 - 2020-04-04 17:08 - 000000000 ____D C:\Users\Administrator\Downloads\GrdSoft.AntiMalwr.4.1.34_sigma4pc.com 2020-03-28 06:25 - 2020-03-28 06:25 - 000000000 ____D C:\Users\Administrator\Downloads\P_GrdSoft.AntiMalwr.4.1.34_sigma4pc.com 2020-03-28 06:24 - 2020-04-04 17:06 - 000000000 ____D C:\Users\Administrator\Downloads\GSAM4.1.34.4820TND 2020-03-28 06:15 - 2020-03-28 06:15 - 001447178 _____ (Igor Pavlov) C:\Users\Administrator\Downloads\7z1900-x64.exe 2020-03-28 06:03 - 2020-03-28 06:08 - 085359630 _____ C:\Users\Administrator\Downloads\GrdSoft.AntiMalwr.4.1.34_sigma4pc.com.rar 2020-03-28 05:58 - 2020-03-28 05:58 - 087301492 _____ C:\Users\Administrator\Downloads\GSAM4.1.34.4820TND.rar 2020-03-28 05:17 - 2020-04-18 09:20 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Mozilla 2020-03-28 05:17 - 2020-03-28 05:18 - 000000000 ____D C:\ProgramData\Mozilla 2020-03-28 05:17 - 2020-03-28 05:17 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla 2020-03-28 05:16 - 2020-03-28 05:16 - 000319824 _____ (Mozilla) C:\Users\Administrator\Downloads\Firefox Installer.exe 2020-03-28 04:57 - 2020-04-14 02:13 - 000000000 ____D 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware 2020-03-28 04:57 - 2020-03-28 04:57 - 000000000 ____D C:\ProgramData\GridinSoft 2020-03-28 04:56 - 2020-03-28 04:57 - 001214416 _____ C:\Users\Administrator\Downloads\install-antimalware.exe 2020-03-28 04:49 - 2020-03-28 18:22 - 000000000 ____D C:\Users\Administrator\Downloads\avira_antivir_antirootkit_en 2020-03-28 04:48 - 2020-03-28 04:48 - 000089324 _____ C:\Users\Administrator\Downloads\avira_antivir_antirootkit_en.zip 2020-03-28 04:47 - 2020-03-28 04:56 - 000000000 ____D C:\ProgramData\TEMP 2020-03-28 04:47 - 2019-10-19 11:13 - 000129872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSSTDFMT.DLL 2020-03-28 04:45 - 2020-03-28 04:45 - 004354328 _____ (BrightFort LLC ) C:\Users\Administrator\Downloads\spywareblastersetup56.exe 2020-03-28 04:45 - 2020-01-30 05:30 - 000834560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll 2020-03-28 04:45 - 2020-01-30 05:23 - 001010688 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll 2020-03-28 04:30 - 2020-03-28 07:21 - 000076197 _____ C:\Windows\ZAM.krnl.trace 2020-03-28 04:26 - 2020-03-28 04:26 - 012741568 _____ (Zemana Ltd. 
) C:\Users\Administrator\Downloads\AntiMalware_Setup.exe 2020-03-28 04:13 - 2020-03-28 04:13 - 000000013 _____ C:\Users\Administrator\AppData\Local\Temp\jawshtml.html 2020-03-28 04:13 - 2020-03-28 04:13 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Sun 2020-03-28 04:12 - 2020-03-28 04:13 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\hsperfdata_administrator 2020-03-28 04:09 - 2020-03-28 04:10 - 076845600 _____ (Oracle Corporation) C:\Users\Administrator\Downloads\jre-8u241-windows-x64.exe 2020-03-28 03:54 - 2020-03-28 03:54 - 000050688 _____ (Atribune.org) C:\Users\Administrator\Downloads\ATF-Cleaner.exe 2020-03-28 02:30 - 2020-03-28 02:30 - 000000000 ____D C:\Windows\SysWOW64\ServerMigrationTools 2020-03-28 02:29 - 2020-03-28 02:29 - 000000000 ____D C:\Windows\system32\ServerMigrationTools 2020-03-27 04:34 - 2020-03-27 04:34 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{FC137322-9F52-482B-9D5C-17D4A69A3F33} 2020-03-27 04:20 - 2020-03-27 04:20 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{63959CDF-9D69-4D06-9E4D-7F40C3EF42B1} 2020-03-27 00:38 - 2020-03-27 00:39 - 000000029 _____ C:\Users\Administrator\Desktop\avira.txt 2020-03-27 00:38 - 2020-03-27 00:38 - 219655040 _____ (Avira Operations GmbH & Co. 
KG) C:\Users\Administrator\Downloads\avira_antivirus_en-us.exe 2020-03-25 15:55 - 2020-03-25 15:55 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFE94B35295AFD3FCB.TMP 2020-03-25 14:00 - 2020-03-25 14:00 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585134049-33.out 2020-03-25 14:00 - 2020-03-25 14:00 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585134030-369.out 2020-03-25 13:56 - 2020-03-25 13:56 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFBED540CDD0B98EFB.TMP 2020-03-25 11:00 - 2020-03-25 11:00 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFF93832665B2775BB.TMP 2020-03-25 11:00 - 2020-03-25 11:00 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFF4B04B19A54D0FAD.TMP 2020-03-25 06:50 - 2020-03-25 06:50 - 000018196 _____ C:\Users\Administrator\AppData\Local\Temp\~glary_lng.dat 2020-03-25 06:50 - 2020-03-25 06:50 - 000008827 _____ C:\Users\Administrator\AppData\Local\Temp\~glary_ref.dat 2020-03-25 06:50 - 2020-03-25 06:50 - 000000483 _____ C:\Users\Administrator\AppData\Local\Temp\~glaryutilities-version.dat 2020-03-25 06:46 - 2020-03-25 15:55 - 000001231 _____ C:\Users\Administrator\AppData\Local\Temp\~upgrade.dat 2020-03-25 06:46 - 2020-03-25 15:55 - 000000184 _____ C:\Users\Administrator\AppData\Local\Temp\~autoupdate.dat 2020-03-25 06:46 - 2020-03-25 06:46 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFE632DA7A359B33EA.TMP 2020-03-25 06:46 - 2020-03-25 06:46 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DF9458BBC1678115F6.TMP 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\taskshostservices.exe 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\WinmonProcessMonitor.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\winmonfs.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\winmon.sys 2020-03-25 06:45 
