
Bitcoin miner keeps reappearing after Reboot



Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.


Thank you for helping me. The problem is still there.


Fix result of Farbar Recovery Scan Tool (x64) Version: 13-04-2020
Ran by administrator (15-04-2020 11:57:33) Run:1
Running from C:\Users\Administrator\Downloads
Loaded Profiles: administrator & SQLAgent$SMACC & MSSQL$SMACC (Available Profiles: admin & assist & waleed & administrator & SQLAgent$SMACC & MSSQL$SMACC & Classic .NET AppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk [2019-11-11]
ShortcutTarget: AnyDesk.lnk -> C:\Program Files (x86)\AnyDesk\AnyDesk.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {31352DAD-4920-4B3E-8AFD-4E370CB15EC2} - \Mysa1 -> No File <==== ATTENTION
Task: {8500F974-F490-41F1-A9B2-CFF2835BC708} - \ok -> No File <==== ATTENTION
Task: {F333B8C7-0A7E-4FC6-9BB3-951DDB53640F} - \Mysa3 -> No File <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{d8d24426-dbe6-434c-9a13-5b28f765ae01} <==== ATTENTION (Restriction - IP)
S1 amsdk; \??\C:\Windows\system32\drivers\amsdk.sys [X]
S3 dpK00701; system32\DRIVERS\dpK00701.sys [X]
S3 usbdpfp; system32\DRIVERS\usbdpfp.sys [X]
ContextMenuHandlers1-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
ContextMenuHandlers2-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
ContextMenuHandlers6-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\ContextHandler.dll -> No File
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"coronav2\"",Filter="__EventFilter.Name=\"coronav\"::
WMI:subscription\__FilterToConsumerBinding->\\.\root\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"*****youmm_filter\":: <==== ATTENTION
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"*****amm4\"",Filter="__EventFilter.Name=\"*****amm3\":: <==== ATTENTION
WMI:subscription\__TimerInstruction->*****youmm_itimer:: <==== ATTENTION
WMI:subscription\__IntervalTimerInstruction->*****youmm_itimer:: <==== ATTENTION
WMI:subscription\__EventFilter->*****amm3::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 180 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'] <==== ATTENTION
WMI:subscription\__EventFilter->*****youmm_filter::[Query => select * from __timerevent where timerid="*****youmm_itimer"] <==== ATTENTION
WMI:subscription\__EventFilter->coronav::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 10900 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System']
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [143]
FirewallRules: [DNSSrv-UDP-Out] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-TCP-Out] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-RPC-TCP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-DNS-UDP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [DNSSrv-DNS-TCP-In] => (Allow) %systemroot%\System32\dns.exe No File
FirewallRules: [NTFRS-NTFRSSvc-In-TCP] => (Allow) %SystemRoot%\system32\NTFRS.exe No File
FirewallRules: [DFSR-DFSRSvc-In-TCP] => (Allow) %SystemRoot%\system32\dfsrs.exe No File
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe No File
FirewallRules: [WindowsServerBackup-wbengine-In-TCP-NoScope] => (Allow) %systemroot%\system32\wbengine.exe No File
FirewallRules: [{ADFED997-72A1-4BB8-8A5C-0008FEED40DD}] => (Allow) C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe No File
ATTENTION: System Restore is disabled (Total:279.55 GB) (Free:126.44 GB) (45%)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\mssecsvc.exe
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Users\Administrator\AppData\Local\Temp\explorer.exe
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\EpicNet Inc
CMD: "%WINDIR%\SYSTEM32\lodctr.exe" /R
CMD: "%WINDIR%\SysWOW64\lodctr.exe" /R
CMD:  C:\Windows\SYSTEM32\lodctr.exe" /R
CMD:  C:\Windows\SysWOW64\lodctr.exe" /R
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:

*****************

SystemRestore: On => Error
Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisallowRun" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\1" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\2" => removed successfully
"HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\3" => removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk => moved successfully
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" => not found
HKLM\SOFTWARE\Policies\Google => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{31352DAD-4920-4B3E-8AFD-4E370CB15EC2}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31352DAD-4920-4B3E-8AFD-4E370CB15EC2}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mysa1" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{8500F974-F490-41F1-A9B2-CFF2835BC708}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8500F974-F490-41F1-A9B2-CFF2835BC708}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ok" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{F333B8C7-0A7E-4FC6-9BB3-951DDB53640F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F333B8C7-0A7E-4FC6-9BB3-951DDB53640F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mysa3" => not found
"HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\\ActivePolicy" => removed successfully
HKLM\System\CurrentControlSet\Services\amsdk => removed successfully
amsdk => service removed successfully
HKLM\System\CurrentControlSet\Services\dpK00701 => removed successfully
dpK00701 => service removed successfully
HKLM\System\CurrentControlSet\Services\usbdpfp => removed successfully
usbdpfp => service removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{B3C418F8-922B-4faf-915E-59BC14448CF7} => removed successfully
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\Glary Utilities => removed successfully
"CommandLineEventConsumer.Name=\"coronav2\"",Filter="__EventFilter.Name=\"coronav\"" => removed successfully
"\\.\root\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"*****youmm_filter\"" => removed successfully
"CommandLineEventConsumer.Name=\"*****amm4\"",Filter="__EventFilter.Name=\"*****amm3\"" => removed successfully
"*****youmm_itimer" => removed successfully
"*****youmm_itimer" => not found
"*****amm3" => removed successfully
"*****youmm_filter" => removed successfully
"coronav" => removed successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-UDP-Out" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-TCP-Out" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-RPC-TCP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-DNS-UDP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DNSSrv-DNS-TCP-In" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\NTFRS-NTFRSSvc-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\DFSR-DFSRSvc-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SPPSVC-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\WindowsServerBackup-wbengine-In-TCP-NoScope" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ADFED997-72A1-4BB8-8A5C-0008FEED40DD}" => removed successfully
ATTENTION: System Restore is disabled (Total:279.55 GB) (Free:126.44 GB) (45%) => Error: No automatic fix found for this entry.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk" => not found
C:\Windows\mssecsvc.exe => moved successfully
C:\Users\Administrator\AppData\Local\Temp\explorer.exe => moved successfully
C:\Users\Administrator\AppData\Roaming\EpicNet Inc => moved successfully

========= "%WINDIR%\SYSTEM32\lodctr.exe" /R =========


Info: Successfully rebuilt performance counter setting from system backup store
========= End of CMD: =========


========= "%WINDIR%\SysWOW64\lodctr.exe" /R =========


Info: Successfully rebuilt performance counter setting from system backup store
========= End of CMD: =========


========= C:\Windows\SYSTEM32\lodctr.exe" /R =========


========= End of CMD: =========


========= C:\Windows\SysWOW64\lodctr.exe" /R =========


========= End of CMD: =========


========= netsh int ip reset =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 2109189 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 4514507 B
Edge => 0 B
Chrome => 0 B
Firefox => 228216281 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33661 B
systemprofile32 => 66847 B
LocalService => 66847 B
NetworkService => 66847 B
admin => 126106 B
assist => 134394 B
waleed => 155932 B
Administrator => 272791645 B
SQLAgent$SMACC => 272791645 B
MSSQL$SMACC => 272791645 B
Classic .NET AppPool => 272791645 B

RecycleBin => 0 B
EmptyTemp: => 1.2 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:58:41 ====

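The WMI lines in the fixlist above (the __EventFilter, __FilterToConsumerBinding and __TimerInstruction entries under root\subscription) are the permanent event subscriptions that re-launch the miner after every reboot. The following read-only audit is an added example, not code from this thread, from Farbar or from Malwarebytes; it assumes an elevated PowerShell prompt and uses only Get-WmiObject so it also runs on the PowerShell 2.0 that ships with Server 2008 R2, and the query fragments it flags are taken from the filter queries shown in the fixlist.

```powershell
# Added example (not from the thread): audit permanent WMI event subscriptions
# in root\subscription and flag the patterns seen in the fixlist above.
# It only reports; removal is left to the tools the helper prescribes.

$Namespace = 'root\subscription'

# Fragments copied from the filter queries the fixlist removed.
$SuspiciousQueryPatterns = @(
    'Win32_PerfFormattedData_PerfOS_System',  # perf-counter class polled as a trigger
    '__TimerEvent'                            # timer-driven trigger (the *_itimer entries)
)

# Pull the instance name out of a WMI reference such as
#   \\.\root\subscription:__EventFilter.Name="coronav"
# or the relative form  CommandLineEventConsumer.Name="coronav2"
function Get-RefName([string]$Ref) {
    $m = [regex]::Match($Ref, 'Name="([^"]+)"')
    if ($m.Success) { $m.Groups[1].Value } else { $Ref }
}

function Get-WmiPersistence {
    $filters   = @(Get-WmiObject -Namespace $Namespace -Class __EventFilter -ErrorAction SilentlyContinue)
    # __EventConsumer is the base class; this also returns CommandLineEventConsumer
    # and ActiveScriptEventConsumer instances, the two types seen in the fixlist.
    $consumers = @(Get-WmiObject -Namespace $Namespace -Class __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # What the consumer runs when the filter fires: a command line or a script.
        $payload = ''
        if ($consumer) {
            if ($consumer.__CLASS -eq 'CommandLineEventConsumer') {
                $payload = $consumer.CommandLineTemplate
            } elseif ($consumer.__CLASS -eq 'ActiveScriptEventConsumer') {
                $payload = if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
            }
        }

        $query   = if ($filter) { $filter.Query } else { '<filter missing>' }
        $reasons = @()
        foreach ($p in $SuspiciousQueryPatterns) {
            if ($query -match [regex]::Escape($p)) { $reasons += "query polls $p" }
        }
        if ($consumer -and $consumer.__CLASS -match 'CommandLine|ActiveScript') {
            $reasons += "consumer executes code ($($consumer.__CLASS))"
        }
        if (-not $filter -or -not $consumer) { $reasons += 'dangling binding' }

        New-Object PSObject -Property @{
            Filter     = $filterName
            Consumer   = $consumerName
            Query      = $query
            Payload    = $payload
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Timer instructions are what make a "__TimerEvent ... timerid=..." filter fire;
# list them so the whole chain (timer -> filter -> consumer) is visible.
function Get-WmiTimers {
    Get-WmiObject -Namespace $Namespace -Class __TimerInstruction -ErrorAction SilentlyContinue |
        Select-Object TimerId, __CLASS, IntervalBetweenEvents, EventDateTime
}

$findings = @(Get-WmiPersistence)
if ($findings.Count -eq 0) {
    Write-Host "No permanent WMI subscriptions found in $Namespace"
} else {
    # Some management software registers legitimate consumers; review each hit
    # by its Payload before acting on it.
    $findings | Format-List Filter, Consumer, Query, Payload, Suspicious, Reasons
}
Get-WmiTimers | Format-Table -AutoSize
```

Running it after a cleanup and again after a reboot shows whether anything has re-registered a binding, which is the check this thread keeps circling back to.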

Hi,

This was a bad infection; there may still be some remnant items to look for.

Can you please run the Farbar program one more time and attach fresh FRST.txt and Addition.txt logs for my review.

I also would like you to run this program and attach the log.

--RogueKiller--

  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======


RogueKiller Anti-Malware V14.4.0.0 (x64) [Apr  1 2020] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : administrator [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200414_084954, Driver : Loaded
Mode : Standard Scan, Delete -- Date : 2020/04/15 21:12:47 (Duration : 00:08:06)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.WiperSoft (Potentially Malicious)] HKEY_USERS\S-1-5-21-3197573395-1757021686-3003070210-500\Software\WiperSoft --  -> Deleted
[Tr.Gen (Malicious)] get.exe [PPLive Corporation] -- %SystemRoot%\Help\get.exe -> Deleted
[Miner.Gen (Malicious)] aspnet -- %SystemRoot%\inf\aspnet -> Deleted
[Tr.Chapak (Malicious)] rss -- %SystemRoot%\rss -> Deleted
=> Protection Dir -- C:\Windows\rss\csrss.exe\PROTEC~1 [1]
=> csrss.exe -- C:\Windows\rss\csrss.exe [1]
[PUP.EpicNet (Potentially Malicious)] EpicNet Inc -- %localappdata%\EpicNet Inc -> Deleted
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet\cloudnet.exe\PROTEC~1 [1]
=> cloudnet.exe -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet\cloudnet.exe [1]
=> CloudNet -- C:\Users\ADMINI~1\AppData\Local\EPICNE~1\CloudNet [1]
[Tr.Gen (Malicious)] csrss -- %localappdata%\Temp\csrss -> Deleted
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\al.exe\PROTEC~1 [1]
=> al.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\al.exe [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\cloudnet.exe\PROTEC~1 [1]
=> cloudnet.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\cloudnet.exe [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd\i2pd.exe\PROTEC~1 [1]
=> i2pd.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd\i2pd.exe [1]
=> i2pd -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\i2pd [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\lsa64.exe\PROTEC~1 [1]
=> lsa64.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\lsa64.exe [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\LSA64I~1.EXE\PROTEC~1 [1]
=> lsa64install_in.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\LSA64I~1.EXE [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\mrt.exe\PROTEC~1 [1]
=> mrt.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\mrt.exe [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\OBFS4P~1.EXE\PROTEC~1 [1]
=> obfs4proxy.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\OBFS4P~1.EXE [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor\tor.exe\PROTEC~1 [1]
=> tor.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor\tor.exe [1]
=> Tor -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\Tor [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\tor.exe\PROTEC~1 [1]
=> tor.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy\tor.exe [1]
=> proxy -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\proxy [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\SCHEDU~1.EXE\PROTEC~1 [1]
=> scheduled.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\SCHEDU~1.EXE [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb\e7.exe\PROTEC~1 [1]
=> e7.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb\e7.exe [1]
=> smb -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\smb [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\vc.exe\PROTEC~1 [1]
=> vc.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\vc.exe [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~1.EXE\PROTEC~1 [1]
=> winboxls-1008-2.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~1.EXE [1]
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~2.EXE\PROTEC~1 [1]
=> winboxscan-1003-2.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\csrss\WINBOX~2.EXE [1]
[Miner.Gen (Malicious)] wup -- %localappdata%\Temp\wup -> Deleted
=> Protection Dir -- C:\Users\ADMINI~1\AppData\Local\Temp\wup\wup.exe\PROTEC~1 [1]
=> wup.exe -- C:\Users\ADMINI~1\AppData\Local\Temp\wup\wup.exe [1]


Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and save it to your Desktop.
If using Windows 7 or above, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
  
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

If the problem is not solved run the Farbar program and post fresh logs.
I do not need to see the Shortcut.txt log.


Farbar Service Scanner Version: 14-12-2019
Ran by administrator (administrator) on 16-04-2020 at 08:40:12
Running from "C:\Users\Administrator\Downloads"
Microsoft Windows Server 2008 R2 Standard  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

ATTENTION!=====> C:\Windows\System32\SDRSVC.dll FILE IS MISSING.

C:\Windows\System32\vssvc.exe => File is digitally signed

ATTENTION!=====> C:\Windows\System32\wscsvc.dll FILE IS MISSING.

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING.


ATTENTION!=====> C:\Program Files\Windows Defender\MsMpEng.exe FILE IS MISSING.

C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****


Hi,

I have been informed that Malwarebytes has been updated to remove the WMI bitcoin malware.

Please update MBAM and remove all entries found.

If any problem remains, run the Farbar program and attach fresh logs.

Run the Farbar Service scan and post the fresh FSS.txt log as well.


That's the Malwarebytes log. Every time I restart my PC it comes back.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/17/20
Scan Time: 12:08 AM
Log File: 7c215c64-8026-11ea-8986-80c16e6fc701.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22544
License: Free

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: THQURAN\administrator

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 347047
Threats Detected: 3
Threats Quarantined: 0
Time Elapsed: 2 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 3
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:__FilterToConsumerBinding.Consumer="\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\"*****youmm_consumer\"",Filter="\\\\.\\root\\subscription:__EventFilter.Name=\"*****youmm_filter\"", No Action By User, 14977, 621747, , , ,
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:__EventFilter.Name="*****youmm_filter", No Action By User, 14977, 621747, , , ,
Hijack.BitCoinMiner.WMI, \\ALHAZM-SERVER\ROOT\subscription:ActiveScriptEventConsumer.Name="*****youmm_consumer", No Action By User, 14977, 621747, 1.0.22544, , ame,


(end)


Hi,

If the problem persists and you are syncing Firefox with other devices, reset it.

Navigate to this page and Remove it as suggested.

https://support.mozilla.org/en-US/kb/remove-synced-device-firefox-accounts

When done restart the computer normally.

If all is well, return to your Firefox Account and click the Connect button.

Reset the sync.

Restart the computer normally.
<<<>>>

Other link.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.
<<<>>>

Let me know if the problem is solved.

I did what you told me: I uninstalled Firefox, cleaned the IE5 temp, blocked all websites, and it is still there when I reboot the PC.

I made a full scan with Kaspersky Small Office Security 7, deleted everything, and then made a new scan with Malwarebytes and got this result:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/18/20
Scan Time: 7:01 PM
Log File: d8c0378e-818d-11ea-95ec-80c16e6fc701.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22632
License: Free

-System Information-
OS: Windows Server 2008 R2 Service Pack 1
CPU: x64
File System: NTFS
User: THQURAN\administrator

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 346849
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 2 hr, 31 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.Mirai.E, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BGCLIENTS, No Action By User, 6814, 427730, 1.0.22632, , ame,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


Hi.

It looks like this is a remnant entry.

Let's have a look at that key in the Registry.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BGCLIENTS

Run the Farbar program.
In the Search text area, copy and paste the following:
BGCLIENTS
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-04-2020
Ran by administrator (administrator) on ALHAZM-SERVER (HP ProLiant ML350 G6) (23-04-2020 07:32:30)
Running from C:\Users\Administrator\Downloads
Loaded Profiles: administrator & SQLAgent$SMACC & MSSQL$SMACC (Available Profiles: admin & assist & waleed & administrator & SQLAgent$SMACC & MSSQL$SMACC & Classic .NET AppPool)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Kaspersky Lab -> AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avp.exe
(Kaspersky Lab -> AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avpui.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\SQLAGENT.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dns.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\iashost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ntfrs.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\snmp.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\vds.exe
(Oracle America, Inc. -> Dyn) C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe <2>
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [BGClients] => cmd /c start /min c:\windows\system32\wbem\123.bat
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042615463\Software\Policies\...\system: [DisableCMD] 0
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042621524\Software\Policies\...\system: [DisableCMD] 0
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\...\MountPoints2: {c2f48e3b-fc03-11e9-a3ac-80c16e6fc701} - V:\SETUP.EXE
HKU\S-1-5-21-3197573395-1757021686-3003070210-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042617391\...\MountPoints2: {c2f48e3b-fc03-11e9-a3ac-80c16e6fc701} - V:\SETUP.EXE
HKU\S-1-5-18\Software\Policies\...\system: [DisableCMD] 0
HKLM\Software\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
Lsa: [Notification Packages] scecli rassfm
SecurityProviders: credssp.dll, pwdssp.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dyn Updater.lnk [2020-02-22]
ShortcutTarget: Dyn Updater.lnk -> C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe (Oracle America, Inc. -> Dyn)
GroupPolicy: Restriction - Chrome <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {37B67E42-00DF-4EF1-91AA-D5235AAD73EC} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3197573395-1757021686-3003070210-500UA => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {5154FC59-7A38-4C86-BCCA-D3FAD3FFE6A7} - System32\Tasks\scan
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [152064 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [252416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
Task: {7561FAEF-ECD8-4D1A-A821-F10235970ECB} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3197573395-1757021686-3003070210-500Core => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {79B41E33-6C7B-4A20-8D5D-302D882E8656} - System32\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd} => C:\Windows\system32\vssadmin.exe [167424 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {80D49221-8D14-4B59-976C-BA89353DDF4A} - System32\Tasks\{3BFA57ED-F022-4DC4-BAE6-67F562BB2F4C} => E:\Printers\Canon printer\UFRII\us_eng\32BIT\Setup.exe
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [39424 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [252416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd}.job => C:\Windows\system32\vssadmin.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{5A48297C-0B36-4338-B03E-488DF99129B3}: [NameServer] 192.168.1.1
Tcpip\..\Interfaces\{C7F984C1-07CE-49C7-AA72-7E07374C778E}: [NameServer] 216.146.35.35,216.146.36.36,,8.8.8.8
HKLM\System\...\Parameters\PersistentRoutes: [0.0.0.0,0.0.0.0,192.168.1.1,-1]

Internet Explorer:
==================
HKU\S-1-5-21-3197573395-1757021686-3003070210-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
HKU\S-1-5-21-3197573395-1757021686-3003070210-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04232020042617391\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
Handler-x32: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll [2005-09-23] (Microsoft Corporation) [File not signed]

FireFox:
========
FF DefaultProfile: 4uh09obj.default
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\4uh09obj.default [2020-04-15]
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\bk0mgr8c.default-release [2020-04-18]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\kl_prefs_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.js [2020-04-01] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files\mozilla firefox\kl_config_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.cfg [2020-04-01] <==== ATTENTION

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [487424 2013-01-25] (Microsoft Windows -> Microsoft Corporation)
R2 AVP20.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\avp.exe [357416 2019-03-21] (Kaspersky Lab -> AO Kaspersky Lab)
R2 Dfs; C:\Windows\system32\dfssvc.exe [377344 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [4518400 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [700928 2019-04-11] (Microsoft Windows -> Microsoft Corporation)
R2 DynUpdater; C:\Program Files (x86)\Dyn\Updater\dyn_updater.exe [1646784 2019-04-24] (Oracle America, Inc. -> Dyn)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 IsmServ; C:\Windows\System32\ismserv.exe [59392 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 kdc; C:\Windows\System32\lsass.exe [30720 2020-01-03] (Microsoft Windows -> Microsoft Corporation)
S3 klvssbridge64_20.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\x64\vssbridge64.exe [438928 2019-03-21] (Kaspersky Lab -> AO Kaspersky Lab)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [6933272 2020-04-16] (Malwarebytes Inc -> Malwarebytes)
R2 msftesql; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [95592 2007-06-22] (Microsoft Corporation -> Microsoft Corporation)
R2 MSSQL$SMACC; C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\sqlservr.exe [372512 2018-09-07] (Microsoft Corporation -> Microsoft Corporation)
R2 MSSQLSERVER; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29263712 2008-11-24] (Microsoft Corporation -> Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2014-04-28] (Hewlett-Packard) [File not signed]
R2 NTDS; C:\Windows\System32\lsass.exe [30720 2020-01-03] (Microsoft Windows -> Microsoft Corporation)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [1020416 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2014-04-28] (Hewlett-Packard) [File not signed]
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [47616 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R2 SQLAgent$SMACC; C:\Program Files\Microsoft SQL Server\MSSQL12.SMACC\MSSQL\Binn\SQLAGENT.EXE [613152 2018-09-07] (Microsoft Corporation -> Microsoft Corporation)
R2 SQLSERVERAGENT; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [346976 2008-11-24] (Microsoft Corporation -> Microsoft Corporation)
S4 sysdown; C:\Windows\system32\sysdown.exe [18784 2011-02-17] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [13216784 2020-04-09] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-14] (Microsoft Windows -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 Achernar; C:\Windows\System32\Drivers\Achernar.sys [33592 2014-08-29] (An Chen Computer Co., Ltd. -> NewSoft Technology Corporation)
R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [2210816 2009-06-24] (Microsoft Windows Hardware Compatibility Publisher -> ATI Technologies Inc.)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [246912 2019-02-16] (Kaspersky Lab -> AO Kaspersky Lab)
R3 CpqCiDrv; C:\Windows\System32\DRIVERS\cpqcidrv.sys [51752 2009-05-11] (Hewlett-Packard -> Hewlett-Packard Company)
S3 CPQTeam; C:\Windows\System32\DRIVERS\cpqteam.sys [225792 2011-01-26] (Microsoft Windows Hardware Compatibility Publisher -> Hewlett-Packard Company)
R0 CSCrySec; C:\Windows\System32\DRIVERS\CSCrySec.sys [85048 2009-12-14] (InfoWatch -> Infowatch)
R1 CSVirtualDiskDrv; C:\Windows\System32\DRIVERS\CSVirtualDiskDrv.sys [66104 2009-12-14] (InfoWatch -> Infowatch)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [51776 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66944 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
R0 HpCISSs2; C:\Windows\System32\DRIVERS\HpCISSs2.sys [157288 2010-08-10] (Hewlett-Packard -> Hewlett-Packard Company)
R0 hpqilo2; C:\Windows\System32\DRIVERS\hpqilo2.sys [150880 2011-02-17] (Hewlett-Packard Company -> Hewlett-Packard Company)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Microsoft Windows -> Intel Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [531584 2019-03-18] (Kaspersky Lab -> AO Kaspersky Lab)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [79768 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [145504 2020-02-07] (Kaspersky Lab -> AO Kaspersky Lab)
R1 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [93312 2019-03-12] (Kaspersky Lab -> AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [251800 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klgse; C:\Windows\System32\DRIVERS\klgse.sys [586496 2020-01-27] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [1163216 2020-01-24] (Kaspersky Lab -> AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [998296 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klim6; C:\Windows\System32\DRIVERS\klim6.sys [58192 2019-03-19] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [51328 2019-03-13] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klwfp; C:\Windows\System32\DRIVERS\klwfp.sys [105600 2019-03-05] (Kaspersky Lab -> AO Kaspersky Lab)
R1 klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [211048 2020-02-07] (Kaspersky Lab -> AO Kaspersky Lab)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [232344 2020-04-15] (Kaspersky Lab -> AO Kaspersky Lab)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248968 2020-04-23] (Malwarebytes Inc -> Malwarebytes)
S3 q57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Microsoft Windows -> Broadcom Corporation)
S4 RsFx0321; C:\Windows\System32\DRIVERS\RsFx0321.sys [258720 2018-07-25] (Microsoft Corporation -> Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 WLBS; C:\Windows\System32\DRIVERS\NLB.sys [339968 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
S2 MBAMChameleon; \SystemRoot\System32\Drivers\MbamChameleon.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== Three months (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-04-23 07:32 - 2020-04-23 07:33 - 000018262 _____ C:\Users\Administrator\Downloads\FRST.txt
2020-04-23 04:25 - 2020-04-23 04:25 - 000248968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2020-04-19 17:46 - 2020-04-19 17:47 - 176246200 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT (1).exe
2020-04-19 03:52 - 2020-04-19 03:57 - 1925381853 _____ C:\Users\Administrator\Desktop\Logfile.XML
2020-04-19 03:49 - 2020-04-19 03:49 - 030403934 _____ C:\Users\Administrator\Downloads\SysinternalsSuite.zip
2020-04-19 03:33 - 2020-04-19 03:33 - 000001357 _____ C:\Users\Administrator\Desktop\result.txt
2020-04-17 01:52 - 2020-04-17 01:52 - 003827036 _____ C:\Users\Administrator\Downloads\powerevents(1).zip
2020-04-17 01:44 - 2020-04-17 01:45 - 000000000 ____D C:\Users\Administrator\Downloads\powerevents
2020-04-17 01:44 - 2020-04-17 01:44 - 003827036 _____ C:\Users\Administrator\Downloads\powerevents.zip
2020-04-17 01:36 - 2020-04-17 01:36 - 000000000 _____ C:\funs.txt
2020-04-17 00:57 - 2020-04-17 00:57 - 000333952 _____ (ESET) C:\Users\Administrator\Downloads\ESETEternalBlueChecker(1).exe
2020-04-17 00:53 - 2020-04-17 00:33 - 000011915 _____ C:\Users\Administrator\WMILister_20.vbs
2020-04-17 00:38 - 2020-04-17 00:33 - 000011915 _____ C:\Users\Administrator\Downloads\WMILister_20.vbs
2020-04-17 00:33 - 2020-04-17 00:33 - 000011915 _____ C:\WMILister_20.vbs
2020-04-17 00:12 - 2020-04-17 00:12 - 000001808 _____ C:\Users\Administrator\Desktop\WMI.txt
2020-04-16 18:58 - 2020-04-16 18:58 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\mbam
2020-04-16 18:57 - 2020-04-16 18:57 - 000001948 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2020-04-16 18:57 - 2020-04-16 18:57 - 000001948 _____ C:\ProgramData\Desktop\Malwarebytes.lnk
2020-04-16 18:57 - 2020-04-16 18:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2020-04-16 18:55 - 2020-04-16 18:55 - 001965536 _____ (Malwarebytes) C:\Users\Administrator\Downloads\MBSetup(1).exe
2020-04-16 11:17 - 2020-04-18 18:59 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\WPF
2020-04-16 08:40 - 2020-04-16 08:40 - 000003353 _____ C:\Users\Administrator\Downloads\FSS.txt
2020-04-16 08:39 - 2020-04-16 08:39 - 000925696 _____ (Farbar) C:\Users\Administrator\Downloads\FSS.exe
2020-04-15 22:17 - 2020-04-15 22:18 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\is-C209R.tmp
2020-04-15 21:22 - 2020-04-23 04:25 - 000000077 _____ C:\Windows\SysWOW64\wpd1.xml
2020-04-15 21:14 - 2020-04-15 21:14 - 000008562 _____ C:\Users\Administrator\Desktop\report.txt
2020-04-15 18:59 - 2020-04-15 18:59 - 000000000 _____ C:\Users\Administrator\AppData\Local\Temp\KnoEDAF.tmp
2020-04-15 18:54 - 2020-04-15 18:54 - 047857952 _____ (Adlice Software ) C:\Users\Administrator\Downloads\RogueKiller_setup_ref3.exe
2020-04-14 15:28 - 2020-04-23 04:25 - 000000077 _____ C:\Windows\SysWOW64\wpd.xml
2020-04-14 02:43 - 2020-04-23 07:32 - 000000000 ____D C:\FRST
2020-04-14 02:42 - 2020-04-14 02:42 - 002281984 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
2020-04-14 02:30 - 2020-04-14 02:30 - 000333952 _____ (ESET) C:\Users\Administrator\Downloads\ESETEternalBlueChecker.exe
2020-04-14 02:20 - 2020-04-14 02:20 - 000000000 ____D C:\Users\Administrator\Downloads\Autoruns
2020-04-14 02:19 - 2020-04-14 02:19 - 001728127 _____ C:\Users\Administrator\Downloads\Autoruns.zip
2020-04-14 02:03 - 2020-04-14 02:03 - 000022622 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1586819028-727.out
2020-04-14 02:01 - 2020-04-14 02:01 - 000022622 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1586818868-762.out
2020-04-14 01:58 - 2020-04-18 09:21 - 000000000 ____D C:\Program Files\Mozilla Firefox
2020-04-11 01:13 - 2020-04-11 01:13 - 175674808 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT(3).exe
2020-04-07 15:37 - 2020-04-07 15:37 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFA597602FAD7E24E1.TMP
2020-04-06 13:27 - 2020-04-06 13:27 - 006458338 _____ C:\Windows\system32\PerfStringBackup.INI
2020-04-05 13:56 - 2020-04-05 13:56 - 000002146 _____ C:\Users\Public\Desktop\Kaspersky Small Office Security.lnk
2020-04-05 13:56 - 2020-04-05 13:56 - 000002146 _____ C:\ProgramData\Desktop\Kaspersky Small Office Security.lnk
2020-04-05 13:56 - 2020-04-05 13:56 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Small Office Security
2020-04-05 13:55 - 2020-04-23 09:57 - 000000000 ____D C:\ProgramData\Kaspersky Lab
2020-04-05 13:55 - 2020-04-15 13:21 - 000998296 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klif.sys
2020-04-05 13:55 - 2020-04-15 13:21 - 000251800 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klflt.sys
2020-04-05 13:55 - 2020-04-05 13:55 - 000000000 ____D C:\Program Files (x86)\Kaspersky Lab
2020-04-05 13:55 - 2013-05-06 08:13 - 000110176 _____ (Kaspersky Lab ZAO) C:\Windows\system32\klfphc.dll
2020-04-05 13:54 - 2020-04-05 13:54 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DF6DD557B6E3E28AD4.TMP
2020-04-05 13:37 - 2020-04-05 13:39 - 175414200 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT(2).exe
2020-04-05 12:47 - 2020-04-05 12:47 - 000001764 _____ C:\Users\Administrator\AppData\Local\Temp\2mF0Ho2m.38h
2020-04-05 12:47 - 2020-04-05 12:47 - 000001757 _____ C:\Users\Administrator\AppData\Local\Temp\wplysLp8.qZI
2020-04-05 12:30 - 2020-04-05 12:30 - 000001764 _____ C:\Users\Administrator\AppData\Local\Temp\XGN0p24V.MFi
2020-04-05 12:30 - 2020-04-05 12:30 - 000001757 _____ C:\Users\Administrator\AppData\Local\Temp\2i5Og960.6kE
2020-04-05 12:22 - 2020-04-05 12:22 - 000001764 _____ C:\Users\Administrator\AppData\Local\Temp\0yCjBU41.i7H
2020-04-05 12:21 - 2020-04-05 12:21 - 000001757 _____ C:\Users\Administrator\AppData\Local\Temp\2FIoI2VZ.707
2020-04-05 12:02 - 2020-04-05 12:02 - 000001764 _____ C:\Users\Administrator\AppData\Local\Temp\b6n2r8ID.HWZ
2020-04-05 12:02 - 2020-04-05 12:02 - 000001757 _____ C:\Users\Administrator\AppData\Local\Temp\D7GcsvFp.bG8
2020-04-05 11:52 - 2020-04-05 11:53 - 216974480 _____ C:\Users\Administrator\Downloads\avira_server_security_en.exe
2020-04-05 11:44 - 2020-04-05 13:04 - 000000000 ____D C:\Program Files (x86)\Avira
2020-04-05 11:34 - 2020-04-05 11:36 - 225041680 _____ (Avira Operations GmbH & Co. KG) C:\Users\Administrator\Downloads\avira_antivirus_en-us(1).exe
2020-04-05 11:28 - 2020-04-05 11:28 - 000036600 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Drivers\npf.sys
2020-04-05 11:27 - 2020-04-05 11:27 - 000282360 _____ (Riverbed Technology, Inc.) C:\Windows\SysWOW64\wpcap.dll
2020-04-05 11:27 - 2020-04-05 11:27 - 000102136 _____ (Riverbed Technology, Inc.) C:\Windows\SysWOW64\packet.dll
2020-04-05 11:27 - 2020-04-05 11:27 - 000048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\npptools.dll
2020-04-05 10:35 - 2020-04-05 11:04 - 000528094 _____ C:\Windows\ntbtlog.txt
2020-04-05 10:22 - 2020-04-05 10:22 - 000000128 _____ C:\Windows\system32\config\netlogon.ftl
2020-04-05 01:13 - 2020-04-05 01:13 - 000000000 ____D C:\Users\Administrator\Downloads\Gridinsoft Anti-Malware 4.1.34.Build 4820
2020-04-05 01:13 - 2020-04-05 01:13 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\WinRAR
2020-04-05 01:08 - 2020-04-05 01:13 - 087175575 _____ C:\Users\Administrator\Downloads\Gridinsoft Anti-Malware 4.1.34.Build 4820.rar
2020-04-04 17:09 - 2020-04-14 02:13 - 000000000 ____D C:\Program Files\GridinSoft Anti-Malware
2020-04-04 14:22 - 2020-04-04 14:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+yasser.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+yahya.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+waleed.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+tariq.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+sun.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+sultan.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+sec.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+sami.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+salqasm.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+salman.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+saad.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+rakanm.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+rakan.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+qa.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+prog.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+pc3.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+pc2.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+pc1.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+omar.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+n.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+mshari.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+mohammedw.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+mohammed.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+menhaj.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+malzhrani.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+malsafar.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+malnabaoi.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+malamer.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+maher.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+laptop1.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+khalida.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+khalid.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+kalasmari.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ibra.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ialhammad.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+husain.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+hamad.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+frzat.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+fin.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+faris.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+fahad.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ejt.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+eid.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+bader.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aymans.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+assist.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ammar.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ali.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+alhazmlab.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+alhajri.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+akhalid.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+ahmedm.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+administrator.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+admin.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+abdulmalik.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+Abdullahnq7.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+abdug.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aalsalh.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aalhosini.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aalbokiri.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aalasmri.bmp
2020-04-04 14:21 - 2020-04-04 14:21 - 000031832 _____ C:\Users\Administrator\AppData\Local\Temp\THQURAN+aabdalbari.bmp
2020-04-01 07:42 - 2020-04-01 07:42 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\2
2020-04-01 02:36 - 2020-04-01 02:36 - 000022622 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585697790-665.out
2020-04-01 02:34 - 2020-04-01 02:35 - 000000222 _____ C:\Windows\SysWOW64\report.file
2020-04-01 02:34 - 2020-04-01 02:34 - 000000111 _____ C:\Windows\system32\report.file
2020-04-01 02:32 - 2020-04-01 02:33 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{42EF9D13-5E53-44E4-8E66-C55BA2EBD6DE}
2020-04-01 02:26 - 2020-04-01 02:26 - 000277720 _____ C:\Users\Administrator\AppData\Local\Temp\dd_ReportViewerMSI5D5D.txt
2020-04-01 02:26 - 2020-04-01 02:26 - 000013626 _____ C:\Users\Administrator\AppData\Local\Temp\dd_ReportViewerUI5D5D.txt
2020-03-31 22:11 - 2020-03-31 22:11 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{30AB77A8-AC12-4C56-BBDF-97E0AD37835F}
2020-03-29 06:12 - 2020-03-29 06:20 - 3917530545 _____ C:\Users\Administrator\Downloads\WindowsImageBackup.zip
2020-03-28 22:10 - 2020-03-28 22:10 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585422646-983.out
2020-03-28 22:10 - 2020-03-28 22:10 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585422601-964.out
2020-03-28 22:09 - 2020-03-28 22:09 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585422574-602.out
2020-03-28 18:24 - 2020-03-28 18:26 - 178423736 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT(1).exe
2020-03-28 18:09 - 2020-03-28 18:09 - 000000130 ___RH C:\Users\Administrator\Downloads\Stinger.opt
2020-03-28 16:29 - 2020-03-28 16:31 - 000000828 _____ C:\Users\Administrator\Downloads\Stinger_28032020_162902.html
2020-03-28 16:28 - 2020-03-28 16:28 - 017779200 _____ (McAfee LLC) C:\Users\Administrator\Downloads\stinger64.exe
2020-03-28 16:20 - 2020-03-28 16:21 - 010527368 _____ C:\Users\Administrator\Downloads\BDRemTool.exe
2020-03-28 16:19 - 2020-03-28 16:19 - 011845608 _____ (Bitdefender LLC) C:\Users\Administrator\Downloads\BootkitRemoval_x64(2).exe
2020-03-28 14:42 - 2020-03-28 14:42 - 000000000 ____D C:\ProgramData\Sophos
2020-03-28 14:38 - 2020-03-28 14:38 - 000270160 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Administrator\Downloads\avg_antivirus_free_setup.exe
2020-03-28 14:36 - 2020-03-28 14:37 - 188047008 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool.exe
2020-03-28 14:35 - 2020-03-28 14:35 - 011845608 _____ (Bitdefender LLC) C:\Users\Administrator\Downloads\BootkitRemoval_x64(1).exe
2020-03-28 14:34 - 2020-03-28 14:34 - 011845608 _____ (Bitdefender LLC) C:\Users\Administrator\Downloads\BootkitRemoval_x64.exe
2020-03-28 14:24 - 2020-03-28 14:24 - 002522224 _____ (Wiper Software, UAB) C:\Users\Administrator\Downloads\WiperSoft-installer.exe
2020-03-28 13:05 - 2020-04-14 02:08 - 000000000 _____ C:\Users\Administrator\AppData\Local\Temp\htmpl.htm
2020-03-28 06:37 - 2020-03-28 06:37 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{FC4C85FD-CA74-4102-89D2-3F0003CE1D46}
2020-03-28 06:25 - 2020-04-04 17:08 - 000000000 ____D C:\Users\Administrator\Downloads\GrdSoft.AntiMalwr.4.1.34_sigma4pc.com
2020-03-28 06:25 - 2020-03-28 06:25 - 000000000 ____D C:\Users\Administrator\Downloads\P_GrdSoft.AntiMalwr.4.1.34_sigma4pc.com
2020-03-28 06:24 - 2020-04-04 17:06 - 000000000 ____D C:\Users\Administrator\Downloads\GSAM4.1.34.4820TND
2020-03-28 06:15 - 2020-03-28 06:15 - 001447178 _____ (Igor Pavlov) C:\Users\Administrator\Downloads\7z1900-x64.exe
2020-03-28 06:03 - 2020-03-28 06:08 - 085359630 _____ C:\Users\Administrator\Downloads\GrdSoft.AntiMalwr.4.1.34_sigma4pc.com.rar
2020-03-28 05:58 - 2020-03-28 05:58 - 087301492 _____ C:\Users\Administrator\Downloads\GSAM4.1.34.4820TND.rar
2020-03-28 05:17 - 2020-04-18 09:20 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Mozilla
2020-03-28 05:17 - 2020-03-28 05:18 - 000000000 ____D C:\ProgramData\Mozilla
2020-03-28 05:17 - 2020-03-28 05:17 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2020-03-28 05:16 - 2020-03-28 05:16 - 000319824 _____ (Mozilla) C:\Users\Administrator\Downloads\Firefox Installer.exe
2020-03-28 04:57 - 2020-04-14 02:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware
2020-03-28 04:57 - 2020-03-28 04:57 - 000000000 ____D C:\ProgramData\GridinSoft
2020-03-28 04:56 - 2020-03-28 04:57 - 001214416 _____ C:\Users\Administrator\Downloads\install-antimalware.exe
2020-03-28 04:49 - 2020-03-28 18:22 - 000000000 ____D C:\Users\Administrator\Downloads\avira_antivir_antirootkit_en
2020-03-28 04:48 - 2020-03-28 04:48 - 000089324 _____ C:\Users\Administrator\Downloads\avira_antivir_antirootkit_en.zip
2020-03-28 04:47 - 2020-03-28 04:56 - 000000000 ____D C:\ProgramData\TEMP
2020-03-28 04:47 - 2019-10-19 11:13 - 000129872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSSTDFMT.DLL
2020-03-28 04:45 - 2020-03-28 04:45 - 004354328 _____ (BrightFort LLC ) C:\Users\Administrator\Downloads\spywareblastersetup56.exe
2020-03-28 04:45 - 2020-01-30 05:30 - 000834560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2020-03-28 04:45 - 2020-01-30 05:23 - 001010688 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2020-03-28 04:30 - 2020-03-28 07:21 - 000076197 _____ C:\Windows\ZAM.krnl.trace
2020-03-28 04:26 - 2020-03-28 04:26 - 012741568 _____ (Zemana Ltd. ) C:\Users\Administrator\Downloads\AntiMalware_Setup.exe
2020-03-28 04:13 - 2020-03-28 04:13 - 000000013 _____ C:\Users\Administrator\AppData\Local\Temp\jawshtml.html
2020-03-28 04:13 - 2020-03-28 04:13 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Sun
2020-03-28 04:12 - 2020-03-28 04:13 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\hsperfdata_administrator
2020-03-28 04:09 - 2020-03-28 04:10 - 076845600 _____ (Oracle Corporation) C:\Users\Administrator\Downloads\jre-8u241-windows-x64.exe
2020-03-28 03:54 - 2020-03-28 03:54 - 000050688 _____ (Atribune.org) C:\Users\Administrator\Downloads\ATF-Cleaner.exe
2020-03-28 02:30 - 2020-03-28 02:30 - 000000000 ____D C:\Windows\SysWOW64\ServerMigrationTools
2020-03-28 02:29 - 2020-03-28 02:29 - 000000000 ____D C:\Windows\system32\ServerMigrationTools
2020-03-27 04:34 - 2020-03-27 04:34 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{FC137322-9F52-482B-9D5C-17D4A69A3F33}
2020-03-27 04:20 - 2020-03-27 04:20 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\{63959CDF-9D69-4D06-9E4D-7F40C3EF42B1}
2020-03-27 00:38 - 2020-03-27 00:39 - 000000029 _____ C:\Users\Administrator\Desktop\avira.txt
2020-03-27 00:38 - 2020-03-27 00:38 - 219655040 _____ (Avira Operations GmbH & Co. KG) C:\Users\Administrator\Downloads\avira_antivirus_en-us.exe
2020-03-25 15:55 - 2020-03-25 15:55 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFE94B35295AFD3FCB.TMP
2020-03-25 14:00 - 2020-03-25 14:00 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585134049-33.out
2020-03-25 14:00 - 2020-03-25 14:00 - 000029378 _____ C:\Users\Administrator\AppData\Local\Temp\debug-1585134030-369.out
2020-03-25 13:56 - 2020-03-25 13:56 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFBED540CDD0B98EFB.TMP
2020-03-25 11:00 - 2020-03-25 11:00 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFF93832665B2775BB.TMP
2020-03-25 11:00 - 2020-03-25 11:00 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFF4B04B19A54D0FAD.TMP
2020-03-25 06:50 - 2020-03-25 06:50 - 000018196 _____ C:\Users\Administrator\AppData\Local\Temp\~glary_lng.dat
2020-03-25 06:50 - 2020-03-25 06:50 - 000008827 _____ C:\Users\Administrator\AppData\Local\Temp\~glary_ref.dat
2020-03-25 06:50 - 2020-03-25 06:50 - 000000483 _____ C:\Users\Administrator\AppData\Local\Temp\~glaryutilities-version.dat
2020-03-25 06:46 - 2020-03-25 15:55 - 000001231 _____ C:\Users\Administrator\AppData\Local\Temp\~upgrade.dat
2020-03-25 06:46 - 2020-03-25 15:55 - 000000184 _____ C:\Users\Administrator\AppData\Local\Temp\~autoupdate.dat
2020-03-25 06:46 - 2020-03-25 06:46 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFE632DA7A359B33EA.TMP
2020-03-25 06:46 - 2020-03-25 06:46 - 000016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DF9458BBC1678115F6.TMP
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\taskshostservices.exe
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\WinmonProcessMonitor.sys
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\winmonfs.sys
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\SysWOW64\Drivers\winmon.sys
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\taskshostservices.exe
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\WinmonProcessMonitor.sys
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\winmonfs.sys
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 _RSHD C:\Windows\system32\Drivers\winmon.sys
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SysWOW64\SecureBootThemes
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\system32\SecureBootThemes
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SpeechsTracing
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\SecureBootThemes
2020-03-25 06:45 - 2020-03-25 06:45 - 000000000 ____D C:\Windows\AppDiagnostics
2020-03-25 06:44 - 2020-03-25 06:44 - 000032768 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb-shm
2020-03-25 06:44 - 2020-03-25 06:44 - 000012288 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb
2020-03-25 06:44 - 2020-03-25 06:44 - 000000000 _____ C:\Windows\SysWOW64\antimalware.patch_management.product_registry.kvdb-wal
2020-03-25 05:12 - 2020-03-25 06:32 - 000000000 ____D C:\KVRT_Data
2020-03-25 05:10 - 2020-03-25 05:10 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\DiskDefrag
2020-03-25 05:09 - 2020-03-25 19:10 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\GlarySoft
2020-03-25 05:09 - 2020-03-25 05:09 - 000002572 _____ C:\GUDownLoaddebug.txt
2020-03-25 05:08 - 2020-03-25 19:10 - 000000000 ____D C:\Program Files (x86)\Glarysoft
2020-03-25 05:04 - 2020-03-25 05:04 - 000079382 _____ C:\Users\Administrator\Documents\cc_20200325_050433.reg
2020-03-25 03:30 - 2020-03-25 03:30 - 022267744 _____ (Piriform Software Ltd) C:\Users\Administrator\Downloads\cctrialsetup.exe
2020-03-25 03:16 - 2020-03-25 03:16 - 006044256 _____ (Glarysoft Ltd) C:\Users\Administrator\Downloads\rrsetup.exe
2020-03-24 23:41 - 2020-03-24 23:42 - 178138552 _____ (AO Kaspersky Lab) C:\Users\Administrator\Downloads\KVRT.exe
2020-03-24 22:39 - 2020-04-16 18:56 - 000153312 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2020-03-24 22:38 - 2020-03-24 22:38 - 000000000 ____D C:\Program Files\Malwarebytes
2020-03-24 22:36 - 2020-03-24 22:36 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DF4E8AFEE2022E9F34.TMP
2020-03-24 22:35 - 2020-04-23 07:33 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\1
2020-03-24 21:05 - 2020-03-24 21:06 - 001957784 _____ (Malwarebytes) C:\Users\Administrator\Downloads\MBSetup.exe
2020-03-24 21:01 - 2020-04-23 00:46 - 000000000 ____D C:\Users\Administrator\AppData\Local\Temp\TeamViewer
2020-03-24 20:41 - 2020-03-24 20:41 - 000032768 _____ C:\Users\Administrator\AppData\Local\Temp\~DFD1AF6D49AB7E7881.TMP
2020-03-24 20:25 - 2020-03-24 20:25 - 006003272 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev135.exe
2020-03-24 19:43 - 2020-03-24 19:43 - 002526656 _____ (Kaspersky) C:\Users\Administrator\Downloads\startup.exe
2020-03-24 19:04 - 2020-03-24 19:04 - 002567616 _____ (Kaspersky) C:\Users\Administrator\Downloads\ksos20.0.14.1085abcdefghar_en_19402.exe
2020-03-24 17:45 - 2020-03-24 17:45 - 209302180 _____ C:\Users\Administrator\Documents\reg.reg
2020-03-24 17:12 - 2020-03-24 17:12 - 000000000 ____D C:\ProgramData\Google
2020-03-24 17:01 - 2020-03-24 17:01 - 015560704 _____ C:\Users\Administrator\Downloads\chromeremotedesktophost.msi
2020-03-24 17:00 - 2020-03-24 17:00 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
2020-03-08 16:51 - 2020-04-01 02:33 - 000000000 ____D C:\Windows\system32\appmgmt
2020-03-03 22:27 - 2020-03-03 22:27 - 002007844 _____ C:\Users\Administrator\Downloads\ProcessExplorer.zip
2020-03-03 22:27 - 2020-03-03 22:27 - 000000000 ____D C:\Users\Administrator\Downloads\ProcessExplorer
2020-02-23 17:35 - 2020-02-23 17:35 - 000000000 ____D C:\Users\waleed\AppData\Local\Temp\mbam
2020-02-18 19:31 - 2020-04-09 10:21 - 000000000 ____D C:\Program Files (x86)\SMADAV
2020-02-18 19:31 - 2020-04-09 10:20 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Smadav
2020-02-18 19:31 - 2020-03-25 04:59 - 000000000 __SHD C:\[Smad-Cage]
2020-02-18 19:28 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134 (2).exe
2020-02-18 19:27 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134.exe
2020-02-18 19:27 - 2020-02-18 19:28 - 004895216 _____ (Smadsoft ) C:\Users\Administrator\Downloads\smadav2020rev134 (1).exe
2020-02-18 19:13 - 2020-02-18 19:13 - 000014041 _____ C:\Users\Administrator\Desktop\View running processes with Task Manager - Shortcut.lnk
2020-02-17 20:57 - 2020-02-17 20:57 - 000000000 ____D C:\ProgramData\Loaris
2020-02-17 20:24 - 2020-04-18 09:31 - 000001315 _____ C:\Users\Administrator\Downloads\SpyHunter52020.zip
2020-02-17 20:24 - 2020-04-18 09:30 - 000001315 _____ C:\Users\Administrator\Downloads\SpyHunter52020 (1).zip
2020-02-17 20:11 - 2020-02-17 20:11 - 000000000 ____D C:\AdwCleaner
2020-02-17 17:36 - 2020-02-17 17:37 - 000001835 _____ C:\Users\Administrator\Desktop\kprm-20200217173629.txt
2020-02-17 17:36 - 2020-02-17 17:36 - 000000000 ____D C:\KPRM
2020-02-16 20:41 - 2020-03-31 16:24 - 000000000 ____D C:\Windows\pss
2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\Windows\system32\Drivers\etc\BACKUP
2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\ProgramData\Malwarebytes
2020-02-15 18:52 - 2020-02-15 18:52 - 000000000 ____D C:\Program Files (x86)\Malwarebytes
2020-02-10 11:03 - 2020-02-10 11:03 - 000001883 _____ C:\Users\Administrator\Desktop\972341447.lnk
2020-02-09 14:52 - 2020-02-09 14:52 - 000000000 _____ C:\Windows\SysWOW64\TmpB791.tmp
2020-02-09 01:15 - 2020-04-17 05:04 - 000000079 _____ C:\Windows\system32\wpd1.xml
2020-02-09 01:15 - 2020-04-17 05:04 - 000000079 _____ C:\Windows\system32\wpd.xml
2020-02-08 21:16 - 2020-02-08 21:16 - 000000000 ____D C:\Windows\java
2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\Program Files\mainsoft
2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\Program Files\kugou2010
2020-02-08 21:15 - 2020-02-08 21:15 - 000000000 __SHD C:\download
2020-02-07 16:57 - 2020-04-15 13:21 - 000079768 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klbackupdisk.sys
2020-02-07 16:57 - 2020-02-07 16:57 - 000211048 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klwtp.sys
2020-02-07 16:57 - 2020-02-07 16:57 - 000145504 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klbackupflt.sys
2020-01-27 07:42 - 2020-01-27 07:42 - 000586496 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klgse.sys
2020-01-25 01:03 - 2020-01-25 01:03 - 000000000 ____D C:\Windows\تابعني
2020-01-25 01:03 - 2020-01-25 01:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mobily.ws
2020-01-24 04:36 - 2020-01-24 04:36 - 001163216 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys

==================== Three months (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-04-23 07:00 - 2015-09-04 13:01 - 000000446 _____ C:\Windows\Tasks\ShadowCopyVolume{4dfb487e-c568-469a-a415-a37d0667aebd}.job
2020-04-23 04:32 - 2009-07-14 07:49 - 000026000 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2020-04-23 04:32 - 2009-07-14 07:49 - 000026000 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2020-04-23 04:26 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\inetsrv
2020-04-23 04:24 - 2013-10-21 21:02 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2020-04-23 04:24 - 2013-10-12 22:32 - 000005536 _____ C:\Windows\system32\config\netlogon.dnb
2020-04-23 04:24 - 2013-10-12 22:32 - 000002271 _____ C:\Windows\system32\config\netlogon.dns
2020-04-23 04:24 - 2013-10-12 22:10 - 000000000 ____D C:\Windows\system32\dns
2020-04-23 04:23 - 2013-10-12 22:12 - 000000000 ____D C:\Windows\NTDS
2020-04-23 04:23 - 2009-07-14 08:06 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2020-04-19 17:46 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\NDF
2020-04-17 11:04 - 2013-10-10 11:27 - 000000000 ____D C:\Users\Administrator
2020-04-15 21:12 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\inf
2020-04-15 21:12 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\Help
2020-04-15 13:21 - 2019-03-19 02:31 - 000232344 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\kneps.sys
2020-04-15 11:58 - 2013-10-23 23:40 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Temp
2020-04-15 11:58 - 2009-09-18 04:52 - 001056362 _____ C:\Windows\system32\perfh00A.dat
2020-04-15 11:58 - 2009-09-18 04:52 - 000273364 _____ C:\Windows\system32\perfc00A.dat
2020-04-15 11:58 - 2009-09-18 04:45 - 001011720 _____ C:\Windows\system32\perfh007.dat
2020-04-15 11:58 - 2009-09-18 04:45 - 000260304 _____ C:\Windows\system32\perfc007.dat
2020-04-15 11:58 - 2009-09-18 04:39 - 001047294 _____ C:\Windows\system32\perfh010.dat
2020-04-15 11:58 - 2009-09-18 04:39 - 000257984 _____ C:\Windows\system32\perfc010.dat
2020-04-15 11:58 - 2009-09-18 04:33 - 001057430 _____ C:\Windows\system32\perfh00C.dat
2020-04-15 11:58 - 2009-09-18 04:33 - 000262488 _____ C:\Windows\system32\perfc00C.dat
2020-04-10 23:53 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\Registration
2020-04-05 13:56 - 2013-10-10 22:26 - 000000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2020-04-05 11:29 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system
2020-04-04 14:25 - 2013-10-10 21:31 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2020-04-04 14:22 - 2019-10-28 18:47 - 000000000 ____D C:\Program Files\7-Zip
2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2020-04-04 14:21 - 2013-10-22 20:53 - 000000000 ____D C:\Program Files (x86)\WinRAR
2020-04-01 02:42 - 2014-08-29 13:46 - 000000000 ____D C:\Program Files (x86)\HP
2020-04-01 02:42 - 2013-10-22 20:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2020-04-01 02:37 - 2013-10-26 12:30 - 000000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
2020-04-01 02:36 - 2013-10-22 21:30 - 000000000 ____D C:\Program Files (x86)\FPSensor
2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Management Agents
2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\hp
2020-04-01 02:35 - 2013-10-10 21:31 - 000000000 ____D C:\compaq
2020-04-01 02:35 - 2013-10-10 21:30 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP System Tools
2020-04-01 02:34 - 2013-10-10 21:30 - 000000000 ____D C:\Program Files\HP
2020-04-01 02:33 - 2013-10-10 11:29 - 000000000 ____D C:\Program Files (x86)\Hewlett-Packard
2020-03-28 08:47 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\rescache
2020-03-28 06:32 - 2019-10-28 10:52 - 000000000 ____D C:\Users\Classic .NET AppPool
2020-03-28 06:32 - 2019-05-07 14:00 - 000000000 ____D C:\Users\waleed
2020-03-28 06:32 - 2014-09-10 18:05 - 000000000 ____D C:\Users\admin
2020-03-28 06:32 - 2013-11-09 21:52 - 000000000 ____D C:\Users\assist
2020-03-28 04:54 - 2013-10-11 16:14 - 000112994 __RSH C:\ProgramData\ntuser.pol
2020-03-28 04:50 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy
2020-03-28 02:45 - 2009-07-14 08:07 - 000000000 ____D C:\Windows\system32\ServerManager
2020-03-28 02:30 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\SysWOW64\migwiz
2020-03-28 02:30 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\system32\migwiz
2020-03-25 13:58 - 2013-10-22 21:26 - 000000000 ____D C:\Program Files (x86)\Att
2020-03-25 05:03 - 2013-10-26 12:52 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\TeamViewer
2020-03-25 05:02 - 2013-10-10 22:01 - 000000000 ____D C:\Windows\Panther
2020-03-24 20:34 - 2019-11-11 18:00 - 000000000 ____D C:\Program Files (x86)\AnyDesk
2020-03-24 17:06 - 2009-07-14 08:06 - 000032548 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2020-03-24 17:01 - 2015-05-20 22:08 - 000000000 ____D C:\Program Files (x86)\Google

==================== Files in the root of some directories ========

2020-04-17 00:53 - 2020-04-17 00:33 - 000011915 _____ () C:\Users\Administrator\WMILister_20.vbs
2020-04-01 02:43 - 2020-04-01 02:44 - 000020014 _____ () C:\Users\Administrator\AppData\Local\dd_HelpSetup_UI6A84.txt
2020-02-22 19:18 - 2020-02-22 19:18 - 000007605 _____ () C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg

==================== SigCheckExt =========================

2018-03-01 21:27 - 2016-02-10 16:33 - 000153088 _____ (CANON INC.) C:\Windows\system32\CNCENPM6.dll
2018-03-01 21:27 - 2013-01-31 21:21 - 000195584 _____ (CANON INC.) C:\Windows\system32\CNCENPR6.dll
2018-03-01 21:27 - 2013-01-31 21:21 - 000105984 _____ (CANON INC.) C:\Windows\system32\CNCENPU6.dll
2011-01-19 15:46 - 2011-01-19 15:46 - 000051200 _____ (Hewlett-Packard Company) C:\Windows\system32\cpqnimsg.dll
2011-03-09 03:33 - 2011-03-09 03:33 - 000164864 _____ (Hewlett-Packard Company) C:\Windows\system32\cpqstmsg.dll
2011-03-09 03:33 - 2011-03-09 03:33 - 000030720 _____ C:\Windows\system32\cqstrutl.dll
2014-04-28 05:21 - 2014-04-28 05:21 - 000051712 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbmiapi.dll
2014-04-28 05:21 - 2014-04-28 05:21 - 000052736 _____ (Hewlett-Packard Company) C:\Windows\system32\hpboid.dll
2014-04-28 05:21 - 2014-04-28 05:21 - 000012800 _____ (Hewlett-Packard Company) C:\Windows\system32\hpboidps.dll
2014-04-28 05:21 - 2014-04-28 05:21 - 000078848 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbpro.dll
2014-04-28 05:21 - 2014-04-28 05:21 - 000013312 _____ (Hewlett-Packard Company) C:\Windows\system32\hpbprops.dll
2014-04-28 05:21 - 2014-04-28 05:21 - 000070144 _____ (Hewlett-Packard) C:\Windows\system32\HPBWSDR.DLL
2014-03-18 09:15 - 2014-03-18 09:15 - 000180736 _____ (hp) C:\Windows\system32\hplbddrv.dll
2014-04-28 05:22 - 2014-04-28 05:22 - 000067072 _____ (Hewlett-Packard) C:\Windows\system32\HPZidr12.dll
2014-04-28 05:22 - 2014-04-28 05:22 - 000050688 _____ (Hewlett-Packard) C:\Windows\system32\HPZinw12.dll
2014-04-28 05:22 - 2014-04-28 05:22 - 000066048 _____ (Hewlett-Packard) C:\Windows\system32\HPZipm12.dll
2014-04-28 05:22 - 2014-04-28 05:22 - 000046592 _____ (Hewlett-Packard) C:\Windows\system32\HPZipr12.dll
2014-04-28 05:22 - 2014-04-28 05:22 - 000038400 _____ (Hewlett-Packard) C:\Windows\system32\hpzipt12.dll
2014-04-28 05:22 - 2014-04-28 05:22 - 000024064 _____ (Hewlett-Packard) C:\Windows\system32\hpzisn12.dll
2011-03-09 17:01 - 2011-03-09 17:01 - 000069632 _____ (Compaq) C:\Windows\system32\svrclu.dll
2011-03-09 17:01 - 2011-03-09 17:01 - 000073216 _____ (Compaq) C:\Windows\system32\svrntc.dll
2013-10-22 20:52 - 2005-03-18 14:18 - 000143360 ____R (Zenographics) C:\Windows\apptune1020.exe
2019-06-22 18:00 - 2019-06-22 18:54 - 000796672 _____ (Qsc) C:\Windows\GPInstall.exe
2014-08-29 17:00 - 2007-02-01 15:50 - 000306688 _____ (InstallShield Software Corporation) C:\Windows\IsUninst.exe
2014-08-29 16:59 - 2009-07-27 16:50 - 000087392 _____ (Twain Working Group) C:\Windows\twain.dll
2014-08-29 16:59 - 2009-07-27 16:50 - 000077312 _____ (Twain Working Group) C:\Windows\twain_32.dll
2014-08-29 16:59 - 2009-07-27 16:50 - 000048560 _____ (Twain Working Group) C:\Windows\twunk_16.exe
2014-08-29 16:59 - 2009-07-27 16:50 - 000069632 _____ (Twain Working Group) C:\Windows\twunk_32.exe
2018-03-01 21:27 - 2016-02-10 16:33 - 000153088 _____ (CANON INC.) C:\Windows\SysWOW64\CNCENPM6.dll
2014-04-28 05:21 - 2014-04-28 05:21 - 000055296 _____ (Hewlett-Packard) C:\Windows\SysWOW64\HPZidr12.dll
2014-04-28 05:21 - 2014-04-28 05:21 - 000039424 _____ (Hewlett-Packard) C:\Windows\SysWOW64\HPZipr12.dll
2009-05-21 20:21 - 2009-05-21 20:21 - 000499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2014-08-29 17:01 - 2009-07-27 16:50 - 000401484 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcrtd.dll
2009-05-14 06:22 - 2009-05-14 06:22 - 000082432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml4r.dll
2020-04-05 11:27 - 2020-04-05 11:27 - 000048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\npptools.dll
2019-10-01 12:05 - 2019-10-01 12:05 - 000024576 _____ C:\Windows\SysWOW64\WebbrowsercontrolDialog.dll
2013-10-10 21:30 - 2010-08-27 09:39 - 000053248 _____ (Hewlett Packard) C:\Windows\system32\Drivers\HPTapeDriverVersion.dll
2020-03-28 06:15 - 2020-03-28 06:15 - 001447178 _____ (Igor Pavlov) C:\Users\Administrator\Downloads\7z1900-x64.exe
2020-03-28 03:54 - 2020-03-28 03:54 - 000050688 _____ (Atribune.org) C:\Users\Administrator\Downloads\ATF-Cleaner.exe
2020-04-14 02:42 - 2020-04-14 02:42 - 002281984 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
2020-04-16 08:39 - 2020-04-16 08:39 - 000925696 _____ (Farbar) C:\Users\Administrator\Downloads\FSS.exe

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {2a977a7d-31df-11e3-8479-80c16e6fc700}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2008 R2
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {2a977a7f-31df-11e3-8479-80c16e6fc700}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {2a977a7d-31df-11e3-8479-80c16e6fc700}
nx                      OptOut
safebootalternateshell  No

Windows Boot Loader
-------------------
identifier              {2a977a7f-31df-11e3-8479-80c16e6fc700}
device                  ramdisk=[C:]\Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\Winre.wim,{2a977a80-31df-11e3-8479-80c16e6fc700}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\Winre.wim,{2a977a80-31df-11e3-8479-80c16e6fc700}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {2a977a7d-31df-11e3-8479-80c16e6fc700}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {2a977a80-31df-11e3-8479-80c16e6fc700}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\2a977a7f-31df-11e3-8479-80c16e6fc700\boot.sdi


LastRegBack: 2020-04-17 00:07
==================== End of FRST.txt ========================

KS.PNG


Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

Is the problem solved?

fixlist.txt


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

