wasf2000


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-04-2020
Ran by administrator (administrator) on ALHAZM-SERVER (HP ProLiant ML350 G6) (23-04-2020 07:32:30)
Running from C:\Users\Administrator\Downloads
Loaded Profiles: administrator & SQLAgent$SMACC & MSSQL$SMACC (Available Profiles: admin & assist & waleed & administrator & SQLAgent$SMACC & MSSQL$SMACC & Classic .NET AppPool)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Kaspersky Lab -> AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avp.exe
(Kaspersky Lab -> AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avpui.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\SQLAGENT.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dns.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\iashost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ntfrs.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\snmp.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\vds.exe
(Oracle America, Inc. -> Dyn) C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe <2>
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM-x32\...\Run: [BGClients] => cmd /c start /min c:\windows\system32\wbem\123.bat
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042615463\Software\Policies\...\system: [DisableCMD] 0
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042621524\Software\Policies\...\system: [DisableCMD] 0
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\MountPoints2: {c2f48e3b-fc03-11e9-a3ac-80c16e6fc701} - V:\SETUP.EXE
HKU\S-1-5-21-3197573395-1757021686-3003070210-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042617391\...\MountPoints2: {c2f48e3b-fc03-11e9-a3ac-80c16e6fc701} - V:\SETUP.EXE
HKU\S-1-5-18\Software\Policies\...\system: [DisableCMD] 0
HKLM\Software\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
Lsa: [Notification Packages] scecli rassfm
SecurityProviders: credssp.dll, pwdssp.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dyn Updater.lnk [2020-02-22]
ShortcutTarget: Dyn Updater.lnk -> C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe (Oracle America, Inc. -> Dyn)
GroupPolicy: Restriction - Chrome <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {37B67E42-00DF-4EF1-91AA-D5235AAD73EC} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3197573395-1757021686-3003070210-500UA => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {5154FC59-7A38-4C86-BCCA-D3FAD3FFE6A7} - System32\Tasks\scan
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [152064 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [252416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
Task: {7561FAEF-ECD8-4D1A-A821-F10235970ECB} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3197573395-1757021686-3003070210-500Core => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {79B41E33-6C7B-4A20-8D5D-302D882E8656} - System32\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd} => C:\Windows\system32\vssadmin.exe [167424 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {80D49221-8D14-4B59-976C-BA89353DDF4A} - System32\Tasks\{3BFA57ED-F022-4DC4-BAE6-67F562BB2F4C} => E:\Printers\Canon printer\UFRII\us_eng\32BIT\Setup.exe
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [39424 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [252416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd}.job => C:\Windows\system32\vssadmin.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{5A48297C-0B36-4338-B03E-488DF99129B3}: [NameServer] 192.168.1.1
Tcpip\..\Interfaces\{C7F984C1-07CE-49C7-AA72-7E07374C778E}: [NameServer] 216.146.35.35,216.146.36.36,,8.8.8.8
HKLM\System\...\Parameters\PersistentRoutes: [0.0.0.0,0.0.0.0,192.168.1.1,-1]

Internet Explorer:
==================
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
HKU\S-1-5-21-3197573395-1757021686-3003070210-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042617391\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
Handler-x32: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll [2005-09-23] (Microsoft Corporation) [File not signed]

FireFox:
========
FF DefaultProfile: 4uh09obj.default
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4uh09obj.default [2020-04-15]
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bk0mgr8c.default-release [2020-04-18]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\kl_prefs_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.js [2020-04-01] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files\mozilla firefox\kl_config_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.cfg [2020-04-01] <==== ATTENTION

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [487424 2013-01-25] (Microsoft Windows -> Microsoft Corporation)
R2 AVP20.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avp.exe [357416 2019-03-21] (Kaspersky Lab -> AO Kaspersky Lab)
R2 Dfs; C:\Windows\system32\dfssvc.exe [377344 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [4518400 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [700928 2019-04-11] (Microsoft Windows -> Microsoft Corporation)
R2 DynUpdater; C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe [1646784 2019-04-24] (Oracle America, Inc. -> Dyn)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 IsmServ; C:\Windows\System32\ismserv.exe [59392 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 kdc; C:\Windows\System32\lsass.exe [30720 2020-01-03] (Microsoft Windows -> Microsoft Corporation)
S3 klvssbridge64_20.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\x64\vssbridge64.exe [438928 2019-03-21] (Kaspersky Lab -> AO Kaspersky Lab)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [6933272 2020-04-16] (Malwarebytes Inc -> Malwarebytes)
R2 msftesql; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [95592 2007-06-22] (Microsoft Corporation -> Microsoft Corporation)
R2 MSSQL$SMACC; C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\sqlservr.exe [372512 2018-09-07] (Microsoft Corporation -> Microsoft Corporation)
R2 MSSQLSERVER; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29263712 2008-11-24] (Microsoft Corporation -> Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2014-04-28] (Hewlett-Packard) [File not signed]
R2 NTDS; C:\Windows\System32\lsass.exe [30720 2020-01-03] (Microsoft Windows -> Microsoft Corporation)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [1020416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2014-04-28] (Hewlett-Packard) [File not signed]
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [47616 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 SQLAgent$SMACC; C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\SQLAGENT.EXE [613152 2018-09-07] (Microsoft Corporation -> Microsoft Corporation)
R2 SQLSERVERAGENT; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [346976 2008-11-24] (Microsoft Corporation -> Microsoft Corporation)
S4 sysdown; C:\Windows\system32\sysdown.exe [18784 2011-02-17] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [13216784 2020-04-09] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-14] (Microsoft Windows -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 Achernar; C:\Windows\System32\Drivers\Achernar.sys [33592 2014-08-29] (An Chen Computer Co., Ltd. -> NewSoft Technology Corporation)
R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [2210816 2009-06-24] (Microsoft Windows Hardware Compatibility Publisher -> ATI Technologies Inc.)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [246912 2019-02-16] (Kaspersky Lab -> AO Kaspersky Lab)
R3 CpqCiDrv; C:\Windows\System32\DRIVERS\cpqcidrv.sys [51752 2009-05-11] (Hewlett-Packard -> Hewlett-Packard Company)
S3 CPQTeam; C:\Windows\System32\DRIVERS\cpqteam.sys [225792 2011-01-26] (Microsoft Windows Hardware Compatibility Publisher -> Hewlett-Packard Company)
R0 CSCrySec; C:\Windows\System32\DRIVERS\CSCrySec.sys [85048 2009-12-14] (InfoWatch -> Infowatch)
R1 CSVirtualDiskDrv; C:\Windows\System32\DRIVERS\CSVirtualDiskDrv.sys [66104 2009-12-14] (InfoWatch -> Infowatch)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [51776 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66944 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R0 HpCISSs2; C:\Windows\System32\DRIVERS\HpCISSs2.sys [157288 2010-08-10] (Hewlett-Packard -> Hewlett-Packard Company)
R0 hpqilo2; C:\Windows\System32\DRIVERS\hpqilo2.sys [150880 2011-02-17] (Hewlett-Packard Company -> Hewlett-Packard Company)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Microsoft Windows -> Intel Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [531584 2019-03-18] (Kaspersky Lab -> AO Kaspersky Lab)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [79768 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [145504 2020-02-07] (Kaspersky Lab -> AO Kaspersky Lab)
R1 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [93312 2019-03-12] (Kaspersky Lab -> AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [251800 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klgse; C:\Windows\System32\DRIVERS\klgse.sys [586496 2020-01-27] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [1163216 2020-01-24] (Kaspersky Lab -> AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [998296 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klim6; C:\Windows\System32\DRIVERS\klim6.sys [58192 2019-03-19] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [51328 2019-03-13] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klwfp; C:\Windows\System32\DRIVERS\klwfp.sys [105600 2019-03-05] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [211048 2020-02-07] (Kaspersky Lab -> AO Kaspersky Lab)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [232344 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248968 2020-04-23] (Malwarebytes Inc -> Malwarebytes)
S3 q57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Microsoft Windows -> Broadcom Corporation)
S4 RsFx0321; C:\Windows\System32\DRIVERS\RsFx0321.sys [258720 2018-07-25] (Microsoft Corporation -> Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 WLBS; C:\Windows\System32\DRIVERS\NLB.sys [339968 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
S2 MBAMChameleon; \SystemRoot\System32\Drivers\MbamChameleon.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== Three months (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)
C:\Users\Administrator\Downloads\avg_antivirus_free_setup.exe 2020-03-28 14:36 - 2020-03-28 14:37 - 188047008 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool.exe 2020-03-28 14:35 - 2020-03-28 14:35 - 011845608 _____ (Bitdefender LLC) C:\Users\Administrator\Downloads\BootkitRemoval_x64(1).exe 2020-03-28 14:34 - 2020-03-28 14:34 - 011845608 _____ (Bitdefender LLC) C:\Users\Administrator\Downloads\BootkitRemoval_x64.exe 2020-03-28 14:24 - 2020-03-28 14:24 - 002522224 _____ (Wiper Software, UAB) C:\Users\Administrator\Downloads\WiperSoft-installer.exe 2020-03-28 13:05 - 2020-04-14 02:08 - 000000000 _____ C:\Users\Administrator\AppData\Local\Temp\htmpl.htm 2020-03-28 06:37 - 2020-03-28 06:37 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{FC4C85FD-CA74-4102-89D2-3F0003CE1D46} 2020-03-28 06:25 - 2020-04-04 17:08 - 000000000 ____D C:\Users\Administrator\Downloads\GrdSoft.AntiMalwr.4.1.34_sigma4pc.com 2020-03-28 06:25 - 2020-03-28 06:25 - 000000000 ____D C:\Users\Administrator\Downloads\P_GrdSoft.AntiMalwr.4.1.34_sigma4pc.com 2020-03-28 06:24 - 2020-04-04 17:06 - 000000000 ____D C:\Users\Administrator\Downloads\GSAM4.1.34.4820TND 2020-03-28 06:15 - 2020-03-28 06:15 - 001447178 _____ (Igor Pavlov) C:\Users\Administrator\Downloads\7z1900-x64.exe 2020-03-28 06:03 - 2020-03-28 06:08 - 085359630 _____ C:\Users\Administrator\Downloads\GrdSoft.AntiMalwr.4.1.34_sigma4pc.com.rar 2020-03-28 05:58 - 2020-03-28 05:58 - 087301492 _____ C:\Users\Administrator\Downloads\GSAM4.1.34.4820TND.rar 2020-03-28 05:17 - 2020-04-18 09:20 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Mozilla 2020-03-28 05:17 - 2020-03-28 05:18 - 000000000 ____D C:\ProgramData\Mozilla 2020-03-28 05:17 - 2020-03-28 05:17 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla 2020-03-28 05:16 - 2020-03-28 05:16 - 000319824 _____ (Mozilla) C:\Users\Administrator\Downloads\Firefox Installer.exe 2020-03-28 04:57 - 2020-04-14 02:13 - 000000000 ____D 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware 2020-03-28 04:57 - 2020-03-28 04:57 - 000000000 ____D C:\ProgramData\GridinSoft 2020-03-28 04:56 - 2020-03-28 04:57 - 001214416 _____ C:\Users\Administrator\Downloads\install-antimalware.exe 2020-03-28 04:49 - 2020-03-28 18:22 - 000000000 ____D C:\Users\Administrator\Downloads\avira_antivir_antirootkit_en 2020-03-28 04:48 - 2020-03-28 04:48 - 000089324 _____ C:\Users\Administrator\Downloads\avira_antivir_antirootkit_en.zip 2020-03-28 04:47 - 2020-03-28 04:56 - 000000000 ____D C:\ProgramData\TEMP 2020-03-28 04:47 - 2019-10-19 11:13 - 000129872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSSTDFMT.DLL 2020-03-28 04:45 - 2020-03-28 04:45 - 004354328 _____ (BrightFort LLC ) C:\Users\Administrator\Downloads\spywareblastersetup56.exe 2020-03-28 04:45 - 2020-01-30 05:30 - 000834560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll 2020-03-28 04:45 - 2020-01-30 05:23 - 001010688 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll 2020-03-28 04:30 - 2020-03-28 07:21 - 000076197 _____ C:\Windows\ZAM.krnl.trace 2020-03-28 04:26 - 2020-03-28 04:26 - 012741568 _____ (Zemana Ltd. 
) C:\Users\Administrator\Downloads\AntiMalware_Setup.exe 2020-03-28 04:13 - 2020-03-28 04:13 - 000000013 _____ C:\Users\Administrator\AppData\Local\Temp\jawshtml.html 2020-03-28 04:13 - 2020-03-28 04:13 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Sun 2020-03-28 04:12 - 2020-03-28 04:13 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\hsperfdata_administrator 2020-03-28 04:09 - 2020-03-28 04:10 - 076845600 _____ (Oracle Corporation) C:\Users\Administrator\Downloads\jre-8u241-windows-x64.exe 2020-03-28 03:54 - 2020-03-28 03:54 - 000050688 _____ (Atribune.org) C:\Users\Administrator\Downloads\ATF-Cleaner.exe 2020-03-28 02:30 - 2020-03-28 02:30 - 000000000 ____D C:\Windows\SysWOW64\ServerMigrationTools 2020-03-28 02:29 - 2020-03-28 02:29 - 000000000 ____D C:\Windows\system32\ServerMigrationTools 2020-03-27 04:34 - 2020-03-27 04:34 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{FC137322-9F52-482B-9D5C-17D4A69A3F33} 2020-03-27 04:20 - 2020-03-27 04:20 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{63959CDF-9D69-4D06-9E4D-7F40C3EF42B1} 2020-03-27 00:38 - 2020-03-27 00:39 - 000000029 _____ C:\Users\Administrator\Desktop\avira.txt 2020-03-27 00:38 - 2020-03-27 00:38 - 219655040 _____ (Avira Operations GmbH & Co. 
KG) C:\Users\Administrator\Downloads\avira_antivirus_en-us.exe 2020-03-25 15:55 - 2020-03-25 15:55 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFE94B35295AFD3FCB.TMP 2020-03-25 14:00 - 2020-03-25 14:00 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585134049-33.out 2020-03-25 14:00 - 2020-03-25 14:00 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585134030-369.out 2020-03-25 13:56 - 2020-03-25 13:56 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFBED540CDD0B98EFB.TMP 2020-03-25 11:00 - 2020-03-25 11:00 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFF93832665B2775BB.TMP 2020-03-25 11:00 - 2020-03-25 11:00 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFF4B04B19A54D0FAD.TMP 2020-03-25 06:50 - 2020-03-25 06:50 - 000018196 _____ C:\Users\Administrator\AppData\Local\Temp\~glary_lng.dat 2020-03-25 06:50 - 2020-03-25 06:50 - 000008827 _____ C:\Users\Administrator\AppData\Local\Temp\~glary_ref.dat 2020-03-25 06:50 - 2020-03-25 06:50 - 000000483 _____ C:\Users\Administrator\AppData\Local\Temp\~glaryutilities-version.dat 2020-03-25 06:46 - 2020-03-25 15:55 - 000001231 _____ C:\Users\Administrator\AppData\Local\Temp\~upgrade.dat 2020-03-25 06:46 - 2020-03-25 15:55 - 000000184 _____ C:\Users\Administrator\AppData\Local\Temp\~autoupdate.dat 2020-03-25 06:46 - 2020-03-25 06:46 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFE632DA7A359B33EA.TMP 2020-03-25 06:46 - 2020-03-25 06:46 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DF9458BBC1678115F6.TMP 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\taskshostservices.exe 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\WinmonProcessMonitor.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\winmonfs.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\winmon.sys 2020-03-25 06:45 
- 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\taskshostservices.exe 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\WinmonProcessMonitor.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\winmonfs.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\winmon.sys 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SysWOW64\SecureBootThemes 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\system32\SecureBootThemes 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SpeechsTracing 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SecureBootThemes 2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\AppDiagnostics 2020-03-25 06:44 - 2020-03-25 06:44 - 000032768 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb-shm 2020-03-25 06:44 - 2020-03-25 06:44 - 000012288 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb 2020-03-25 06:44 - 2020-03-25 06:44 - 000000000 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb-wal 2020-03-25 05:12 - 2020-03-25 06:32 - 000000000 ____D C:\KVRT_Data 2020-03-25 05:10 - 2020-03-25 05:10 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\DiskDefrag 2020-03-25 05:09 - 2020-03-25 19:10 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\GlarySoft 2020-03-25 05:09 - 2020-03-25 05:09 - 000002572 _____ C:\GUDownLoaddebug.txt 2020-03-25 05:08 - 2020-03-25 19:10 - 000000000 ____D C:\Program Files (x86)\Glarysoft 2020-03-25 05:04 - 2020-03-25 05:04 - 000079382 _____ C:\Users\Administrator\Documents\cc_20200325_050433.reg 2020-03-25 03:30 - 2020-03-25 03:30 - 022267744 _____ (Piriform Software Ltd) C:\Users\Administrator\Downloads\cctrialsetup.exe 2020-03-25 03:16 - 2020-03-25 03:16 - 006044256 _____ (Glarysoft Ltd) C:\Users\Administrator\Downloads\rrsetup.exe 2020-03-24 23:41 - 
2020-03-24 23:42 - 178138552 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT.exe 2020-03-24 22:39 - 2020-04-16 18:56 - 000153312 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys 2020-03-24 22:38 - 2020-03-24 22:38 - 000000000 ____D C:\Program Files\Malwarebytes 2020-03-24 22:36 - 2020-03-24 22:36 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DF4E8AFEE2022E9F34.TMP 2020-03-24 22:35 - 2020-04-23 07:33 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\1 2020-03-24 21:05 - 2020-03-24 21:06 - 001957784 _____ (Malwarebytes) C:\Users\Administrator\Downloads\MBSetup.exe 2020-03-24 21:01 - 2020-04-23 00:46 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\TeamViewer 2020-03-24 20:41 - 2020-03-24 20:41 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFD1AF6D49AB7E7881.TMP 2020-03-24 20:25 - 2020-03-24 20:25 - 006003272 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev135.exe 2020-03-24 19:43 - 2020-03-24 19:43 - 002526656 _____ (Kaspersky) C:\Users\Administrator\Downloads\startup.exe 2020-03-24 19:04 - 2020-03-24 19:04 - 002567616 _____ (Kaspersky) C:\Users\Administrator\Downloads\ksos20.0.14.1085abcdefghar_en_19402.exe 2020-03-24 17:45 - 2020-03-24 17:45 - 209302180 _____ C:\Users\Administrator\Documents\reg.reg 2020-03-24 17:12 - 2020-03-24 17:12 - 000000000 ____D C:\ProgramData\Google 2020-03-24 17:01 - 2020-03-24 17:01 - 015560704 _____ C:\Users\Administrator\Downloads\chromeremotedesktophost.msi 2020-03-24 17:00 - 2020-03-24 17:00 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps 2020-03-08 16:51 - 2020-04-01 02:33 - 000000000 ____D C:\Windows\system32\appmgmt 2020-03-03 22:27 - 2020-03-03 22:27 - 002007844 _____ C:\Users\Administrator\Downloads\ProcessExplorer.zip 2020-03-03 22:27 - 2020-03-03 22:27 - 000000000 ____D C:\Users\Administrator\Downloads\ProcessExplorer 2020-02-23 17:35 - 2020-02-23 17:35 - 000000000 ____D 
C:\Users\waleed\AppData\Local\Temp\mbam 2020-02-18 19:31 - 2020-04-09 10:21 - 000000000 ____D C:\Program Files (x86)\SMADAV 2020-02-18 19:31 - 2020-04-09 10:20 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Smadav 2020-02-18 19:31 - 2020-03-25 04:59 - 000000000 __SHD C:\[Smad-Cage] 2020-02-18 19:28 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134 (2).exe 2020-02-18 19:27 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134.exe 2020-02-18 19:27 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134 (1).exe 2020-02-18 19:13 - 2020-02-18 19:13 - 000014041 _____ C:\Users\Administrator\Desktop\View running processes with Task Manager - Shortcut.lnk 2020-02-17 20:57 - 2020-02-17 20:57 - 000000000 ____D C:\ProgramData\Loaris 2020-02-17 20:24 - 2020-04-18 09:31 - 000001315 _____ C:\Users\Administrator\Downloads\SpyHunter52020.zip 2020-02-17 20:24 - 2020-04-18 09:30 - 000001315 _____ C:\Users\Administrator\Downloads\SpyHunter52020 (1).zip 2020-02-17 20:11 - 2020-02-17 20:11 - 000000000 ____D C:\AdwCleaner 2020-02-17 17:36 - 2020-02-17 17:37 - 000001835 _____ C:\Users\Administrator\Desktop\kprm-20200217173629.txt 2020-02-17 17:36 - 2020-02-17 17:36 - 000000000 ____D C:\KPRM 2020-02-16 20:41 - 2020-03-31 16:24 - 000000000 ____D C:\Windows\pss 2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\Windows\system32\Drivers\etc\BACKUP 2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\ProgramData\Malwarebytes 2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\Program Files (x86)\Malwarebytes 2020-02-10 11:03 - 2020-02-10 11:03 - 000001883 _____ C:\Users\Administrator\Desktop\972341447.lnk 2020-02-09 14:52 - 2020-02-09 14:52 - 000000000 _____ C:\Windows\SysWOW64\TmpB791.tmp 2020-02-09 01:15 - 2020-04-17 05:04 - 000000079 _____ C:\Windows\system32\wpd1.xml 2020-02-09 01:15 - 2020-04-17 05:04 - 000000079 _____ 
C:\Windows\system32\wpd.xml 2020-02-08 21:16 - 2020-02-08 21:16 - 000000000 ____D C:\Windows\java 2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\Program Files\mainsoft 2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\Program Files\kugou2010 2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\download 2020-02-07 16:57 - 2020-04-15 13:21 - 000079768 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klbackupdisk.sys 2020-02-07 16:57 - 2020-02-07 16:57 - 000211048 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klwtp.sys 2020-02-07 16:57 - 2020-02-07 16:57 - 000145504 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klbackupflt.sys 2020-01-27 07:42 - 2020-01-27 07:42 - 000586496 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klgse.sys 2020-01-25 01:03 - 2020-01-25 01:03 - 000000000 ____D C:\Windows\تابعني 2020-01-25 01:03 - 2020-01-25 01:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mobily.ws 2020-01-24 04:36 - 2020-01-24 04:36 - 001163216 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys ==================== Three months (modified) ================== (If an entry is included in the fixlist, the file/folder will be moved.) 
2020-04-23 07:00 - 2015-09-04 13:01 - 000000446 _____ C:\Windows\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd}.job 2020-04-23 04:32 - 2009-07-14 07:49 - 000026000 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2020-04-23 04:32 - 2009-07-14 07:49 - 000026000 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2020-04-23 04:26 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\inetsrv 2020-04-23 04:24 - 2013-10-21 21:02 - 000000000 ____D C:\Program Files (x86)\TeamViewer 2020-04-23 04:24 - 2013-10-12 22:32 - 000005536 _____ C:\Windows\system32\config\netlogon.dnb 2020-04-23 04:24 - 2013-10-12 22:32 - 000002271 _____ C:\Windows\system32\config\netlogon.dns 2020-04-23 04:24 - 2013-10-12 22:10 - 000000000 ____D C:\Windows\system32\dns 2020-04-23 04:23 - 2013-10-12 22:12 - 000000000 ____D C:\Windows\NTDS 2020-04-23 04:23 - 2009-07-14 08:06 - 000000006 ____H C:\Windows\Tasks\SA.DAT 2020-04-19 17:46 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\NDF 2020-04-17 11:04 - 2013-10-10 11:27 - 000000000 ____D C:\Users\Administrator 2020-04-15 21:12 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\inf 2020-04-15 21:12 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\Help 2020-04-15 13:21 - 2019-03-19 02:31 - 000232344 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\kneps.sys 2020-04-15 11:58 - 2013-10-23 23:40 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Temp 2020-04-15 11:58 - 2009-09-18 04:52 - 001056362 _____ C:\Windows\system32\perfh00A.dat 2020-04-15 11:58 - 2009-09-18 04:52 - 000273364 _____ C:\Windows\system32\perfc00A.dat 2020-04-15 11:58 - 2009-09-18 04:45 - 001011720 _____ C:\Windows\system32\perfh007.dat 2020-04-15 11:58 - 2009-09-18 04:45 - 000260304 _____ C:\Windows\system32\perfc007.dat 2020-04-15 11:58 - 2009-09-18 04:39 - 001047294 _____ C:\Windows\system32\perfh010.dat 2020-04-15 11:58 - 2009-09-18 04:39 - 
000257984 _____ C:\Windows\system32\perfc010.dat 2020-04-15 11:58 - 2009-09-18 04:33 - 001057430 _____ C:\Windows\system32\perfh00C.dat 2020-04-15 11:58 - 2009-09-18 04:33 - 000262488 _____ C:\Windows\system32\perfc00C.dat 2020-04-10 23:53 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\Registration 2020-04-05 13:56 - 2013-10-10 22:26 - 000000000 ____D C:\ProgramData\Kaspersky Lab Setup Files 2020-04-05 11:29 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system 2020-04-04 14:25 - 2013-10-10 21:31 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information 2020-04-04 14:22 - 2019-10-28 18:47 - 000000000 ____D C:\Program Files\7-Zip 2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR 2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR 2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\Program Files (x86)\WinRAR 2020-04-01 02:42 - 2014-08-29 13:46 - 000000000 ____D C:\Program Files (x86)\HP 2020-04-01 02:42 - 2013-10-22 20:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP 2020-04-01 02:37 - 2013-10-26 12:30 - 000000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8 2020-04-01 02:36 - 2013-10-22 21:30 - 000000000 ____D C:\Program Files (x86)\FPSensor 2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Management Agents 2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\hp 2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\compaq 2020-04-01 02:35 - 2013-10-10 21:30 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP System Tools 2020-04-01 02:34 - 2013-10-10 21:30 - 000000000 ____D C:\Program Files\HP 2020-04-01 02:33 - 2013-10-10 11:29 - 000000000 ____D C:\Program Files (x86)\Hewlett-Packard 2020-03-28 08:47 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\rescache 
2020-03-28 06:32 - 2019-10-28 10:52 - 000000000 ____D C:\Users\Classic .NET AppPool 2020-03-28 06:32 - 2019-05-07 14:00 - 000000000 ____D C:\Users\waleed 2020-03-28 06:32 - 2014-09-10 18:05 - 000000000 ____D C:\Users\admin 2020-03-28 06:32 - 2013-11-09 21:52 - 000000000 ____D C:\Users\assist 2020-03-28 04:54 - 2013-10-11 16:14 - 000112994 __RSH C:\ProgramData\ntuser.pol 2020-03-28 04:50 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy 2020-03-28 02:45 - 2009-07-14 08:07 - 000000000 ____D C:\Windows\system32\ServerManager 2020-03-28 02:30 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\SysWOW64\migwiz 2020-03-28 02:30 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\migwiz 2020-03-25 13:58 - 2013-10-22 21:26 - 000000000 ____D C:\Program Files (x86)\Att 2020-03-25 05:03 - 2013-10-26 12:52 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\TeamViewer 2020-03-25 05:02 - 2013-10-10 22:01 - 000000000 ____D C:\Windows\Panther 2020-03-24 20:34 - 2019-11-11 18:00 - 000000000 ____D C:\Program Files (x86)\AnyDesk 2020-03-24 17:06 - 2009-07-14 08:06 - 000032548 _____ C:\Windows\Tasks\SCHEDLGU.TXT 2020-03-24 17:01 - 2015-05-20 22:08 - 000000000 ____D C:\Program Files (x86)\Google ==================== Files in the root of some directories ======== 2020-04-17 00:53 - 2020-04-17 00:33 - 000011915 _____ () C:\Users\Administrator\WMILister_20.vbs 2020-04-01 02:43 - 2020-04-01 02:44 - 000020014 _____ () C:\Users\Administrator\AppData\Local\dd_HelpSetup_UI6A84.txt 2020-02-22 19:18 - 2020-02-22 19:18 - 000007605 _____ () C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg ==================== SigCheckExt ========================= 2018-03-01 21:27 - 2016-02-10 16:33 - 000153088 _____ (CANON INC.) C:\Windows\system32\CNCENPM6.dll 2018-03-01 21:27 - 2013-01-31 21:21 - 000195584 _____ (CANON INC.) C:\Windows\system32\CNCENPR6.dll 2018-03-01 21:27 - 2013-01-31 21:21 - 000105984 _____ (CANON INC.) 
C:\Windows\system32\CNCENPU6.dll 2011-01-19 15:46 - 2011-01-19 15:46 - 000051200 _____ (Hewlett-Packard Company) C:\Windows\system32\cpqnimsg.dll 2011-03-09 03:33 - 2011-03-09 03:33 - 000164864 _____ (Hewlett-Packard Company) C:\Windows\system32\cpqstmsg.dll 2011-03-09 03:33 - 2011-03-09 03:33 - 000030720 _____ C:\Windows\system32\cqstrutl.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000051712 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbmiapi.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000052736 _____ (Hewlett-Packard Company) C:\Windows\system32\hpboid.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000012800 _____ (Hewlett-Packard Company) C:\Windows\system32\hpboidps.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000078848 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbpro.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000013312 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbprops.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000070144 _____ (Hewlett-Packard) C:\Windows\system32\HPBWSDR.DLL 2014-03-18 09:15 - 2014-03-18 09:15 - 000180736 _____ (hp) C:\Windows\system32\hplbddrv.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000067072 _____ (Hewlett-Packard) C:\Windows\system32\HPZidr12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000050688 _____ (Hewlett-Packard) C:\Windows\system32\HPZinw12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000066048 _____ (Hewlett-Packard) C:\Windows\system32\HPZipm12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000046592 _____ (Hewlett-Packard) C:\Windows\system32\HPZipr12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000038400 _____ (Hewlett-Packard) C:\Windows\system32\hpzipt12.dll 2014-04-28 05:22 - 2014-04-28 05:22 - 000024064 _____ (Hewlett-Packard) C:\Windows\system32\hpzisn12.dll 2011-03-09 17:01 - 2011-03-09 17:01 - 000069632 _____ (Compaq) C:\Windows\system32\svrclu.dll 2011-03-09 17:01 - 2011-03-09 17:01 - 000073216 _____ (Compaq) C:\Windows\system32\svrntc.dll 2013-10-22 20:52 - 2005-03-18 14:18 - 000143360 ____R (Zenographics) 
C:\Windows\apptune1020.exe 2019-06-22 18:00 - 2019-06-22 18:54 - 000796672 _____ (Qsc) C:\Windows\GPInstall.exe 2014-08-29 17:00 - 2007-02-01 15:50 - 000306688 _____ (InstallShield Software Corporation) C:\Windows\IsUninst.exe 2014-08-29 16:59 - 2009-07-27 16:50 - 000087392 _____ (Twain Working Group) C:\Windows\twain.dll 2014-08-29 16:59 - 2009-07-27 16:50 - 000077312 _____ (Twain Working Group) C:\Windows\twain_32.dll 2014-08-29 16:59 - 2009-07-27 16:50 - 000048560 _____ (Twain Working Group) C:\Windows\twunk_16.exe 2014-08-29 16:59 - 2009-07-27 16:50 - 000069632 _____ (Twain Working Group) C:\Windows\twunk_32.exe 2018-03-01 21:27 - 2016-02-10 16:33 - 000153088 _____ (CANON INC.) C:\Windows\SysWOW64\CNCENPM6.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000055296 _____ (Hewlett-Packard) C:\Windows\SysWOW64\HPZidr12.dll 2014-04-28 05:21 - 2014-04-28 05:21 - 000039424 _____ (Hewlett-Packard) C:\Windows\SysWOW64\HPZipr12.dll 2009-05-21 20:21 - 2009-05-21 20:21 - 000499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll 2014-08-29 17:01 - 2009-07-27 16:50 - 000401484 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcrtd.dll 2009-05-14 06:22 - 2009-05-14 06:22 - 000082432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml4r.dll 2020-04-05 11:27 - 2020-04-05 11:27 - 000048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\npptools.dll 2019-10-01 12:05 - 2019-10-01 12:05 - 000024576 _____ C:\Windows\SysWOW64\WebbrowsercontrolDialog.dll 2013-10-10 21:30 - 2010-08-27 09:39 - 000053248 _____ (Hewlett Packard) C:\Windows\system32\Drivers\HPTapeDriverVersion.dll 2020-03-28 06:15 - 2020-03-28 06:15 - 001447178 _____ (Igor Pavlov) C:\Users\Administrator\Downloads\7z1900-x64.exe 2020-03-28 03:54 - 2020-03-28 03:54 - 000050688 _____ (Atribune.org) C:\Users\Administrator\Downloads\ATF-Cleaner.exe 2020-04-14 02:42 - 2020-04-14 02:42 - 002281984 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe 2020-04-16 08:39 - 2020-04-16 08:39 - 000925696 _____ 
(Farbar) C:\Users\Administrator\Downloads\FSS.exe ==================== SigCheck ============================ (There is no automatic fix for files that do not pass verification.) ==================== BCD ================================ Windows Boot Manager -------------------- identifier {bootmgr} device partition=C: description Windows Boot Manager locale en-US inherit {globalsettings} default {current} resumeobject {2a977a7d-31df-11e3-8479-80c16e6fc700} displayorder {current} toolsdisplayorder {memdiag} timeout 30 Windows Boot Loader ------------------- identifier {current} device partition=C: path \Windows\system32\winload.exe description Windows Server 2008 R2 locale en-US inherit {bootloadersettings} recoverysequence {2a977a7f-31df-11e3-8479-80c16e6fc700} recoveryenabled Yes osdevice partition=C: systemroot \Windows resumeobject {2a977a7d-31df-11e3-8479-80c16e6fc700} nx OptOut safebootalternateshell No Windows Boot Loader ------------------- identifier {2a977a7f-31df-11e3-8479-80c16e6fc700} device ramdisk=[C:]\Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\Winre.wim,{2a977a80-31df-11e3-8479-80c16e6fc700} path \windows\system32\winload.exe description Windows Recovery Environment inherit {bootloadersettings} osdevice ramdisk=[C:]\Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\Winre.wim,{2a977a80-31df-11e3-8479-80c16e6fc700} systemroot \windows nx OptIn winpe Yes Resume from Hibernate --------------------- identifier {2a977a7d-31df-11e3-8479-80c16e6fc700} device partition=C: path \Windows\system32\winresume.exe description Windows Resume Application locale en-US inherit {resumeloadersettings} filedevice partition=C: filepath \hiberfil.sys debugoptionenabled No Windows Memory Tester --------------------- identifier {memdiag} device partition=C: path \boot\memtest.exe description Windows Memory Diagnostic locale en-US inherit {globalsettings} badmemoryaccess Yes EMS Settings ------------ identifier {emssettings} bootems Yes Debugger Settings ----------------- 
identifier {dbgsettings} debugtype Serial debugport 1 baudrate 115200 RAM Defects ----------- identifier {badmemory} Global Settings --------------- identifier {globalsettings} inherit {dbgsettings} {emssettings} {badmemory} Boot Loader Settings -------------------- identifier {bootloadersettings} inherit {globalsettings} {hypervisorsettings} Hypervisor Settings ------------------- identifier {hypervisorsettings} hypervisordebugtype Serial hypervisordebugport 1 hypervisorbaudrate 115200 Resume Loader Settings ---------------------- identifier {resumeloadersettings} inherit {globalsettings} Device options -------------- identifier {2a977a80-31df-11e3-8479-80c16e6fc700} description Ramdisk Options ramdisksdidevice partition=C: ramdisksdipath \Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\boot.sdi LastRegBack: 2020-04-17 00:07 ==================== End of FRST.txt ========================
  2. HKLM-x32\...\Run: [BGClients] => cmd /c start /min c:\windows\system32\wbem\123.bat
  3. I did what you told me: I uninstalled Firefox, cleaned the IE5 temp folder and blocked all websites, and it is still there. When I report the PC I made a full scan with Kaspersky Small Office Security 7, deleted everything and made a new scan with Malwarebytes, and I got this result:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/18/20
Scan Time: 7:01 PM
Log File: d8c0378e-818d-11ea-95ec-80c16e6fc701.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22632
License: Free

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: THQURAN\administrator

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 346849
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 2 hr, 31 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.Mirai.E, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BGCLIENTS, No Action By User, 6814, 427730, 1.0.22632, , ame,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
  4. That's the Malwarebytes log. Every time I restart my PC it comes back.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/17/20
Scan Time: 12:08 AM
Log File: 7c215c64-8026-11ea-8986-80c16e6fc701.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22544
License: Free

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: THQURAN\administrator

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 347047
Threats Detected: 3
Threats Quarantined: 0
Time Elapsed: 2 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 3
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:__FilterToConsumerBinding.Consumer="\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\\\.\\root\\subscription:__EventFilter.Name=\"*****youmm_filter\"", No Action By User, 14977, 621747, , , ,
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:__EventFilter.Name="*****youmm_filter", No Action By User, 14977, 621747, , , ,
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:ActiveScriptEventConsumer.Name="*****youmm_consumer", No Action By User, 14977, 621747, 1.0.22544, , ame,

(end)
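The three WMI hits in that log are the reason the BGClients Run value keeps coming back: an __EventFilter fires on a WMI event, an ActiveScriptEventConsumer runs a script in response, and the __FilterToConsumerBinding ties them together. The subscription lives in the WMI repository, not in a file or Run key, and the WMI service starts in safe mode as well, so deleting the Run value alone (or the batch file it launches) does nothing lasting. The following PowerShell script is an added example, not something posted in the thread or shipped by Malwarebytes or Farbar. It lists every filter, consumer and binding in root\subscription so the operator can read the query and the script text, and with -Remove deletes the ones matching a name fragment, then the Run value. It assumes the visible fragment "youmm_" is enough to match the filter and consumer names (the thread shows the prefix censored as *****), that the Run value is the BGClients entry under the Wow6432Node hive as the logs report, and that a folder for evidence can be created at C:\IR-evidence; all three are parameters. It uses Get-WmiObject rather than Get-CimInstance because Server 2008 R2 ships PowerShell 2.0.

```powershell
# Added example: enumerate and (with -Remove) delete WMI event-subscription
# persistence and the Run value it re-creates. Run from an elevated prompt.
# ASSUMPTIONS (not from the thread): the name fragment 'youmm_' identifies the
# filter/consumer; the Run value is BGClients under Wow6432Node; C:\IR-evidence
# is a usable evidence folder. Adjust the parameters if any of these differ.
param(
    [string]$NamePattern = 'youmm_',
    [string]$RunValue    = 'BGClients',
    [string]$RunKey      = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    [string]$Evidence    = 'C:\IR-evidence',
    [switch]$Remove
)

$ns = 'root\subscription'

function Show-Subscriptions {
    # Querying the abstract __EventConsumer class returns every concrete consumer
    # (ActiveScriptEventConsumer, CommandLineEventConsumer, ...) in the namespace.
    Write-Host '--- __EventFilter ---'
    Get-WmiObject -Namespace $ns -Class __EventFilter |
        Select-Object Name, Query | Format-List
    Write-Host '--- __EventConsumer (all subclasses) ---'
    Get-WmiObject -Namespace $ns -Class __EventConsumer |
        Select-Object Name, __CLASS, ScriptingEngine, ScriptText, CommandLineTemplate | Format-List
    Write-Host '--- __FilterToConsumerBinding ---'
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Select-Object Filter, Consumer | Format-List
}

function Remove-Subscription {
    param([string]$Pattern)
    # Bindings go first: once unbound, the consumer cannot fire again while the
    # filter and consumer objects themselves are being deleted.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match $Pattern -or $_.Consumer -match $Pattern } |
        ForEach-Object { Write-Host "Removing binding: $($_.Filter) -> $($_.Consumer)"; $_.Delete() }

    Get-WmiObject -Namespace $ns -Class __EventConsumer |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object {
            # Keep the consumer's script for analysis before it is gone.
            if ($_.ScriptText) { $_.ScriptText | Out-File (Join-Path $Evidence "$($_.Name).script.txt") }
            if ($_.CommandLineTemplate) { $_.CommandLineTemplate | Out-File (Join-Path $Evidence "$($_.Name).cmdline.txt") }
            Write-Host "Removing consumer: $($_.Name)"; $_.Delete()
        }

    Get-WmiObject -Namespace $ns -Class __EventFilter |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object { Write-Host "Removing filter: $($_.Name)"; $_.Delete() }
}

function Remove-RunValue {
    $item = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($item) {
        # Record the command line (the batch file it points at is the next thing to collect).
        "$RunKey\$RunValue = $($item.$RunValue)" | Out-File (Join-Path $Evidence 'run-value.txt') -Append
        Remove-ItemProperty -Path $RunKey -Name $RunValue
        Write-Host "Removed $RunKey\$RunValue"
    } else {
        Write-Host "$RunValue not present under $RunKey"
    }
}

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
Show-Subscriptions

if ($Remove) {
    Remove-Subscription -Pattern $NamePattern
    Remove-RunValue
    # scrcons.exe hosts ActiveScriptEventConsumer scripts; stop it so an already
    # running instance cannot re-create the Run value before the next reboot.
    Get-Process scrcons -ErrorAction SilentlyContinue | Stop-Process -Force
    Write-Host '--- after removal ---'
    Show-Subscriptions
}
```

Run it once without -Remove to see what the subscription does, then with -Remove, then reboot and run it again to confirm nothing matching is recreated. Two caveats a practitioner would want. First, this clears only the persistence visible in the logs; the FRST scan on this same server also shows hidden system files and drivers with the _RSHD attributes dropped into System32 and SysWOW64 on 2020-03-25, and those are not touched here. Second, the FRST output shows C:\Windows\NTDS and C:\Windows\system32\dns, so this is a domain controller, and a domain controller that has been running attacker scripts as SYSTEM should be rebuilt and its domain credentials rotated rather than scrubbed in place.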
  5. Yes it is, but after I restart my PC it is back again, even if I use safe mode.
  6. Farbar Service Scanner Version: 14-12-2019
Ran by administrator (administrator) on 16-04-2020 at 08:40:12
Running from "C:\Users\Administrator\Downloads"
Microsoft Windows Server 2008 R2 Standard Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:
==========================

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
ATTENTION!=====> C:\Windows\System32\SDRSVC.dll FILE IS MISSING.
C:\Windows\System32\vssvc.exe => File is digitally signed
ATTENTION!=====> C:\Windows\System32\wscsvc.dll FILE IS MISSING.
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING.
ATTENTION!=====> C:\Program Files\Windows Defender\MsMpEng.exe FILE IS MISSING.
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****
  7. Hi, did you mean the last Fixlist.txt that you sent me before?
  8. RogueKiller Anti-Malware V14.4.0.0 (x64) [Apr 1 2020] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : administrator [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200414_084954, Driver : Loaded
Mode : Standard Scan, Delete -- Date : 2020/04/15 21:12:47 (Duration : 00:08:06)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.WiperSoft (Potentially Malicious)] HKEY_USERS\S-1-5-21-3197573395-1757021686-3003070210-500\Software\WiperSoft -- -> Deleted
[Tr.Gen (Malicious)] get.exe [PPLive Corporation] -- %SystemRoot%\Help\get.exe -> Deleted
[Miner.Gen (Malicious)] aspnet -- %SystemRoot%\inf\aspnet -> Deleted
[Tr.Chapak (Malicious)] rss -- %SystemRoot%\rss -> Deleted
  => Protection Dir -- C:\Windows\rss\csrss.exe\PROTEC~1 [1]
  => csrss.exe -- C:\Windows\rss\csrss.exe [1]
[PUP.EpicNet (Potentially Malicious)] EpicNet Inc -- %localappdata%\EpicNet Inc -> Deleted
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet\cloudnet.exe\PROTEC~1 [1]
  => cloudnet.exe -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet\cloudnet.exe [1]
  => CloudNet -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet [1]
[Tr.Gen (Malicious)] csrss -- %localappdata%\Temp\csrss -> Deleted
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\al.exe\PROTEC~1 [1]
  => al.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\al.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\cloudnet.exe\PROTEC~1 [1]
  => cloudnet.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\cloudnet.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd\i2pd.exe\PROTEC~1 [1]
  => i2pd.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd\i2pd.exe [1]
  => i2pd -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\lsa64.exe\PROTEC~1 [1]
  => lsa64.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\lsa64.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\LSA64I~1.EXE\PROTEC~1 [1]
  => lsa64install_in.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\LSA64I~1.EXE [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\mrt.exe\PROTEC~1 [1]
  => mrt.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\mrt.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\OBFS4P~1.EXE\PROTEC~1 [1]
  => obfs4proxy.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\OBFS4P~1.EXE [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor\tor.exe\PROTEC~1 [1]
  => tor.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor\tor.exe [1]
  => Tor -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\tor.exe\PROTEC~1 [1]
  => tor.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\tor.exe [1]
  => proxy -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\SCHEDU~1.EXE\PROTEC~1 [1]
  => scheduled.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\SCHEDU~1.EXE [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb\e7.exe\PROTEC~1 [1]
  => e7.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb\e7.exe [1]
  => smb -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\vc.exe\PROTEC~1 [1]
  => vc.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\vc.exe [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~1.EXE\PROTEC~1 [1]
  => winboxls-1008-2.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~1.EXE [1]
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~2.EXE\PROTEC~1 [1]
  => winboxscan-1003-2.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~2.EXE [1]
[Miner.Gen (Malicious)] wup -- %localappdata%\Temp\wup -> Deleted
  => Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\wup\wup.exe\PROTEC~1 [1]
  => wup.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\wup\wup.exe [1]
  9. I got 3 files after I made a full scan again. I attach them: Addition.txt, FRST.txt, Shortcut.txt
  10. Thank you for helping me. The problem is still there.

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-04-2020
Ran by administrator (15-04-2020 11:57:33) Run:1
Running from C:\Users\Administrator\Downloads
Loaded Profiles: administrator & SQLAgent$SMACC & MSSQL$SMACC (Available Profiles: admin & assist & waleed & administrator & SQLAgent$SMACC & MSSQL$SMACC & Classic .NET AppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk [2019-11-11]
ShortcutTarget: AnyDesk.lnk -> C:\Program Files (x86)\AnyDesk\AnyDesk.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {31352DAD-4920-4B3E-8AFD-4E370CB15EC2} - \Mysa1 -> No File <==== ATTENTION
Task: {8500F974-F490-41F1-A9B2-CFF2835BC708} - \ok -> No File <==== ATTENTION
Task: {F333B8C7-0A7E-4FC6-9BB3-951DDB53640F} - \Mysa3 -> No File <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{d8d24426-dbe6-434c-9a13-5b28f765ae01} <==== ATTENTION (Restriction - IP)
S1 amsdk; \??\C:\Windows\system32\drivers\amsdk.sys [X]
S3 dpK00701; system32\DRIVERS\dpK00701.sys [X]
S3 usbdpfp; system32\DRIVERS\usbdpfp.sys [X]
ContextMenuHandlers1-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
ContextMenuHandlers2-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
ContextMenuHandlers6-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"coronav2\"",Filter="__EventFilter.Name=\"coronav\"::
WMI:subscription\__FilterToConsumerBinding->\\.\root\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"*****youmm_filter\":: <==== ATTENTION
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"*****amm4\"",Filter="__EventFilter.Name=\"*****amm3\":: <==== ATTENTION
WMI:subscription\__TimerInstruction->*****youmm_itimer:: <==== ATTENTION
WMI:subscription\__IntervalTimerInstruction->*****youmm_itimer:: <==== ATTENTION
WMI:subscription\__EventFilter->*****amm3::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 180 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'] <==== ATTENTION
WMI:subscription\__EventFilter->*****youmm_filter::[Query => select * from __timerevent where timerid="*****youmm_itimer"] <==== ATTENTION
WMI:subscription\__EventFilter->coronav::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 10900 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System']
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [143]
FirewallRules: [DNSSrv-UDP-Out] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-TCP-Out] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-RPC-TCP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-DNS-UDP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-DNS-TCP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [NTFRS-NTFRSSvc-In-TCP] => (Allow) %SystemRoot%\system32\NTFRS.exe No File
FirewallRules: [DFSR-DFSRSvc-In-TCP] => (Allow) %SystemRoot%\system32\dfsrs.exe No File
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [WindowsServerBackup-wbengine-In-TCP-NoScope] => (Allow) %systemroot%\system32\wbengine.exe No File
FirewallRules: [{ADFED997-72A1-4BB8-8A5C-0008FEED40DD}] => (Allow) C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe No File
ATTENTION: System Restore is disabled (Total:279.55 GB) (Free:126.44 GB) (45%)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\mssecsvc.exe
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Users\Administrator\AppData\Local\Temp\explorer.exe
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\EpicNet Inc
CMD: "%WINDIR%\SYSTEM32\lodctr.exe" /R
CMD: "%WINDIR%\SysWOW64\lodctr.exe" /R
CMD: C:\Windows\SYSTEM32\lodctr.exe" /R
CMD: C:\Windows\SysWOW64\lodctr.exe" /R
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:
*****************

SystemRestore: On => Error
Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisallowRun" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\1" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\2" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\3" => removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk => moved successfully
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" => not found
HKLM\SOFTWARE\Policies\Google => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{31352DAD-4920-4B3E-8AFD-4E370CB15EC2}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31352DAD-4920-4B3E-8AFD-4E370CB15EC2}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mysa1" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{8500F974-F490-41F1-A9B2-CFF2835BC708}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8500F974-F490-41F1-A9B2-CFF2835BC708}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ok" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{F333B8C7-0A7E-4FC6-9BB3-951DDB53640F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F333B8C7-0A7E-4FC6-9BB3-951DDB53640F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mysa3" => not found
"HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\\ActivePolicy" => removed successfully
HKLM\System\CurrentControlSet\Services\amsdk => removed successfully
amsdk => service removed successfully
HKLM\System\CurrentControlSet\Services\dpK00701 => removed successfully
dpK00701 => service removed successfully
HKLM\System\CurrentControlSet\Services\usbdpfp => removed successfully
usbdpfp => service removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7} => removed successfully
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
"CommandLineEventConsumer.Name=\"coronav2\"",Filter="__EventFilter.Name=\"coronav\"" => removed successfully
"\\.\root\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"*****youmm_filter\"" => removed successfully
"CommandLineEventConsumer.Name=\"*****amm4\"",Filter="__EventFilter.Name=\"*****amm3\"" => removed successfully
"*****youmm_itimer" => removed successfully
"*****youmm_itimer" => not found
"*****amm3" => removed successfully
"*****youmm_filter" => removed successfully
"coronav" => removed successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-UDP-Out" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-TCP-Out" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-RPC-TCP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-DNS-UDP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-DNS-TCP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\NTFRS-NTFRSSvc-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DFSR-DFSRSvc-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SPPSVC-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\WindowsServerBackup-wbengine-In-TCP-NoScope" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ADFED997-72A1-4BB8-8A5C-0008FEED40DD}" => removed successfully
ATTENTION: System Restore is disabled (Total:279.55 GB) (Free:126.44 GB) (45%) => Error: No automatic fix found for this entry.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk" => not found
C:\Windows\mssecsvc.exe => moved successfully
C:\Users\Administrator\AppData\Local\Temp\explorer.exe => moved successfully
C:\Users\Administrator\AppData\Roaming\EpicNet Inc => moved successfully

========= "%WINDIR%\SYSTEM32\lodctr.exe" /R =========

Info: Successfully rebuilt performance counter setting from system backup store

========= End of CMD: =========

========= "%WINDIR%\SysWOW64\lodctr.exe" /R =========

Info: Successfully rebuilt performance counter setting from system backup store

========= End of CMD: =========

========= C:\Windows\SYSTEM32\lodctr.exe" /R =========

========= End of CMD: =========

========= C:\Windows\SysWOW64\lodctr.exe" /R =========

========= End of CMD: =========

========= netsh int ip reset =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Restart the computer to complete this action.

========= End of CMD: =========

========= ipconfig /flushDNS =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 2109189 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 4514507 B
Edge => 0 B
Chrome => 0 B
Firefox => 228216281 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33661 B
systemprofile32 => 66847 B
LocalService => 66847 B
NetworkService => 66847 B
admin => 126106 B
assist => 134394 B
waleed => 155932 B
Administrator => 272791645 B
SQLAgent$SMACC => 272791645 B
MSSQL$SMACC => 272791645 B
Classic .NET AppPool => 272791645 B

RecycleBin => 0 B
EmptyTemp: => 1.2 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 11:58:41 ====
  11. I attached FRST.txt and Addition.txt.
  12. Hi, I have the same problem as this guy on our server. I tried to download fixlist.txt but I can't. Can someone please help me to get that file? Thank you.