- 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\taskshostservices.exe 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\WinmonProcessMonitor.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\winmonfs.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\winmon.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SysWOW64\SecureBootThemes 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\system32\SecureBootThemes 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SpeechsTracing 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SecureBootThemes 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\AppDiagnostics 2020-03-25 06:44 - 2020-03-25 06:44 - 000032768 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb-shm 2020-03-25 06:44 - 2020-03-25 06:44 - 000012288 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb 2020-03-25 06:44 - 2020-03-25 06:44 - 000000000 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb-wal 2020-03-25 05:12 - 2020-03-25 06:32 - 000000000 ____D C:\KVRT_Data 2020-03-25 05:10 - 2020-03-25 05:10 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\DiskDefrag 2020-03-25 05:09 - 2020-03-25 19:10 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\GlarySoft 2020-03-25 05:09 - 2020-03-25 05:09 - 000002572 _____ C:\GUDownLoaddebug.txt 2020-03-25 05:08 - 2020-03-25 19:10 - 000000000 ____D C:\Program Files (x86)\Glarysoft 2020-03-25 05:04 - 2020-03-25 05:04 - 000079382 _____ C:\Users\Administrator\Documents\cc_20200325_050433.reg 2020-03-25 03:30 - 2020-03-25 03:30 - 022267744 _____ (Piriform Software Ltd) C:\Users\Administrator\Downloads\cctrialsetup.exe 2020-03-25 03:16 - 2020-03-25 03:16 - 006044256 _____ (Glarysoft Ltd) C:\Users\Administrator\Downloads\rrsetup.exe 2020-03-24 23:41 - 
2020-03-24 23:42 - 178138552 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT.exe 2020-03-24 22:39 - 2020-04-16 18:56 - 000153312 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys 2020-03-24 22:38 - 2020-03-24 22:38 - 000000000 ____D C:\Program Files\Malwarebytes 2020-03-24 22:36 - 2020-03-24 22:36 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DF4E8AFEE2022E9F34.TMP 2020-03-24 22:35 - 2020-04-23 07:33 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\1 2020-03-24 21:05 - 2020-03-24 21:06 - 001957784 _____ (Malwarebytes) C:\Users\Administrator\Downloads\MBSetup.exe 2020-03-24 21:01 - 2020-04-23 00:46 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\TeamViewer 2020-03-24 20:41 - 2020-03-24 20:41 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFD1AF6D49AB7E7881.TMP 2020-03-24 20:25 - 2020-03-24 20:25 - 006003272 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev135.exe 2020-03-24 19:43 - 2020-03-24 19:43 - 002526656 _____ (Kaspersky) C:\Users\Administrator\Downloads\startup.exe 2020-03-24 19:04 - 2020-03-24 19:04 - 002567616 _____ (Kaspersky) C:\Users\Administrator\Downloads\ksos20.0.14.1085abcdefghar_en_19402.exe 2020-03-24 17:45 - 2020-03-24 17:45 - 209302180 _____ C:\Users\Administrator\Documents\reg.reg 2020-03-24 17:12 - 2020-03-24 17:12 - 000000000 ____D C:\ProgramData\Google 2020-03-24 17:01 - 2020-03-24 17:01 - 015560704 _____ C:\Users\Administrator\Downloads\chromeremotedesktophost.msi 2020-03-24 17:00 - 2020-03-24 17:00 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps 2020-03-08 16:51 - 2020-04-01 02:33 - 000000000 ____D C:\Windows\system32\appmgmt 2020-03-03 22:27 - 2020-03-03 22:27 - 002007844 _____ C:\Users\Administrator\Downloads\ProcessExplorer.zip 2020-03-03 22:27 - 2020-03-03 22:27 - 000000000 ____D C:\Users\Administrator\Downloads\ProcessExplorer 2020-02-23 17:35 - 2020-02-23 17:35 - 000000000 ____D 
C:\Users\waleed\AppData\Local\Temp\mbam 2020-02-18 19:31 - 2020-04-09 10:21 - 000000000 ____D C:\Program Files (x86)\SMADAV 2020-02-18 19:31 - 2020-04-09 10:20 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Smadav 2020-02-18 19:31 - 2020-03-25 04:59 - 000000000 __SHD C:\[Smad-Cage] 2020-02-18 19:28 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134 (2).exe 2020-02-18 19:27 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134.exe 2020-02-18 19:27 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134 (1).exe 2020-02-18 19:13 - 2020-02-18 19:13 - 000014041 _____ C:\Users\Administrator\Desktop\View running processes with Task Manager - Shortcut.lnk 2020-02-17 20:57 - 2020-02-17 20:57 - 000000000 ____D C:\ProgramData\Loaris 2020-02-17 20:24 - 2020-04-18 09:31 - 000001315 _____ C:\Users\Administrator\Downloads\SpyHunter52020.zip 2020-02-17 20:24 - 2020-04-18 09:30 - 000001315 _____ C:\Users\Administrator\Downloads\SpyHunter52020 (1).zip 2020-02-17 20:11 - 2020-02-17 20:11 - 000000000 ____D C:\AdwCleaner 2020-02-17 17:36 - 2020-02-17 17:37 - 000001835 _____ C:\Users\Administrator\Desktop\kprm-20200217173629.txt 2020-02-17 17:36 - 2020-02-17 17:36 - 000000000 ____D C:\KPRM 2020-02-16 20:41 - 2020-03-31 16:24 - 000000000 ____D C:\Windows\pss 2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\Windows\system32\Drivers\etc\BACKUP 2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\ProgramData\Malwarebytes 2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\Program Files (x86)\Malwarebytes 2020-02-10 11:03 - 2020-02-10 11:03 - 000001883 _____ C:\Users\Administrator\Desktop\972341447.lnk 2020-02-09 14:52 - 2020-02-09 14:52 - 000000000 _____ C:\Windows\SysWOW64\TmpB791.tmp 2020-02-09 01:15 - 2020-04-17 05:04 - 000000079 _____ C:\Windows\system32\wpd1.xml 2020-02-09 01:15 - 2020-04-17 05:04 - 000000079 _____ 
