
RE: Ransomfree

This is a discussion on RE: Ransomfree within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.

Old 07-25-2018, 02:48 AM   #1
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu

Are these Ransomfree files? It's one of two folders. Just wondering because I have not seen bait files in the <My Documents> folder before.
https://i65.tinypic.com/295qr83.png

For some reason, our office techs cannot get Sophos running on my machine so I had to rely on Sandboxie and MBAM, and browsing best practices. While lurking in this forum, I ran across the Ransomfree thread a while back, so I installed that too. But after seeing these folders today, I decided to install free Avast.

Neither Avast, MBAM, nor Adware Cleaner find any virus or malware. Can I assume my machine is clean? TIA.
Posted by blaaargh
Old 07-25-2018, 02:58 AM   #2
Moderator, Editor, Articles Team
 
Join Date: Nov 2007
Location: Doncaster, Great Britain
Posts: 11,805
OS: Windows 7 Professional SP1

Hi,

Please follow the instructions here > NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

Follow the instructions carefully and if you have any problems with them, let the analyst know in your thread.

Post your logs as per the instructions in the Virus/Trojan/Spyware Help forum........not here.

Be advised that this part of the forum is usually very busy so some patience will be required but someone will be along to assist you when they can.

If you have no response within 72 hours, you may reply to your own thread with 'Bump please'; this will result in your thread moving to the top of the forum, making it more visible.

Good luck.
Regards, Dave.
Posted by Deejay100six
Old 07-25-2018, 03:22 AM   #3
Moderator
Windows Tech Team
Hardware Tech Team
 
Join Date: Aug 2008
Location: INDIA
Posts: 2,976
OS: Windows 10 | CentOS | Manjaro

I can't navigate to that URL; hopefully someone else can and suggest..
Posted by tristar
Old 07-25-2018, 03:27 AM   #4
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu

My bad. I could have sworn I was posting in that forum.

In any case, here are the files requested.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.18858
Run by cong at 6:04:59 on 2018-07-25
Microsoft Windows 7 Professional 6.1.7601.1.1252.63.1033.18.3570.1015 [GMT -4:00]
.
AV: Avast Antivirus *Enabled/Updated* {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Avast Antivirus *Enabled/Updated* {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Cybereason\RansomFree\CybereasonRansomFreeServiceHost.exe
c:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Windows\system32\SAsrv.exe
C:\Program Files\Sophos\Clean\Clean.exe
C:\Program Files\Sophos\Sophos File Scanner\SophosFS.exe
C:\Program Files\Sophos\Sophos File Scanner\SophosFileScanner.exe
C:\Program Files\Sophos\Health\Health.exe
C:\Program Files\Sophos\Sophos File Scanner\SophosFileScanner.exe
C:\Program Files\Sophos\Management Communications System\Endpoint\McsAgent.exe
C:\Program Files\Sophos\Management Communications System\Endpoint\McsClient.exe
C:\Program Files\Sophos\Safestore\Safestore32.exe
C:\Program Files\Sophos\Endpoint Defense\SSPService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\CNAB4RPK.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Cybereason\RansomFree\CybereasonRansomFree.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVAST Software\Avast\aswidsagent.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe
C:\Program Files\Sophos\Sophos UI\Sophos UI.exe
C:\Program Files\Conexant\SAII\SmartAudio.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.10228.20134\OfficeClickToRun.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\cong\Documents\blargh!\[ apps ]\krypton\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uProxyServer = hxxp://someonequalfoncebu.com:8080
uProxyOverride = *.qualfonuniversity.*;*.moodle.*;*.google.*;*.qualfon.*;*.qualfoncebu.*;*.mindleaders.*;*.wix.*;*.googleapis.*;*.vidyard.*;*.edgecastcdn.*;*.icmi.*;*.youtube.*;*.skillport.*;*.symantecliveupdate.*;*.symantec.*;*.webex.*;learnshare.*;*.learnshare.*;*.sourceforget.*;moodle.*;172.28.*.*;*.cloudfront.*;*.aspnetcdn.*;*.learnshare.*;*.adobe.*;*.sixsigma-institute.*;*.redbooth.*;*.google-analytics.*;*.googletagmanager.*;*.redbooth.*;redbooth.com;*.sysaidit.*;*.gotomeeting.*;*.gotowebinar.*;*.runexam.*;runexam.*;*.imminc.*;*.office.*;*.microsoftonline.*;*.microsoft.*;*.live.*;*.office.*;*.microsoftonline-p.*;*.lynda.*;microsoftonline.*;*.bbcollab.*;*.skype.*;*.msn.*;*.powerbi.*;*.zoom.*;*outlook.*;209.200.*;*.lunariffic.*;*.outlook.*
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft office\root\office16\OCHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe Acrobat Create PDF Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - c:\program files\microsoft office\office15\GROOVEEX.DLL
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [cAudioFilterAgent] c:\program files\conexant\caudiofilteragent\cAudioFilterAgent.exe
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [Sophos UI.exe] "c:\program files\sophos\sophos ui\Sophos UI.exe" /hidden
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvLaunch.exe" /gui
uExplorerRun: [1] \\qpi.local\SYSVOL\QPI.LOCAL\scripts\Jpeglogon.bat
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\canonl~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\CNAB4LAK.EXE
uPolicies-Explorer: NoDrives = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
uPolicies-Explorer: NoWinKeys = dword:1
uPolicies-Explorer: NoWelcomeScreen = dword:1
uPolicies-Explorer: NoNetworkConnections = dword:1
uPolicies-Explorer: NoSMMyPictures = dword:1
uPolicies-Explorer: NoStartMenuNetworkPlaces = dword:1
uPolicies-Explorer: ForceActiveDesktopOn = dword:1
uPolicies-Explorer: NoComputersNearMe = dword:1
uPolicies-Explorer: NoWindowsUpdate = dword:1
uPolicies-Explorer: NoCommonGroups = dword:1
uPolicies-Explorer: NoSetFolders = dword:1
uPolicies-Explorer: NoFavoritesMenu = dword:1
uPolicies-Explorer: NoSMHelp = dword:1
uPolicies-Explorer: NoStartMenuMyMusic = dword:1
uPolicies-Explorer: NoTaskGrouping = dword:1
uPolicies-Explorer: NoAutoTrayNotify = dword:1
uPolicies-Explorer: NoSMBalloonTip = dword:1
uPolicies-Explorer: NoStartMenuPinnedList = dword:1
uPolicies-Explorer: NoStartMenuMorePrograms = dword:1
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
uPolicies-Explorer: NoRecentDocsNetHood = dword:1
uPolicies-Explorer: DisablePersonalDirChange = dword:1
uPolicies-Explorer: NoToolbarsOnTaskbar = dword:1
uPolicies-Explorer: NoActiveDesktopChanges = dword:1
uPolicies-System: DisableRegistryTools = dword:1
uPolicies-System: Wallpaper = \\qualfoncenter.local\CEBDesktopSvr\WALLPAPERLOGO\wallpaperoriginal.bmp
uPolicies-System: WallpaperStyle = 2
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office15\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft office\root\office16\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office15\ONBttnIELinkedNotes.dll
TCP: Interfaces\{1E0E5EEB-BF13-4D47-A93D-74C15E7DCA97} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{A8EDE12C-0BDD-4FA1-AF91-8DB9A0F9CA4D} : NameServer = 172.28.2.200,172.28.2.201
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office15\MSOXMLMF.DLL
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - c:\program files\microsoft office\root\office16\MSOSB.DLL
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - c:\program files\microsoft office\root\office16\MSOSB.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - c:\program files\microsoft office\office15\MSOSB.DLL
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - c:\program files\microsoft office\root\office16\MSOSB.DLL
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - c:\program files\microsoft office\root\office16\MSOSB.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
Hosts: 172.28.4.212 autodiscover.qualfon.com
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\cong\appdata\roaming\mozilla\firefox\profiles\8g9fy7dc.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxps://hriscebu.qualfon.com/ceb/index.php
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\program files\adobe\acrobat 11.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\acrobat reader dc\reader\air\nppdf32.dll
FF - plugin: c:\program files\intel\intel(r) management engine components\ipt\npIntelWebAPIIPT.dll
FF - plugin: c:\program files\intel\intel(r) management engine components\ipt\npIntelWebAPIUpdater.dll
FF - plugin: c:\program files\microsoft office\root\office16\NPSPWRAP.DLL
FF - plugin: c:\program files\microsoft office\root\vfs\programfilesx86\mozilla firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.50907.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\cong\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_30_0_0_134.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswbidsh;aswbidsh;c:\windows\system32\drivers\aswbidshx.sys [2018-7-25 164944]
R0 aswblog;aswblog;c:\windows\system32\drivers\aswblogx.sys [2018-7-25 284328]
R0 aswbuniv;aswbuniv;c:\windows\system32\drivers\aswbunivx.sys [2018-7-25 57976]
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2018-7-25 71848]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2018-7-25 310784]
R0 Sophos Endpoint Defense;Sophos Endpoint Defense Mini-Filter Driver;c:\windows\system32\drivers\SophosED.sys [2018-5-24 575648]
R1 aswArPot;aswArPot;c:\windows\system32\drivers\aswArPot.sys [2018-7-25 167552]
R1 aswbidsdriver;aswbidsdriver;c:\windows\system32\drivers\aswbidsdriverx.sys [2018-7-25 188352]
R1 aswHdsKe;aswHdsKe;c:\windows\system32\drivers\aswHdsKe.sys [2018-7-25 189240]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2018-7-25 784120]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2018-7-25 396352]
R2 AGSService;Adobe Genuine Software Integrity Service;c:\program files\common files\adobe\adobegcclient\AGSService.exe [2015-8-20 1843392]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-12-19 219136]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2018-7-25 133680]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2018-7-25 162704]
R2 avast! Antivirus;Avast Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2018-7-25 322464]
R2 ClickToRunSvc;Microsoft Office Click-to-Run Service;c:\program files\common files\microsoft shared\clicktorun\OfficeClickToRun.exe [2017-12-7 5096624]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2017-10-4 107624]
R2 CybereasonRansomFree;Cybereason RansomFree Engine;c:\program files\cybereason\ransomfree\CybereasonRansomFreeServiceHost.exe [2017-11-20 13824]
R2 DiagTrack;Diagnostics Tracking Service;c:\windows\system32\svchost.exe -k utcsvc [2009-7-13 20992]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\intel\icls client\HeciServer.exe [2012-2-2 458464]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files\intel\intel(r) management engine components\dal\Jhi_service.exe [2013-2-14 161560]
R2 MBAMService;Malwarebytes Service;c:\program files\malwarebytes\anti-malware\MBAMService.exe [2017-12-8 4753104]
R2 SAService;Conexant SmartAudio service;c:\windows\system32\SASrv.exe [2013-2-14 446592]
R2 Sophos Clean Service;Sophos Clean;c:\program files\sophos\clean\Clean.exe [2018-5-24 3725376]
R2 Sophos File Scanner Service;Sophos File Scanner Service;c:\program files\sophos\sophos file scanner\SophosFS.exe [2018-5-24 1127936]
R2 Sophos Health Service;Sophos Health Service;c:\program files\sophos\health\Health.exe [2017-12-5 1720648]
R2 Sophos MCS Agent;Sophos MCS Agent;c:\program files\sophos\management communications system\endpoint\McsAgent.exe [2018-3-14 1314440]
R2 Sophos MCS Client;Sophos MCS Client;c:\program files\sophos\management communications system\endpoint\McsClient.exe [2018-3-14 1723840]
R2 Sophos Safestore Service;Sophos Safestore;c:\program files\sophos\safestore\Safestore32.exe [2018-5-24 1522184]
R2 Sophos System Protection Service;Sophos System Protection Service;c:\program files\sophos\endpoint defense\SSPService.exe [2018-5-24 8337984]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2013-2-14 363800]
R3 aswbIDSAgent;aswbIDSAgent;c:\program files\avast software\avast\aswidsagent.exe [2018-7-25 6341888]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-11-6 84992]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2018-7-25 220896]
R3 MEI;Intel(R) Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2013-2-15 46080]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2013-2-15 394856]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2017-6-5 179336]
S3 aswHwid;aswHwid;c:\windows\system32\drivers\aswHwid.sys [2018-7-25 42808]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2017-12-13 104960]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2013-2-15 280576]
S3 netvsc;netvsc;c:\windows\system32\drivers\netvsc60.sys [2010-11-20 126464]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-4-13 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-4-13 11104]
S3 rimvndis;BlackBerry Virtual Private Network;c:\windows\system32\drivers\rimvndis6.sys [2014-6-23 14336]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SynthVid;SynthVid;c:\windows\system32\drivers\VMBusVideoM.sys [2010-11-20 19456]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\drivers\usb80236.sys [2013-4-16 15872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-4-16 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 AdobeFlashPlayerFeedbackSvc;Adobe Flash Player Feedback Service;c:\windows\system32\macromed\flash\FlashPlayerFeedbackService.exe [2017-3-14 479744]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\notepad++.exe="c:\program files\notepad++\notepad++.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2018-07-25 09:33:20 -------- d-----w- C:\Xversion85
2018-07-25 09:33:19 -------- d-----w- C:\Acsystem173
2018-07-25 09:12:44 220896 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2018-07-25 08:50:48 -------- d-----w- c:\users\cong\appdata\local\Google
2018-07-25 08:45:05 -------- d-----w- c:\users\cong\appdata\roaming\AVAST Software
2018-07-25 08:45:04 -------- d-----w- c:\users\cong\appdata\local\AVAST Software
2018-07-25 08:34:13 -------- d-----w- c:\program files\AVAST Software
2018-07-25 08:33:31 -------- d-----w- c:\programdata\AVAST Software
2018-07-23 04:18:33 12068304 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9e1f9778-7c35-46d8-b0c4-6761e62784a9}\mpengine.dll
2018-07-20 14:42:00 -------- d-----w- c:\users\cong\appdata\local\{5CBBDFB5-5D85-483D-AA29-B497AA6417E4}
2018-07-12 10:18:14 900288 ----a-w- c:\program files\common files\microsoft shared\clicktorun\updates\16.0.10228.20080\ucrtbase.dll
2018-07-11 03:55:59 619520 ----a-w- c:\windows\system32\generaltel.dll
2018-07-11 03:55:59 554496 ----a-w- c:\windows\system32\aeinv.dll
2018-07-11 03:55:59 517120 ----a-w- c:\windows\system32\devinv.dll
2018-07-11 03:55:59 358912 ----a-w- c:\windows\system32\invagent.dll
2018-07-11 03:55:59 353792 ----a-w- c:\windows\system32\centel.dll
2018-07-11 03:55:59 2703872 ----a-w- c:\windows\system32\aitstatic.exe
2018-07-11 03:55:59 246272 ----a-w- c:\windows\system32\acmigration.dll
2018-07-11 03:55:59 202752 ----a-w- c:\windows\system32\aepic.dll
2018-07-11 03:55:59 1359360 ----a-w- c:\windows\system32\appraiser.dll
2018-07-11 03:55:59 122560 ----a-w- c:\windows\system32\CompatTelRunner.exe
2018-07-04 22:09:23 480888 ------w- c:\windows\system32\MpSigStub.exe
2018-06-29 14:56:16 244208 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2018-06-29 03:58:27 -------- d-----w- c:\users\cong\appdata\roaming\Cybereason
2018-06-29 03:58:01 -------- d-----w- c:\programdata\Cybereason
2018-06-29 03:57:55 -------- d-----w- c:\program files\Cybereason
2018-06-27 0622 -------- d-----w- c:\users\cong\appdata\local\Programs
.
==================== Find3M ====================
.
2018-07-25 08:39:14 162704 ----a-w- c:\windows\system32\drivers\aswStm.sys
2018-07-25 08:39:13 71848 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2018-07-25 08:39:13 42808 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2018-07-25 08:39:13 310784 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2018-07-25 08:39:13 167552 ----a-w- c:\windows\system32\drivers\aswArPot.sys
2018-07-25 08:39:13 133680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2018-07-25 08:39:13 101056 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2018-07-25 08:39:12 1142072 ----a-w- c:\windows\ucrtbase.dll
2018-07-25 08:38:55 784120 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2018-07-25 08:38:51 189240 ----a-w- c:\windows\system32\drivers\aswHdsKe.sys
2018-07-25 08:38:50 57976 ----a-w- c:\windows\system32\drivers\aswbunivx.sys
2018-07-25 08:38:50 284328 ----a-w- c:\windows\system32\drivers\aswblogx.sys
2018-07-25 08:38:50 188352 ----a-w- c:\windows\system32\drivers\aswbidsdriverx.sys
2018-07-25 08:38:50 164944 ----a-w- c:\windows\system32\drivers\aswbidshx.sys
2018-07-20 06:28:19 846848 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2018-07-20 06:28:19 175616 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2018-07-12 08:59:40 129248 ----a-w- c:\windows\system32\drivers\mbae.sys
.
============= FINISH: 646.20 ===============
Attached file: attach.txt (10.7 KB)
Posted by blaaargh
Old 07-25-2018, 03:29 AM   #5
Microsoft-Team Manager
Hardware - Team Manager
 
Join Date: Dec 2008
Location: Glasgow Scotland
Posts: 68,193
OS: win 10 Home

tristar, try copy and paste into the browser, then remove the s from HTTPS.
Posted by joeten
Old 07-25-2018, 03:39 AM   #6
Moderator
Windows Tech Team
Hardware Tech Team
 
Join Date: Aug 2008
Location: INDIA
Posts: 2,976
OS: Windows 10 | CentOS | Manjaro

Na joeten, the domain is blocked in my network.. Company regulations :P
Posted by tristar
Old 07-25-2018, 04:46 AM   #7
Microsoft-Team Manager
Hardware - Team Manager
 
Join Date: Dec 2008
Location: Glasgow Scotland
Posts: 68,193
OS: win 10 Home

Right, got ya.
Posted by joeten
Old 07-25-2018, 08:00 PM   #8
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu

Quote (originally posted by tristar):
I can't navigate to that URL; hopefully someone else can and suggest..
Thank you tristar. Can you recommend a site you can access?
Posted by blaaargh
Old 07-26-2018, 04:26 AM   #9
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I cannot access your pic link. Can you just post the pic(s) in your next reply?

Or, just give me the name(s) and full file path(s) for the suspicious file(s)?

Ransomfree files don't reside in the 'My Documents' folder.

------------------------------------------------------

Did you create these folders?

Quote:
C:\Xversion85
C:\Acsystem173
------------------------------------------------------

Are you aware you have no system restore points?

Did you disable System Restore? Can you turn it back on?

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan Now
  • Once the Scan is done, select Clean & Repair
  • When prompted, select Clean & Restart Now
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\Logs\AdwCleaner[C0#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • It also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
Posted by chemist
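The three things chemist asks about in the post above (unexpected new top-level folders, whether any System Restore points exist, and what is sitting under the Windows Defender policy key that FRST later flags with "Restriction <==== ATTENTION") can be checked read-only from PowerShell. The script below is an added example written for this thread; it is not part of the original post and is not a script from DDS, FRST, AdwCleaner or any other tool named here. The 30-day window, the system drive default and the folder names used in the comments are assumptions taken from the logs in this thread; the script changes nothing on the machine.

```powershell
# Added read-only triage helper (not from the thread or any tool named in it).
# Written to run on Windows PowerShell 2.0 (the Windows 7 default), so it avoids
# -Directory / -File switches that only exist in PowerShell 3 and later.
param(
    [int]$Days = 30,                     # assumption: same window DDS uses ("Created Last 30")
    [string]$Drive = $env:SystemDrive    # assumption: look at the system drive root only
)

$cutoff = (Get-Date).AddDays(-$Days)

# 1. Top-level folders created inside the window. Names the user did not create,
#    like C:\Xversion85 and C:\Acsystem173 in the DDS log above, show up here
#    together with how many files they actually contain.
"== Top-level folders on $Drive created since $($cutoff.ToShortDateString()) =="
Get-ChildItem -Path "$Drive\" -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.CreationTime -ge $cutoff } |
    Select-Object FullName, CreationTime, @{
        Name = 'Files'
        Expression = {
            (Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } | Measure-Object).Count
        }
    } | Format-Table -AutoSize

# 2. System Restore points. Zero results matches what the logs in this thread show
#    and means there is nothing to roll back to before any cleanup is attempted.
$restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
"== System Restore points: $($restorePoints.Count) =="
$restorePoints |
    Select-Object SequenceNumber, Description, @{
        Name = 'Created'
        Expression = { $_.ConvertToDateTime($_.CreationTime) }
    } | Format-Table -AutoSize

# 3. Windows Defender policy key. FRST reports its mere presence as a restriction;
#    the values underneath are what decide whether Defender was switched off by
#    group policy (expected on a domain machine like this one) or by something else.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
"== $policyKey =="
if (Test-Path -Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    'not present (no policy restriction)'
}
```

Run it from an elevated prompt so the restore-point query and the HKLM read succeed; on a domain-joined box like the one in this thread, compare the Defender policy values against what the administrators say they pushed, since FRST cannot tell a GPO-set value from one written by malware.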
Old 07-26-2018, 11:15 PM   #10
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu

Thank you chemist.


Quote (originally posted by chemist):
I cannot access your pic link. Can you just post the pic(s) in your next reply?

Or, just give me the name(s) and full file path(s) for the suspicious file(s)?

Ransomfree files don't reside in the 'My Documents' folder.
Attached as requested. It's the contents of the folder.

Quote:
Did you create these folders?
No

Quote:
Are you aware you have no system restore points?

Did you disable System Restore? Can you turn it back on?
Yes and no. Admin set it up that way. Don't know why though.

Also attached is the result you requested.
Attached thumbnail: 295qr83.jpg.png (38.4 KB)
Attached file: Addition.txt (39.6 KB)
Posted by blaaargh
Old 07-26-2018, 11:16 PM   #11
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21.07.2018
Ran by cong (administrator) on QUNIVERSITY03 (27-07-2018 01:38:56)
Running from C:\Users\cong\Downloads
Loaded Profiles: cong (Available Profiles: Administrator & sysad & cong)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Adobe Systems, Incorporated) C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Cybereason) C:\Program Files\Cybereason\RansomFree\CybereasonRansomFreeServiceHost.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Conexant Systems, Inc.) C:\Windows\System32\SASrv.exe
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\winvnc4.exe
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\winvnc4.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(CANON INC.) C:\Windows\System32\CNAB4RPK.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\aswidsagent.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Cybereason) C:\Program Files\Cybereason\RansomFree\CybereasonRansomFree.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe
(Conexant Systems, Inc) C:\Program Files\CONEXANT\SAII\SmartAudio.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Don HO [email protected]) C:\Program Files\Notepad++\notepad++.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SandboxieRpcSs.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieCtrl.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe [520320 2011-12-15] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [310912 2011-06-24] (Conexant Systems, Inc.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [242904 2018-07-25] (AVAST Software)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer\Run: [1] => \qpi.local\SYSVOL\QPI.LOCAL\scripts\Jpeglogon.bat
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\system: [DisableRegistryTools] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\system: [Wallpaper] \\qualfoncenter.local\CEBDesktopSvr\WALLPAPERLOGO\wallpaperoriginal.bmp
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\system: [WallpaperStyle] 2
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoDrives] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoWinKeys] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoNetHood] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoNetworkConnections] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoStartMenuNetworkPlaces] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [ForceActiveDesktopOn] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoComputersNearMe] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoWindowsUpdate] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoCommonGroups] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoRecentDocsMenu] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoSetFolders] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoFavoritesMenu] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoSMHelp] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoStartMenuMyMusic] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoRecentDocsHistory] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [Intellimenus] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoTaskGrouping] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoAutoTrayNotify] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoSMBalloonTip] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoStartMenuPinnedList] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoStartMenuMFUprogramsList] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoStartMenuMorePrograms] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [DisablePersonalDirChange] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\...\Policies\Explorer: [NoToolbarsOnTaskbar] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Canon LBP2900 Status Window.lnk [2018-05-12]
ShortcutTarget: Canon LBP2900 Status Window.lnk -> C:\Windows\System32\spool\drivers\w32x86\3\CNAB4LAK.EXE (CANON INC.)
CHR HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 172.28.2.185:8080
AutoConfigURL: [.DEFAULT] => 172.28.2.185:8080
ProxyServer: [S-1-5-21-866989730-1103564005-1629601542-9231] => https://someonequalfoncebu.com:8080
AutoConfigURL: [S-1-5-21-866989730-1103564005-1629601542-9231] => hxxp://someonequalfoncebu.com:8080
Hosts: 172.28.4.212 autodiscover.qualfon.com
Tcpip\..\Interfaces\{1E0E5EEB-BF13-4D47-A93D-74C15E7DCA97}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{A8EDE12C-0BDD-4FA1-AF91-8DB9A0F9CA4D}: [NameServer] 172.28.2.200,172.28.2.201

Internet Explorer:
==================
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-866989730-1103564005-1629601542-9231 -> DefaultScope {81EBA1D4-D34D-4EDB-A482-B48E656BCFC0} URL =
SearchScopes: HKU\S-1-5-21-866989730-1103564005-1629601542-9231 -> {81EBA1D4-D34D-4EDB-A482-B48E656BCFC0} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2017-12-07] (Microsoft Corporation)
BHO: No Name -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2012-09-23] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2018-05-15] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2012-09-23] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2012-09-23] (Adobe Systems Incorporated)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-07] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-07] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2017-08-15] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-07] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-07] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 8g9fy7dc.default
FF ProfilePath: C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\8g9fy7dc.default [2018-07-27]
FF Homepage: Mozilla\Firefox\Profiles\8g9fy7dc.default -> hxxps://hriscebu.qualfon.com/ceb/index.php
FF NetworkProxy: Mozilla\Firefox\Profiles\8g9fy7dc.default -> type", 0
FF Extension: (Disconnect) - C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\8g9fy7dc.default\Extensions\[email protected] [2017-04-04]
FF Extension: (uBlock Origin) - C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\8g9fy7dc.default\Extensions\[email protected] [2018-07-20]
FF Extension: (ColorZilla) - C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\8g9fy7dc.default\Extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}.xpi [2017-03-08]
FF Extension: (NoScript) - C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\8g9fy7dc.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-10-14] [Legacy]
FF Extension: (Web of Trust) - C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\8g9fy7dc.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}.xpi [2018-06-27]
FF SearchPlugin: C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\8g9fy7dc.default\searchplugins\duckduckgo.xml [2013-12-17]
FF ProfilePath: C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\38kdm2yf.Default User [2018-07-26]
FF Homepage: Mozilla\Firefox\Profiles\38kdm2yf.Default User -> hxxp://kissasian.ch/
FF NetworkProxy: Mozilla\Firefox\Profiles\38kdm2yf.Default User -> type", 0
FF ProfilePath: C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\ozpcf21l.Blaaargh!-1521961415158 [2018-07-26]
FF Homepage: Mozilla\Firefox\Profiles\ozpcf21l.Blaaargh!-1521961415158 -> hxxps://hriscebu.qualfon.com/ceb/login.php
FF Extension: (NoScript) - C:\Users\cong\AppData\Roaming\Mozilla\Firefox\Profiles\ozpcf21l.Blaaargh!-1521961415158\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2018-03-28]
FF Extension: (WebCompat Reporter) - C:\Program Files\Mozilla Firefox\browser\features\[email protected] [2018-07-06] [Legacy] [not signed]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-01-22] [Legacy] [not signed]
FF Plugin: @Adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_30_0_0_134.dll [2018-07-10] ()
FF Plugin: @Intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin: @Intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-12-07] (Microsoft Corporation)
FF Plugin: @microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-12-07] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-09] (Microsoft Corporation)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2012-09-23] (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-06-29] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\cong\AppData\Roaming\mozilla\plugins\npatgpc.dll [2014-04-10] (Cisco WebEx LLC)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AdobeFlashPlayerFeedbackSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerFeedbackService.exe [479744 2018-07-20] (Adobe Systems Incorporated)
R2 AGSService; C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe [1843392 2015-08-20] (Adobe Systems, Incorporated)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\aswidsagent.exe [6341888 2018-07-25] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [322464 2018-07-25] (AVAST Software)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [5096624 2017-11-22] (Microsoft Corporation)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [276248 2012-02-08] (Intel Corporation)
R2 CybereasonRansomFree; C:\Program Files\Cybereason\RansomFree\CybereasonRansomFreeServiceHost.exe [13824 2017-11-20] (Cybereason) [File not signed]
R2 Intel(R) Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [458464 2012-02-02] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4753104 2018-05-09] (Malwarebytes)
R2 SAService; C:\Windows\system32\SAsrv.exe [446592 2010-11-19] (Conexant Systems, Inc.)
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [154760 2017-06-05] (Sandboxie Holdings, LLC)
S4 Sophos Clean Service; C:\Program Files\Sophos\Clean\Clean.exe [3725376 2018-03-29] (Sophos Limited)
S4 Sophos File Scanner Service; C:\Program Files\Sophos\Sophos File Scanner\SophosFS.exe [1127936 2018-03-07] (Sophos Limited)
S4 Sophos Health Service; C:\Program Files\Sophos\Health\Health.exe [1720648 2017-12-05] (Sophos Limited)
S4 Sophos MCS Agent; C:\Program Files\Sophos\Management Communications System\Endpoint\McsAgent.exe [1314440 2018-03-14] (Sophos Limited)
S4 Sophos MCS Client; C:\Program Files\Sophos\Management Communications System\Endpoint\McsClient.exe [1723840 2018-03-14] (Sophos Limited)
S4 Sophos Safestore Service; C:\Program Files\Sophos\Safestore\Safestore32.exe [1522184 2018-05-24] (Sophos Limited)
S4 Sophos System Protection Service; C:\Program Files\Sophos\Endpoint Defense\SSPService.exe [8337984 2018-03-29] (Sophos Limited)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
R2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [1696496 2011-02-04] (RealVNC Ltd)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [167552 2018-07-25] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdriverx.sys [188352 2018-07-25] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidshx.sys [164944 2018-07-25] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswblogx.sys [284328 2018-07-25] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbunivx.sys [57976 2018-07-25] (AVAST Software)
R1 aswHdsKe; C:\Windows\System32\drivers\aswHdsKe.sys [189240 2018-07-25] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [42808 2018-07-25] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [133680 2018-07-25] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [101056 2018-07-25] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [71848 2018-07-25] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [784120 2018-07-25] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [396352 2018-07-25] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [162704 2018-07-25] (AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [310784 2018-07-25] (AVAST Software)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [393368 2017-10-18] (Symantec Corporation)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [220896 2018-07-27] (Malwarebytes)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [46080 2011-11-10] (Intel Corporation)
S3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [16472 2010-04-09] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [11104 2010-04-09] ()
S3 rimvndis; C:\Windows\System32\Drivers\rimvndis6.sys [14336 2014-06-23] (Research in Motion Limited)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [179336 2017-06-05] (Sandboxie Holdings, LLC)
R0 Sophos Endpoint Defense; C:\Windows\System32\DRIVERS\SophosED.sys [575648 2018-03-29] (Sophos Limited)
S3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [15872 2013-02-11] (Microsoft Corporation)
R3 vncmirror; C:\Windows\System32\DRIVERS\vncmirror.sys [4608 2011-02-04] (RealVNC Ltd.)
S3 DrvAgent32; \??\C:\Windows\system32\Drivers\DrvAgent32.sys [X]
S3 GPU-Z; \??\C:\Users\INACCE~1\AppData\Local\Temp\GPU-Z.sys [X] <==== ATTENTION
S3 NAVENG; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.1904.0000.105\Data\Definitions\SDSDefs\20170314.001\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.1904.0000.105\Data\Definitions\SDSDefs\20170314.001\NAVEX15.SYS [X]
S3 NPF; system32\drivers\NPF.sys [X]
S3 RimUsb; System32\Drivers\RimUsb.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-07-27 01:38 - 2018-07-27 01:39 - 000022223 _____ C:\Users\cong\Downloads\FRST.txt
2018-07-27 01:38 - 2018-07-27 01:38 - 000000000 ____D C:\FRST
2018-07-27 00:55 - 2018-07-27 00:55 - 000512999 ____N C:\Users\Aksxapa\hanging_encourage_fourteen.xlsx
2018-07-27 00:55 - 2018-07-27 00:55 - 000503361 ____N C:\Users\xalrt\experimental-newer-financing.xlsx
2018-07-27 00:55 - 2018-07-27 00:55 - 000210953 ____N C:\Users\Aksxapa\polandexplodenorthern.mdb
2018-07-27 00:55 - 2018-07-27 00:55 - 000203684 ____N C:\Users\xalrt\irrigate-twenty-criticism.mdb
2018-07-27 00:55 - 2018-07-27 00:55 - 000069944 ____N C:\Users\Aksxapa\union-run-drug.xls
2018-07-27 00:55 - 2018-07-27 00:55 - 000065076 ____N C:\Users\xalrt\identifygivinglatelygrade.xls
2018-07-27 00:55 - 2018-07-27 00:55 - 000054568 ____N C:\Users\xalrt\transferredgenerate.pem
2018-07-27 00:55 - 2018-07-27 00:55 - 000050462 ____N C:\Users\Aksxapa\cut.headquarters.discovered.pem
2018-07-27 00:55 - 2018-07-27 00:55 - 000030241 ____N C:\Users\xalrt\rush-arrow-nerves.txt
2018-07-27 00:55 - 2018-07-27 00:55 - 000029200 ____N C:\Users\Aksxapa\geniustypes.txt
2018-07-27 00:55 - 2018-07-27 00:55 - 000026480 ____N C:\Users\xalrt\maybe-cloth-vital.sql
2018-07-27 00:55 - 2018-07-27 00:55 - 000018692 ____N C:\Users\Aksxapa\convincedinnocentlovedsurplus.sql
2018-07-27 00:55 - 2018-07-27 00:55 - 000000000 __SHD C:\Users\cong\Desktop\0K, this directory is for Ransomware detection (just leave it here)
2018-07-27 00:55 - 2018-07-27 00:55 - 000000000 ___HD C:\Users\xalrt
2018-07-27 00:55 - 2018-07-27 00:55 - 000000000 ___HD C:\Users\cong\Documents\Tapplication236
2018-07-27 00:55 - 2018-07-27 00:55 - 000000000 ___HD C:\Users\cong\Documents\Aborganized215
2018-07-27 00:55 - 2018-07-27 00:55 - 000000000 ___HD C:\Users\Aksxapa
2018-07-27 00:55 - 2018-07-27 00:55 - 000000000 ____D C:\Xvalues133
2018-07-27 00:55 - 2018-07-27 00:55 - 000000000 ____D C:\Acmirror152
2018-07-27 00:52 - 2018-07-27 00:52 - 001773056 _____ (Farbar) C:\Users\cong\Downloads\FRST.exe
2018-07-25 06:07 - 2018-07-25 06:12 - 000010943 _____ C:\Users\cong\Desktop\attach.txt
2018-07-25 06:07 - 2018-07-25 06:06 - 000021858 _____ C:\Users\cong\Desktop\dds.txt
2018-07-25 05:12 - 2018-07-27 00:56 - 000220896 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-07-25 04:50 - 2018-07-25 05:01 - 000000000 ____D C:\Users\cong\AppData\Local\Google
2018-07-25 04:50 - 2018-07-25 04:55 - 000000000 ____D C:\Program Files\Google
2018-07-25 04:45 - 2018-07-27 00:58 - 000000000 ____D C:\Users\cong\AppData\Local\AVAST Software
2018-07-25 04:45 - 2018-07-25 04:45 - 000002077 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2018-07-25 04:45 - 2018-07-25 04:45 - 000000000 ____D C:\Users\cong\AppData\Roaming\AVAST Software
2018-07-25 04:45 - 2018-07-25 04:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2018-07-25 04:39 - 2018-07-25 05:29 - 000396352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-07-25 04:39 - 2018-07-25 04:39 - 001142072 _____ (Microsoft Corporation) C:\Windows\ucrtbase.dll
2018-07-25 04:39 - 2018-07-25 04:39 - 000321752 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2018-07-25 04:39 - 2018-07-25 04:39 - 000310784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-07-25 04:39 - 2018-07-25 04:39 - 000167552 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-07-25 04:39 - 2018-07-25 04:39 - 000162704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-07-25 04:39 - 2018-07-25 04:39 - 000133680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-07-25 04:39 - 2018-07-25 04:39 - 000101056 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-07-25 04:39 - 2018-07-25 04:39 - 000071848 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-07-25 04:39 - 2018-07-25 04:39 - 000042808 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-07-25 04:39 - 2018-07-25 04:39 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2018-07-25 04:39 - 2018-07-25 04:38 - 000784120 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-07-25 04:39 - 2018-07-25 04:38 - 000284328 _____ (AVAST Software) C:\Windows\system32\Drivers\aswblogx.sys
2018-07-25 04:39 - 2018-07-25 04:38 - 000189240 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHdsKe.sys
2018-07-25 04:39 - 2018-07-25 04:38 - 000188352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdriverx.sys
2018-07-25 04:39 - 2018-07-25 04:38 - 000164944 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidshx.sys
2018-07-25 04:39 - 2018-07-25 04:38 - 000057976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbunivx.sys
2018-07-25 04:34 - 2018-07-25 04:34 - 000000000 ____D C:\Program Files\AVAST Software
2018-07-25 04:33 - 2018-07-25 04:39 - 000000000 ____D C:\ProgramData\AVAST Software
2018-07-25 04:33 - 2018-07-25 04:35 - 007417040 _____ (Malwarebytes) C:\Users\cong\Downloads\adwcleaner_7.2.2.exe
2018-07-25 04:32 - 2018-07-25 04:32 - 000178320 _____ (AVAST Software) C:\Users\cong\Downloads\avast_free_antivirus_setup_online_cnet2.exe
2018-07-20 10:42 - 2018-07-20 10:42 - 000000000 ____D C:\Users\cong\AppData\Local\{5CBBDFB5-5D85-483D-AA29-B497AA6417E4}
2018-07-20 08:37 - 2018-07-20 08:37 - 000023517 _____ C:\Users\cong\AppData\Local\recently-used.xbel
2018-07-10 23:55 - 2018-06-13 13:59 - 000122560 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-07-10 23:55 - 2018-06-13 11:53 - 000554496 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-07-10 23:55 - 2018-06-08 09:05 - 002703872 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-07-10 23:55 - 2018-06-08 09:05 - 001359360 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-07-10 23:55 - 2018-06-08 09:05 - 000619520 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-07-10 23:55 - 2018-06-08 09:05 - 000517120 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-07-10 23:55 - 2018-06-08 09:05 - 000358912 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-07-10 23:55 - 2018-06-08 09:05 - 000353792 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2018-07-10 23:55 - 2018-06-08 09:05 - 000246272 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-07-10 23:55 - 2018-06-08 09:05 - 000202752 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-07-04 18:09 - 2018-07-16 18:02 - 000480888 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2018-06-28 23:58 - 2018-06-28 23:58 - 000000000 ____D C:\Users\cong\AppData\Roaming\Cybereason
2018-06-28 23:58 - 2018-06-28 23:58 - 000000000 ____D C:\ProgramData\Cybereason
2018-06-28 23:57 - 2018-06-28 23:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cybereason RansomFree
2018-06-28 23:57 - 2018-06-28 23:57 - 000000000 ____D C:\Program Files\Cybereason
2018-06-28 23:52 - 2018-06-28 23:52 - 004198400 _____ C:\Users\cong\Downloads\CybereasonRansomFree.msi
2018-06-27 02:06 - 2018-06-27 02:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-07-27 01:16 - 2018-05-11 23:57 - 000000000 ____D C:\Users\cong\AppData\LocalLow\Mozilla
2018-07-27 01:16 - 2009-07-14 00:34 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-07-27 01:16 - 2009-07-14 00:34 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-07-27 00:55 - 2013-04-13 16:29 - 000001592 _____ C:\Windows\system32\config\netlogon.ftl
2018-07-27 00:55 - 2009-07-14 00:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-07-27 00:41 - 2014-03-31 15:07 - 000000556 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2824188253-679106425-843667978-3705.job
2018-07-26 23:57 - 2009-07-13 22:37 - 000000000 ____D C:\Windows\inf
2018-07-26 07:35 - 2018-05-15 21:25 - 000000000 ____D C:\Users\cong\AppData\Roaming\Audacity
2018-07-26 07:34 - 2018-05-12 22:33 - 000000000 ____D C:\Users\cong\AppData\Roaming\Media Player Classic
2018-07-26 06:15 - 2018-05-10 06:21 - 000030846 __RSH C:\Users\cong\ntuser.pol
2018-07-26 06:15 - 2018-05-10 06:21 - 000000000 ____D C:\Users\cong
2018-07-26 00:29 - 2018-05-12 14:13 - 000000000 ____D C:\Users\cong\AppData\Roaming\vlc
2018-07-25 22:09 - 2017-05-25 11:10 - 000000000 ___RD C:\Users\cong\Downloads\#tag
2018-07-25 04:40 - 2013-12-26 19:52 - 000000000 ____D C:\Program Files\CCleaner
2018-07-20 11:00 - 2018-05-12 19:16 - 000000000 ____D C:\Users\cong\.gimp-2.8
2018-07-20 02:28 - 2017-03-14 11:29 - 000846848 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2018-07-20 02:28 - 2017-03-14 11:29 - 000175616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2018-07-20 02:28 - 2013-02-14 23:33 - 000000000 ____D C:\Windows\system32\Macromed
2018-07-18 04:37 - 2017-10-07 23:52 - 000010612 _____ C:\Windows\Sandboxie.ini
2018-07-12 04:59 - 2017-12-08 10:18 - 000129248 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae.sys
2018-07-11 00:18 - 2015-04-15 05:16 - 000000000 ____D C:\Windows\system32\appraiser
2018-07-11 00:15 - 2016-07-05 14:14 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2018-07-11 00:14 - 2009-07-13 22:04 - 000000478 _____ C:\Windows\win.ini
2018-07-10 23:34 - 2016-11-18 02:55 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-07-10 23:34 - 2015-06-30 21:29 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-07-10 23:18 - 2013-05-24 15:10 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2018-06-28 23:59 - 2016-07-29 12:40 - 000000000 ____D C:\AdwCleaner
2018-06-28 20:30 - 2018-05-10 07:01 - 000000000 ____D C:\Users\cong\Documents\Modules
2018-06-27 02:33 - 2018-06-22 04:24 - 000007640 _____ C:\Users\cong\AppData\Local\Resmon.ResmonCfg
2018-06-27 02:06 - 2017-12-08 10:18 - 000002022 _____ C:\Users\Public\Desktop\Malwarebytes.lnk

==================== Files in the root of some directories =======

2018-07-20 08:37 - 2018-07-20 08:37 - 000023517 _____ () C:\Users\cong\AppData\Local\recently-used.xbel
2018-06-22 04:24 - 2018-06-27 02:33 - 000007640 _____ () C:\Users\cong\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
2013-04-05 10:44 - 2013-04-05 10:44 - 000904104 _____ (Oracle Corporation) C:\Users\inaccessible\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
2013-04-17 23:21 - 2013-04-04 12:38 - 000120400 _____ (RealNetworks, Inc.) C:\Users\inaccessible\AppData\Local\Temp\lowproc.exe
2013-04-17 23:21 - 2013-04-04 13:04 - 000090624 _____ (RealNetworks, Inc.) C:\Users\inaccessible\AppData\Local\Temp\stubhelper.dll
2018-05-23 22:50 - 2018-03-09 09:29 - 000320408 _____ (Sophos Limited) C:\Users\qualfontech\AppData\Local\Temp\deleter.dll
2013-07-03 09:11 - 2013-07-03 09:11 - 002754072 _____ (Power Software Ltd) C:\Users\qualfontech\AppData\Local\Temp\nsyC336.tmp.exe
2013-01-25 10:09 - 2013-01-25 10:09 - 002940496 _____ () C:\Users\qualfontech\AppData\Local\Temp\safeguard.exe
2018-05-23 23:51 - 2018-03-09 09:29 - 000320408 _____ (Sophos Limited) C:\Users\sysad-mtejero\AppData\Local\Temp\deleter.dll
2007-01-01 17:22 - 2007-01-01 17:22 - 000069632 _____ () C:\Users\wesupport\AppData\Local\Temp\gtalkwmp1.dll
2014-02-21 17:49 - 2014-02-21 17:49 - 000344984 _____ (Adobe Systems Incorporated) C:\Users\wesupport.QPI\AppData\Local\Temp\AAMHelper.exe
2014-02-21 17:47 - 2013-03-21 05:25 - 002101632 _____ (Adobe Systems Incorporated) C:\Users\wesupport.QPI\AppData\Local\Temp\AdobeApplicationManager.exe
2014-04-12 21:54 - 2014-04-12 21:54 - 000004608 _____ () C:\Users\wesupport.QPI\AppData\Local\Temp\i4jdel0.exe
2014-02-24 17:52 - 2014-02-24 17:52 - 001069920 _____ (Solid State Networks) C:\Users\wesupport.QPI\AppData\Local\Temp\install_reader11_en_gtba_chra_dy_aaa_aih.exe
2013-12-19 13:06 - 2013-12-19 13:06 - 000921512 _____ (Oracle Corporation) C:\Users\wesupport.QPI\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-21 16:27

==================== End of FRST.txt ============================
Old 07-27-2018, 07:25 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Are you using a proxy server on purpose?
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 07-31-2018, 09:09 PM   #13
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu



Quote:
Originally Posted by chemist
Are you using a proxy server on purpose?
Yes.
blaaargh is offline  
Old 08-02-2018, 07:27 PM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello blaaargh. I'm not seeing anything malicious here.

Please enable System Restore. Also, uninstall Symantec Endpoint Protection if you are going to keep Avast.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

https://windows.microsoft.com/en-us/...#1TC=windows-7

Also, if you haven't done so already, create a system repair disc. It's really easy and quick.

https://pcsupport.about.com/od/windo...-windows-7.htm

------------------------------------------------------

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    ShellIconOverlayIdentifiers: [  OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
    ShellIconOverlayIdentifiers: [  OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
    ShellIconOverlayIdentifiers: [  OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
    ShellIconOverlayIdentifiers: [  OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
    ShellIconOverlayIdentifiers: [  OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
    ShellIconOverlayIdentifiers: [  OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
    ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
    ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
    ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
    ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
    ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
    ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
    ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
    AlternateDataStreams: C:\ProgramData\TEMP:8CE646EE [138]
    HKLM\...\Run: [] => [X]
    CHR HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-866989730-1103564005-1629601542-9231 -> DefaultScope {81EBA1D4-D34D-4EDB-A482-B48E656BCFC0} URL =
    SearchScopes: HKU\S-1-5-21-866989730-1103564005-1629601542-9231 -> {81EBA1D4-D34D-4EDB-A482-B48E656BCFC0} URL =
    BHO: No Name -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
    FF Plugin:   @microsoft.com/GENUINE -> disabled [No File]
    S3 GPU-Z; \??\C:\Users\INACCE~1\AppData\Local\Temp\GPU-Z.sys [X] <==== ATTENTION
    Symantec Endpoint Protection (HKLM\...\{0E251D4D-316C-4F8B-A4C5-2722000764BE}) (Version: 12.1.5337.5000 - Symantec Corporation) Hidden
    Folder: C:\Xversion85
    Folder: C:\Acsystem173
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------
chemist is offline  
Old 08-04-2018, 01:26 AM   #15
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu



Quote:
Originally Posted by chemist
Hello blaaargh. I'm not seeing anything malicious here.

Please enable System Restore. Also, uninstall Symantec Endpoint Protection if you are going to keep Avast.
I cannot enable restore for some reason. I'll check with local tech team since this is a work machine.

I do not see Symantec installed under my list of programs; in case you are referring to Sophos, I disabled it in msconfig when I installed Avast. Will this suffice or do I also need to uninstall it?


Quote:
Originally Posted by chemist
CCleaner
I do not (never) use the registry cleaner. I only use it to clear my cache and temp files. Is this alright?


Quote:
Originally Posted by chemist
fixlist.txt
I truly appreciate your help, but may I ask what this is for?


Thanks again.
blaaargh is offline  
Old 08-05-2018, 12:36 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, blaaargh. You're very welcome. It is always best to uninstall something you no longer use instead of disabling it using msconfig.

Also, you should never have more than one antivirus installed on your machine as they can sometimes conflict with each other and even slow down your machine.

Yes, it is OK to use CCleaner as long as you don't use the reg cleaning feature.

The fixlist.txt is used by FRST to clean up some remaining remnants of entries that no longer exist, and to empty all your temporary folders.

I forgot the Symantec Endpoint Protection entry was hidden so you should see it after running the FRST fix, and then be able to uninstall it.

------------------------------------------------------
chemist is offline  
Old 08-06-2018, 02:54 AM   #17
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu



Quote:
Originally Posted by chemist
I forgot the Symantec Endpoint Protection entry was hidden so you should see it after running the FRST fix, and then be able to uninstall it.
I am unable to uninstall Symantec. It's missing the Sep.msi file. Is there a way to force uninstall the program? Will this work?

Also, Sophos has been removed as recommended.
blaaargh is offline  
Old 08-06-2018, 02:55 AM   #18
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu



Fix result of Farbar Recovery Scan Tool (x86) Version: 02.08.2018
Ran by cong (06-08-2018 05:36:26) Run:1
Running from C:\Users\cong\Downloads
Loaded Profiles: cong (Available Profiles: (Administrator & sysad & cong)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
createrestorepoint:
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x86.dll -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
AlternateDataStreams: C:\ProgramData\TEMP:8CE646EE [138]
HKLM\...\Run: [] => [X]
CHR HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-866989730-1103564005-1629601542-9231 -> DefaultScope {81EBA1D4-D34D-4EDB-A482-B48E656BCFC0} URL =
SearchScopes: HKU\S-1-5-21-866989730-1103564005-1629601542-9231 -> {81EBA1D4-D34D-4EDB-A482-B48E656BCFC0} URL =
BHO: No Name -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 GPU-Z; \??\C:\Users\INACCE~1\AppData\Local\Temp\GPU-Z.sys [X] <==== ATTENTION
Symantec Endpoint Protection (HKLM\...\{0E251D4D-316C-4F8B-A4C5-2722000764BE}) (Version: 12.1.5337.5000 - Symantec Corporation) Hidden
Folder: C:\Xversion85
Folder: C:\Acsystem173
EmptyTemp:
end
*****************

Error: (0) Failed to create a restore point.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1" => removed successfully.
HKLM\Software\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2" => removed successfully.
HKLM\Software\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3" => removed successfully.
HKLM\Software\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4" => removed successfully.
HKLM\Software\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5" => removed successfully.
HKLM\Software\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6" => removed successfully.
HKLM\Software\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco1" => removed successfully.
"HKLM\Software\Classes\CLSID\{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}" => removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco2" => removed successfully.
"HKLM\Software\Classes\CLSID\{853B7E05-C47D-4985-909A-D0DC5C6D7303}" => removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AccExtIco3" => removed successfully.
"HKLM\Software\Classes\CLSID\{42D38F2E-98E9-4382-B546-E24E4D6D04BB}" => removed successfully.
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\AccExt" => removed successfully.
"HKLM\Software\Classes\CLSID\{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4}" => removed successfully.
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\PowerISO" => removed successfully.
HKLM\Software\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => not found
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\AccExt" => removed successfully.
HKLM\Software\Classes\CLSID\{2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => not found
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO" => removed successfully.
HKLM\Software\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => not found
C:\ProgramData\TEMP => ":8CE646EE" ADS removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\" => removed successfully.
"HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Policies\Google" => removed successfully.
"HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Policies\Microsoft\Internet Explorer" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => removed successfully.
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => not found
"HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully.
"HKU\S-1-5-21-866989730-1103564005-1629601542-9231\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{81EBA1D4-D34D-4EDB-A482-B48E656BCFC0}" => removed successfully.
HKLM\Software\Classes\CLSID\{81EBA1D4-D34D-4EDB-A482-B48E656BCFC0} => not found
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => removed successfully.
HKLM\Software\Classes\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => not found
HKLM\Software\MozillaPlugins\ @microsoft.com/GENUINE => not found
"HKLM\System\CurrentControlSet\Services\GPU-Z" => removed successfully.
GPU-Z => service removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0E251D4D-316C-4F8B-A4C5-2722000764BE}\\SystemComponent" => removed successfully.

========================= Folder: C:\Xversion85 ========================

not found.

====== End of Folder: ======


========================= Folder: C:\Acsystem173 ========================

not found.

====== End of Folder: ======


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 40824846 B
Java, Flash, Steam htmlcache => 1110 B
Windows/system/drivers => 762436 B
Edge => 0 B
Chrome => 0 B
Firefox => 70509494 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 65960 B
LocalService => 16384 B
NetworkService => 109056 B
gquisquisan => 25237150 B
wesupport.QPI => 64746812 B
lrabanes => 0 B
imontecillo => 1231982 B
mtejero => 0 B
jtoledo => 0 B
wesupport => 56504225 B
inaccessible => 516024459 B
powerpoint => 187272128 B
qualfontech => 53752664 B
charcoal => 4260044 B
sysad-mtejero => 54829619 B
cong => 14614824 B

RecycleBin => 0 B
EmptyTemp: => 1 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 05:38:09 ====
blaaargh is offline  
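The Symantec entry was invisible in Programs and Features because its uninstall key carried a SystemComponent value, which is the value the Fixlog above shows FRST removing ("...\Uninstall\{0E251D4D-...}\\SystemComponent => removed successfully"). The following added example (mine, not from the thread, from FRST or from Symantec) lists every uninstall entry hidden that way so an administrator can spot a product that has been hidden from the user, whether by a vendor, by policy or by malware; it assumes a PowerShell session with read access to the HKLM and HKCU uninstall keys and only reads the registry, it changes nothing.

```powershell
# Added example (not from the thread or from FRST): enumerate Programs-and-Features
# entries hidden by the SystemComponent=1 registry value. Read-only.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
)

function Get-HiddenUninstallEntry {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # SystemComponent = 1 tells Programs and Features not to show the entry;
            # entries without a DisplayName would never be shown anyway, so skip them.
            if ($p.SystemComponent -eq 1 -and $p.DisplayName) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    UninstallString = $p.UninstallString
                    Key             = $_.Name   # full registry path of the uninstall key
                }
            }
        }
    }
}

Get-HiddenUninstallEntry | Sort-Object DisplayName | Format-Table -AutoSize -Wrap
```

Expect a long list: Windows updates, runtimes and helper components legitimately set SystemComponent so they do not clutter the control panel. The useful signal is a full product (an antivirus, a remote-access tool, a browser extension host) appearing there, since that is something the user cannot see or remove through the normal dialog; the UninstallString column then tells you how the vendor expects it to be removed, which is what chemist's FRST fix restored for Symantec.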
Old 08-07-2018, 03:45 PM   #19
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, blaaargh. The Norton (Symantec) Removal Tool should work:

https://www.bleepingcomputer.com/dow...-removal-tool/

After opening the tool, choose Advanced Options > Remove Only then follow the prompts.

Let me know if it worked.

------------------------------------------------------

Please run this online scan to help look for remnants.

Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.
  • You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
  • Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
  • At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
  • When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
  • Tick the option Enable detection of potentially unwanted applications
  • Click on Advanced settings
  • Make sure that the option Clean threats automatically is unticked.
  • Ensure these options are ticked:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth technology
  • Click Scan
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Please copy/paste the contents of the log in your next reply.
  • To close ESET Online Scanner, select Do not clean then Finish
------------------------------------------------------
chemist is offline  
Old 08-08-2018, 03:27 AM   #20
Registered Member
 
Join Date: May 2013
Posts: 150
OS: Win7 SP1, Xubuntu



Symantec removed.

Eset scan did not pick up any infections or the like.
blaaargh is offline  