C:\Windows\system32\wpd.xml 2020-02-08 21:16 - 2020-02-08 21:16 - 000000000 ____D C:\Windows\java 2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\Program Files\mainsoft 2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\Program Files\kugou2010 2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\download 2020-02-07 16:57 - 2020-04-15 13:21 - 000079768 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klbackupdisk.sys 2020-02-07 16:57 - 2020-02-07 16:57 - 000211048 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klwtp.sys 2020-02-07 16:57 - 2020-02-07 16:57 - 000145504 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klbackupflt.sys 2020-01-27 07:42 - 2020-01-27 07:42 - 000586496 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klgse.sys 2020-01-25 01:03 - 2020-01-25 01:03 - 000000000 ____D C:\Windows\تابعني 2020-01-25 01:03 - 2020-01-25 01:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mobily.ws 2020-01-24 04:36 - 2020-01-24 04:36 - 001163216 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys ==================== Three months (modified) ================== (If an entry is included in the fixlist, the file/folder will be moved.) 
2020-04-23 07:00 - 2015-09-04 13:01 - 000000446 _____ C:\Windows\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd}.job 2020-04-23 04:32 - 2009-07-14 07:49 - 000026000 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2020-04-23 04:32 - 2009-07-14 07:49 - 000026000 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2020-04-23 04:26 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\inetsrv 2020-04-23 04:24 - 2013-10-21 21:02 - 000000000 ____D C:\Program Files (x86)\TeamViewer 2020-04-23 04:24 - 2013-10-12 22:32 - 000005536 _____ C:\Windows\system32\config\netlogon.dnb 2020-04-23 04:24 - 2013-10-12 22:32 - 000002271 _____ C:\Windows\system32\config\netlogon.dns 2020-04-23 04:24 - 2013-10-12 22:10 - 000000000 ____D C:\Windows\system32\dns 2020-04-23 04:23 - 2013-10-12 22:12 - 000000000 ____D C:\Windows\NTDS 2020-04-23 04:23 - 2009-07-14 08:06 - 000000006 ____H C:\Windows\Tasks\SA.DAT 2020-04-19 17:46 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\NDF 2020-04-17 11:04 - 2013-10-10 11:27 - 000000000 ____D C:\Users\Administrator 2020-04-15 21:12 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\inf 2020-04-15 21:12 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\Help 2020-04-15 13:21 - 2019-03-19 02:31 - 000232344 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\kneps.sys 2020-04-15 11:58 - 2013-10-23 23:40 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Temp 2020-04-15 11:58 - 2009-09-18 04:52 - 001056362 _____ C:\Windows\system32\perfh00A.dat 2020-04-15 11:58 - 2009-09-18 04:52 - 000273364 _____ C:\Windows\system32\perfc00A.dat 2020-04-15 11:58 - 2009-09-18 04:45 - 001011720 _____ C:\Windows\system32\perfh007.dat 2020-04-15 11:58 - 2009-09-18 04:45 - 000260304 _____ C:\Windows\system32\perfc007.dat 2020-04-15 11:58 - 2009-09-18 04:39 - 001047294 _____ C:\Windows\system32\perfh010.dat 2020-04-15 11:58 - 2009-09-18 04:39 - 
000257984 _____ C:\Windows\system32\perfc010.dat 2020-04-15 11:58 - 2009-09-18 04:33 - 001057430 _____ C:\Windows\system32\perfh00C.dat 2020-04-15 11:58 - 2009-09-18 04:33 - 000262488 _____ C:\Windows\system32\perfc00C.dat 2020-04-10 23:53 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\Registration 2020-04-05 13:56 - 2013-10-10 22:26 - 000000000 ____D C:\ProgramData\Kaspersky Lab Setup Files 2020-04-05 11:29 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system 2020-04-04 14:25 - 2013-10-10 21:31 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information 2020-04-04 14:22 - 2019-10-28 18:47 - 000000000 ____D C:\Program Files\7-Zip 2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR 2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR 2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\Program Files (x86)\WinRAR 2020-04-01 02:42 - 2014-08-29 13:46 - 000000000 ____D C:\Program Files (x86)\HP 2020-04-01 02:42 - 2013-10-22 20:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP 2020-04-01 02:37 - 2013-10-26 12:30 - 000000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8 2020-04-01 02:36 - 2013-10-22 21:30 - 000000000 ____D C:\Program Files (x86)\FPSensor 2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Management Agents 2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\hp 2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\compaq 2020-04-01 02:35 - 2013-10-10 21:30 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP System Tools 2020-04-01 02:34 - 2013-10-10 21:30 - 000000000 ____D C:\Program Files\HP 2020-04-01 02:33 - 2013-10-10 11:29 - 000000000 ____D C:\Program Files (x86)\Hewlett-Packard 2020-03-28 08:47 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\rescache 
2020-03-28 06:32 - 2019-10-28 10:52 - 000000000 ____D C:\Users\Classic .NET AppPool 2020-03-28 06:32 - 2019-05-07 14:00 - 000000000 ____D C:\Users\waleed 2020-03-28 06:32 - 2014-09-10 18:05 - 000000000 ____D C:\Users\admin 2020-03-28 06:32 - 2013-11-09 21:52 - 000000000 ____D C:\Users\assist 2020-03-28 04:54 - 2013-10-11 16:14 - 000112994 __RSH C:\ProgramData\ntuser.pol 2020-03-28 04:50 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy 2020-03-28 02:45 - 2009-07-14 08:07 - 000000000 ____D C:\Windows\system32\ServerManager 2020-03-28 02:30 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\SysWOW64\migwiz 2020-03-28 02:30 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\migwiz 2020-03-25 13:58 - 2013-10-22 21:26 - 000000000 ____D C:\Program Files (x86)\Att 2020-03-25 05:03 - 2013-10-26 12:52 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\TeamViewer 2020-03-25 05:02 - 2013-10-10 22:01 - 000000000 ____D C:\Windows\Panther 2020-03-24 20:34 - 2019-11-11 18:00 - 000000000 ____D C:\Program Files (x86)\AnyDesk 2020-03-24 17:06 - 2009-07-14 08:06 - 000032548 _____ C:\Windows\Tasks\SCHEDLGU.TXT 2020-03-24 17:01 - 2015-05-20 22:08 - 000000000 ____D C:\Program Files (x86)\Google ==================== Files in the root of some directories ======== 2020-04-17 00:53 - 2020-04-17 00:33 - 000011915 _____ () C:\Users\Administrator\WMILister_20.vbs 2020-04-01 02:43 - 2020-04-01 02:44 - 000020014 _____ () C:\Users\Administrator\AppData\Local\dd_HelpSetup_UI6A84.txt 2020-02-22 19:18 - 2020-02-22 19:18 - 000007605 _____ () C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg ==================== SigCheckExt ========================= 2018-03-01 21:27 - 2016-02-10 16:33 - 000153088 _____ (CANON INC.) C:\Windows\system32\CNCENPM6.dll 2018-03-01 21:27 - 2013-01-31 21:21 - 000195584 _____ (CANON INC.) C:\Windows\system32\CNCENPR6.dll 2018-03-01 21:27 - 2013-01-31 21:21 - 000105984 _____ (CANON INC.) 
C:\Windows\system32\CNCENPU6.dll 2011-01-19 15:46 - 2011-01-19 15:46 - 000051200 _____ (Hewlett-Packard Company) C:\Windows\system32\cpqnimsg.dll 2011-03-09 03:33 - 2011-03-09 03:33 - 000164864 _____ (Hewlett-Packard Company) C:\Windows\system32\cpqstmsg.dll 2011-03-09 03:33 - 2011-03-09 03:33 - 000030720 _____ C:\Windows\system32\cqstrutl.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000051712 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbmiapi.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000052736 _____ (Hewlett-Packard Company) C:\Windows\system32\hpboid.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000012800 _____ (Hewlett-Packard Company) C:\Windows\system32\hpboidps.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000078848 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbpro.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000013312 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbprops.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000070144 _____ (Hewlett-Packard) C:\Windows\system32\HPBWSDR.DLL 2014-03-18 09:15 - 2014-03-18 09:15 - 000180736 _____ (hp) C:\Windows\system32\hplbddrv.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000067072 _____ (Hewlett-Packard) C:\Windows\system32\HPZidr12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000050688 _____ (Hewlett-Packard) C:\Windows\system32\HPZinw12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000066048 _____ (Hewlett-Packard) C:\Windows\system32\HPZipm12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000046592 _____ (Hewlett-Packard) C:\Windows\system32\HPZipr12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000038400 _____ (Hewlett-Packard) C:\Windows\system32\hpzipt12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000024064 _____ (Hewlett-Packard) C:\Windows\system32\hpzisn12.dll 2011-03-09 17:01 - 2011-03-09 17:01 - 000069632 _____ (Compaq) C:\Windows\system32\svrclu.dll 2011-03-09 17:01 - 2011-03-09 17:01 - 000073216 _____ (Compaq) C:\Windows\system32\svrntc.dll 2013-10-22 20:52 - 2005-03-18 14:18 - 000143360 ____R (Zenographics) 
C:\Windows\apptune1020.exe 2019-06-22 18:00 - 2019-06-22 18:54 - 000796672 _____ (Qsc) C:\Windows\GPInstall.exe 2014-08-29 17:00 - 2007-02-01 15:50 - 000306688 _____ (InstallShield Software Corporation) C:\Windows\IsUninst.exe 2014-08-29 16:59 - 2009-07-27 16:50 - 000087392 _____ (Twain Working Group) C:\Windows\twain.dll 2014-08-29 16:59 - 2009-07-27 16:50 - 000077312 _____ (Twain Working Group) C:\Windows\twain_32.dll 2014-08-29 16:59 - 2009-07-27 16:50 - 000048560 _____ (Twain Working Group) C:\Windows\twunk_16.exe 2014-08-29 16:59 - 2009-07-27 16:50 - 000069632 _____ (Twain Working Group) C:\Windows\twunk_32.exe 2018-03-01 21:27 - 2016-02-10 16:33 - 000153088 _____ (CANON INC.) C:\Windows\SysWOW64\CNCENPM6.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000055296 _____ (Hewlett-Packard) C:\Windows\SysWOW64\HPZidr12.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000039424 _____ (Hewlett-Packard) C:\Windows\SysWOW64\HPZipr12.dll 2009-05-21 20:21 - 2009-05-21 20:21 - 000499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll 2014-08-29 17:01 - 2009-07-27 16:50 - 000401484 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcrtd.dll 2009-05-14 06:22 - 2009-05-14 06:22 - 000082432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml4r.dll 2020-04-05 11:27 - 2020-04-05 11:27 - 000048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\npptools.dll 2019-10-01 12:05 - 2019-10-01 12:05 - 000024576 _____ C:\Windows\SysWOW64\WebbrowsercontrolDialog.dll 2013-10-10 21:30 - 2010-08-27 09:39 - 000053248 _____ (Hewlett Packard) C:\Windows\system32\Drivers\HPTapeDriverVersion.dll 2020-03-28 06:15 - 2020-03-28 06:15 - 001447178 _____ (Igor Pavlov) C:\Users\Administrator\Downloads\7z1900-x64.exe 2020-03-28 03:54 - 2020-03-28 03:54 - 000050688 _____ (Atribune.org) C:\Users\Administrator\Downloads\ATF-Cleaner.exe 2020-04-14 02:42 - 2020-04-14 02:42 - 002281984 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe 2020-04-16 08:39 - 2020-04-16 08:39 - 000925696 _____ 
(Farbar) C:\Users\Administrator\Downloads\FSS.exe ==================== SigCheck ============================ (There is no automatic fix for files that do not pass verification.) ==================== BCD ================================ Windows Boot Manager -------------------- identifier {bootmgr} device partition=C: description Windows Boot Manager locale en-US inherit {globalsettings} default {current} resumeobject {2a977a7d-31df-11e3-8479-80c16e6fc700} displayorder {current} toolsdisplayorder {memdiag} timeout 30 Windows Boot Loader ------------------- identifier {current} device partition=C: path \Windows\system32\winload.exe description Windows Server 2008 R2 locale en-US inherit {bootloadersettings} recoverysequence {2a977a7f-31df-11e3-8479-80c16e6fc700} recoveryenabled Yes osdevice partition=C: systemroot \Windows resumeobject {2a977a7d-31df-11e3-8479-80c16e6fc700} nx OptOut safebootalternateshell No Windows Boot Loader ------------------- identifier {2a977a7f-31df-11e3-8479-80c16e6fc700} device ramdisk=[C:]\Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\Winre.wim,{2a977a80-31df-11e3-8479-80c16e6fc700} path \windows\system32\winload.exe description Windows Recovery Environment inherit {bootloadersettings} osdevice ramdisk=[C:]\Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\Winre.wim,{2a977a80-31df-11e3-8479-80c16e6fc700} systemroot \windows nx OptIn winpe Yes Resume from Hibernate --------------------- identifier {2a977a7d-31df-11e3-8479-80c16e6fc700} device partition=C: path \Windows\system32\winresume.exe description Windows Resume Application locale en-US inherit {resumeloadersettings} filedevice partition=C: filepath \hiberfil.sys debugoptionenabled No Windows Memory Tester --------------------- identifier {memdiag} device partition=C: path \boot\memtest.exe description Windows Memory Diagnostic locale en-US inherit {globalsettings} badmemoryaccess Yes EMS Settings ------------ identifier {emssettings} bootems Yes Debugger Settings ----------------- 
identifier {dbgsettings} debugtype Serial debugport 1 baudrate 115200 RAM Defects ----------- identifier {badmemory} Global Settings --------------- identifier {globalsettings} inherit {dbgsettings} {emssettings} {badmemory} Boot Loader Settings -------------------- identifier {bootloadersettings} inherit {globalsettings} {hypervisorsettings} Hypervisor Settings ------------------- identifier {hypervisorsettings} hypervisordebugtype Serial hypervisordebugport 1 hypervisorbaudrate 115200 Resume Loader Settings ---------------------- identifier {resumeloadersettings} inherit {globalsettings} Device options -------------- identifier {2a977a80-31df-11e3-8479-80c16e6fc700} description Ramdisk Options ramdisksdidevice partition=C: ramdisksdipath \Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\boot.sdi LastRegBack: 2020-04-17 00:07 ==================== End of FRST.txt ======================== -
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
HKLM-x32\...\Run: [BGClients] => cmd /c start /min c:\windows\system32\wbem\123.bat -
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
I did what you told me: I uninstalled Firefox, cleaned IE5 temp and blocked all websites, and it is still there when I reboot the PC. I made a full scan with Kaspersky Small Office Security 7, deleted everything, and made a new scan with Malwarebytes, and I got this result:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/18/20
Scan Time: 7:01 PM
Log File: d8c0378e-818d-11ea-95ec-80c16e6fc701.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22632
License: Free

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: THQURAN\administrator

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 346849
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 2 hr, 31 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.Mirai.E, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BGCLIENTS, No Action By User, 6814, 427730, 1.0.22632, , ame,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
-
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
That's the Malwarebytes log. Every time I restart my PC it comes back.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/17/20
Scan Time: 12:08 AM
Log File: 7c215c64-8026-11ea-8986-80c16e6fc701.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22544
License: Free

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: THQURAN\administrator

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 347047
Threats Detected: 3
Threats Quarantined: 0
Time Elapsed: 2 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 3
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:__FilterToConsumerBinding.Consumer="\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\\\.\\root\\subscription:__EventFilter.Name=\"*****youmm_filter\"", No Action By User, 14977, 621747, , , ,
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:__EventFilter.Name="*****youmm_filter", No Action By User, 14977, 621747, , , ,
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:ActiveScriptEventConsumer.Name="*****youmm_consumer", No Action By User, 14977, 621747, 1.0.22544, , ame,

(end)
-
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
Yes it is, but after I restart my PC it comes back again, even if I use safe mode. -
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
Farbar Service Scanner Version: 14-12-2019
Ran by administrator (administrator) on 16-04-2020 at 08:40:12
Running from "C:\Users\Administrator\Downloads"
Microsoft Windows Server 2008 R2 Standard Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:
==========================

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
ATTENTION!=====> C:\Windows\System32\SDRSVC.dll FILE IS MISSING.
C:\Windows\System32\vssvc.exe => File is digitally signed
ATTENTION!=====> C:\Windows\System32\wscsvc.dll FILE IS MISSING.
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING.
ATTENTION!=====> C:\Program Files\Windows Defender\MsMpEng.exe FILE IS MISSING.
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****
FSS.txt
-
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
Hi, did you mean the last Fixlist.txt that you sent to me before? -
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
RogueKiller Anti-Malware V14.4.0.0 (x64) [Apr 1 2020] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : administrator [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200414_084954, Driver : Loaded
Mode : Standard Scan, Delete -- Date : 2020/04/15 21:12:47 (Duration : 00:08:06)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.WiperSoft (Potentially Malicious)] HKEY_USERS\S-1-5-21-3197573395-1757021686-3003070210-500\Software\WiperSoft -- -> Deleted
[Tr.Gen (Malicious)] get.exe [PPLive Corporation] -- %SystemRoot%\Help\get.exe -> Deleted
[Miner.Gen (Malicious)] aspnet -- %SystemRoot%\inf\aspnet -> Deleted
[Tr.Chapak (Malicious)] rss -- %SystemRoot%\rss -> Deleted
  => Protection Dir -- C:\Windows\rss\csrss.exe\PROTEC~1 [1]
  => csrss.exe -- C:\Windows\rss\csrss.exe [1]
[PUP.EpicNet (Potentially Malicious)] EpicNet Inc -- %localappdata%\EpicNet Inc -> Deleted
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet\cloudnet.exe\PROTEC~1 [1]
  => cloudnet.exe -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet\cloudnet.exe [1]
  => CloudNet -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet [1]
[Tr.Gen (Malicious)] csrss -- %localappdata%\Temp\csrss -> Deleted
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\al.exe\PROTEC~1 [1]
  => al.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\al.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\cloudnet.exe\PROTEC~1 [1]
  => cloudnet.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\cloudnet.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd\i2pd.exe\PROTEC~1 [1]
  => i2pd.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd\i2pd.exe [1]
  => i2pd -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\lsa64.exe\PROTEC~1 [1]
  => lsa64.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\lsa64.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\LSA64I~1.EXE\PROTEC~1 [1]
  => lsa64install_in.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\LSA64I~1.EXE [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\mrt.exe\PROTEC~1 [1]
  => mrt.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\mrt.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\OBFS4P~1.EXE\PROTEC~1 [1]
  => obfs4proxy.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\OBFS4P~1.EXE [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor\tor.exe\PROTEC~1 [1]
  => tor.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor\tor.exe [1]
  => Tor -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\tor.exe\PROTEC~1 [1]
  => tor.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\tor.exe [1]
  => proxy -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\SCHEDU~1.EXE\PROTEC~1 [1]
  => scheduled.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\SCHEDU~1.EXE [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb\e7.exe\PROTEC~1 [1]
  => e7.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb\e7.exe [1]
  => smb -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\vc.exe\PROTEC~1 [1]
  => vc.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\vc.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~1.EXE\PROTEC~1 [1]
  => winboxls-1008-2.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~1.EXE [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~2.EXE\PROTEC~1 [1]
  => winboxscan-1003-2.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~2.EXE [1]
[Miner.Gen (Malicious)] wup -- %localappdata%\Temp\wup -> Deleted
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\wup\wup.exe\PROTEC~1 [1]
  => wup.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\wup\wup.exe [1]
-
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
I got 3 files after I made a full scan again. I attach them: Addition.txt, FRST.txt, Shortcut.txt -
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
Thank you for helping me. The problem is still there.

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-04-2020
Ran by administrator (15-04-2020 11:57:33) Run:1
Running from C:\Users\Administrator\Downloads
Loaded Profiles: administrator & SQLAgent$SMACC & MSSQL$SMACC (Available Profiles: admin & assist & waleed & administrator & SQLAgent$SMACC & MSSQL$SMACC & Classic .NET AppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk [2019-11-11]
ShortcutTarget: AnyDesk.lnk -> C:\Program Files (x86)\AnyDesk\AnyDesk.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {31352DAD-4920-4B3E-8AFD-4E370CB15EC2} - \Mysa1 -> No File <==== ATTENTION
Task: {8500F974-F490-41F1-A9B2-CFF2835BC708} - \ok -> No File <==== ATTENTION
Task: {F333B8C7-0A7E-4FC6-9BB3-951DDB53640F} - \Mysa3 -> No File <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{d8d24426-dbe6-434c-9a13-5b28f765ae01} <==== ATTENTION (Restriction - IP)
S1 amsdk; \??\C:\Windows\system32\drivers\amsdk.sys [X]
S3 dpK00701; system32\DRIVERS\dpK00701.sys [X]
S3 usbdpfp; system32\DRIVERS\usbdpfp.sys [X]
ContextMenuHandlers1-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
ContextMenuHandlers2-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
ContextMenuHandlers6-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"coronav2\"",Filter="__EventFilter.Name=\"coronav\"::
WMI:subscription\__FilterToConsumerBinding->\\.\root\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"*****youmm_filter\":: <==== ATTENTION
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"*****amm4\"",Filter="__EventFilter.Name=\"*****amm3\":: <==== ATTENTION
WMI:subscription\__TimerInstruction->*****youmm_itimer:: <==== ATTENTION
WMI:subscription\__IntervalTimerInstruction->*****youmm_itimer:: <==== ATTENTION
WMI:subscription\__EventFilter->*****amm3::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 180 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'] <==== ATTENTION
WMI:subscription\__EventFilter->*****youmm_filter::[Query => select * from __timerevent where timerid="*****youmm_itimer"] <==== ATTENTION
WMI:subscription\__EventFilter->coronav::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 10900 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System']
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [143]
FirewallRules: [DNSSrv-UDP-Out] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-TCP-Out] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-RPC-TCP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-DNS-UDP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-DNS-TCP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [NTFRS-NTFRSSvc-In-TCP] => (Allow) %SystemRoot%\system32\NTFRS.exe No File
FirewallRules: [DFSR-DFSRSvc-In-TCP] => (Allow) %SystemRoot%\system32\dfsrs.exe No File
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [WindowsServerBackup-wbengine-In-TCP-NoScope] => (Allow) %systemroot%\system32\wbengine.exe No File
FirewallRules: [{ADFED997-72A1-4BB8-8A5C-0008FEED40DD}] => (Allow) C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe No File
ATTENTION: System Restore is disabled (Total:279.55 GB) (Free:126.44 GB) (45%)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\mssecsvc.exe
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Users\Administrator\AppData\Local\Temp\explorer.exe
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\EpicNet Inc
CMD: "%WINDIR%\SYSTEM32\lodctr.exe" /R
CMD: "%WINDIR%\SysWOW64\lodctr.exe" /R
CMD: C:\Windows\SYSTEM32\lodctr.exe" /R
CMD: C:\Windows\SysWOW64\lodctr.exe" /R
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:
*****************

SystemRestore: On => Error
Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisallowRun" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\1" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\2" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\3" => removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk => moved successfully
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" => not found
HKLM\SOFTWARE\Policies\Google => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{31352DAD-4920-4B3E-8AFD-4E370CB15EC2}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31352DAD-4920-4B3E-8AFD-4E370CB15EC2}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mysa1" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{8500F974-F490-41F1-A9B2-CFF2835BC708}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8500F974-F490-41F1-A9B2-CFF2835BC708}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ok" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{F333B8C7-0A7E-4FC6-9BB3-951DDB53640F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F333B8C7-0A7E-4FC6-9BB3-951DDB53640F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mysa3" => not found
"HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\\ActivePolicy" => removed successfully
HKLM\System\CurrentControlSet\Services\amsdk => removed successfully
amsdk => service removed successfully
HKLM\System\CurrentControlSet\Services\dpK00701 => removed successfully
dpK00701 => service removed successfully
HKLM\System\CurrentControlSet\Services\usbdpfp => removed successfully
usbdpfp => service removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7} => removed successfully
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
"CommandLineEventConsumer.Name=\"coronav2\"",Filter="__EventFilter.Name=\"coronav\"" => removed successfully
"\\.\root\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"*****youmm_filter\"" => removed successfully
"CommandLineEventConsumer.Name=\"*****amm4\"",Filter="__EventFilter.Name=\"*****amm3\"" => removed successfully
"*****youmm_itimer" => removed successfully
"*****youmm_itimer" => not found
"*****amm3" => removed successfully
"*****youmm_filter" => removed successfully
"coronav" => removed successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-UDP-Out" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-TCP-Out" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-RPC-TCP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-DNS-UDP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-DNS-TCP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\NTFRS-NTFRSSvc-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DFSR-DFSRSvc-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SPPSVC-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\WindowsServerBackup-wbengine-In-TCP-NoScope" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ADFED997-72A1-4BB8-8A5C-0008FEED40DD}" => removed successfully
ATTENTION: System Restore is disabled (Total:279.55 GB) (Free:126.44 GB) (45%) => Error: No automatic fix found for this entry.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk" => not found
C:\Windows\mssecsvc.exe => moved successfully
C:\Users\Administrator\AppData\Local\Temp\explorer.exe => moved successfully
C:\Users\Administrator\AppData\Roaming\EpicNet Inc => moved successfully

========= "%WINDIR%\SYSTEM32\lodctr.exe" /R =========

Info: Successfully rebuilt performance counter setting from system backup store

========= End of CMD: =========

========= "%WINDIR%\SysWOW64\lodctr.exe" /R =========

Info: Successfully rebuilt performance counter setting from system backup store

========= End of CMD: =========

========= C:\Windows\SYSTEM32\lodctr.exe" /R =========

========= End of CMD: =========

========= C:\Windows\SysWOW64\lodctr.exe" /R =========

========= End of CMD: =========

========= netsh int ip reset =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Restart the computer to complete this action.

========= End of CMD: =========

========= ipconfig /flushDNS =========

Windows IP Configuration
Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 2109189 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 4514507 B
Edge => 0 B
Chrome => 0 B
Firefox => 228216281 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33661 B
systemprofile32 => 66847 B
LocalService => 66847 B
NetworkService => 66847 B
admin => 126106 B
assist => 134394 B
waleed => 155932 B
Administrator => 272791645 B
SQLAgent$SMACC => 272791645 B
MSSQL$SMACC => 272791645 B
Classic .NET AppPool => 272791645 B

RecycleBin => 0 B
EmptyTemp: => 1.2 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 11:58:41 ====
Fixlog.txt
-
Bitcoin miner keeps reappearing after Reboot
wasf2000 replied to wasf2000's topic in Resolved Malware Removal Logs
I attached FRST.txt and Addition.txt.
Addition.txt FRST.txt