Fair ransomware removal assistance and guide


Magen

New Member
Thread author
Jan 14, 2021
Hi everyone, my server is infected by Fair ransomware. I need advice and a guide to remove the ransomware and recover the infected files. Thanks in advance.

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
I am Karsten and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply.
-------------------------------------------------------------------

Based on the file extension it seems your server has been encrypted by Makop ransomware. I would like to verify this assumption, though. Can you please upload an encrypted file and a ransom note to id-ransomware and tell me the result?

What operating system does your server have? I can only help with Windows infections as I am not familiar enough with Linux or Unix based malware. If it is Windows proceed with the following:

Farbar Recovery Scan Tool (FRST) Scan
  • Please download Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Double-click FRST64.exe to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop-up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach both logs in your next reply.

Magen

New Member
Thread author
Jan 14, 2021
This is FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-01-2021
Ran by Administrator (administrator) on SERVER (HP ProLiant ML10 v2) (21-01-2021 14:12:26)
Running from C:\Users\Administrator\Downloads
Loaded Profiles: Administrator
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation - Software and Firmware Products -> Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Privacy\MBVPNService.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\alg.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\DeviceDisplayObjectProvider.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\Locator.exe
(Mozilla Corporation -> Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe <6>
(Software Security System) [File not signed] C:\Program Files\Stellar Data Recovery\DR\Ekag20nt.exe
(Stellar Information Technology Private Limited -> ) C:\Program Files\Stellar Data Recovery\DR\StellarDataRecovery.exe
(TeamViewer Germany GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer Germany GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(TeamViewer Germany GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(TeamViewer Germany GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer Germany GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
Failed to access process -> csrss.exe
Failed to access process -> csrss.exe
Failed to access process -> WmiPrvSE.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [296216 2015-06-15] (Intel Corporation - Software and Firmware Products -> Intel Corporation)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Print\Monitors\rica6Hlm: C:\Windows\system32\rica6Hlm.dll [28160 2013-12-27] (RICOH CO.,Ltd.) [File not signed]
HKLM\Software\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\System32\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -> "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> C:\Windows\SysWOW64\iesetup.dll [2019-12-17] (Microsoft Windows -> Microsoft Corporation)
Lsa: [Notification Packages] scecli rassfm
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {285D5C5B-2A7B-44B0-86DA-ABAFF6BC2CD2} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1349200 2020-11-04] (Adobe Inc. -> Adobe Inc.)
Task: {52A251F0-AED1-4C43-97CF-59A1E20493B0} - System32\Tasks\{A5544286-01AF-47CF-91EA-0625C7BDB90C} => E:\TL-WN822N(EUUS)_V5_181022_Win\Setup.exe
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [152064 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [252416 2010-11-21] (Microsoft Windows -> Microsoft Corporation)
Task: {7F631D32-3578-4BE5-B024-DFBC17DEEB71} - System32\Tasks\{76FE27E3-CCD5-49E5-A8EB-52D503816D46} => E:\TL-WN822N(EUUS)_V5_181022_Win\Setup.exe
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [39424 2010-11-21] (Microsoft Windows -> Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [252416 2010-11-21] (Microsoft Windows -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.1 mssplus.mcafee.com
Tcpip\..\Interfaces\{3EFB41FA-7807-453E-ADD6-18D981BDA20E}: [NameServer] 192.168.1.8,8.8.4.4
Tcpip\..\Interfaces\{7ADEE6CB-88FE-43C4-A5E8-CA7474D9BF4C}: [DhcpNameServer] 192.168.0.1
HKLM\System\...\Parameters\PersistentRoutes: [0.0.0.0,0.0.0.0,192.168.1.1,-1]

FireFox:
========
FF DefaultProfile: hir2vgw2.default
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\hir2vgw2.default [2021-01-21]
FF Extension: (Malwarebytes Browser Guard) - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\hir2vgw2.default\Extensions\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi [2021-01-14]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2020-12-08] (Adobe Inc. -> Adobe Systems Inc.)

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]
CHR HKLM-x32\...\Chrome\Extension: [ihcjicgdanjaechkgeegckofjjedodee]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [170056 2020-11-04] (Adobe Inc. -> Adobe Inc.)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7456464 2021-01-13] (Malwarebytes Inc -> Malwarebytes)
R2 MBVpnService; C:\Program Files\Malwarebytes\Privacy\MBVpnService.exe [3313112 2021-01-13] (Malwarebytes Inc -> Malwarebytes)
S3 MBVpnTunnelService; C:\Program Files\Malwarebytes\Privacy\MBVpnTunnelService.exe [2239312 2021-01-13] (Malwarebytes Inc -> Malwarebytes)
S4 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.2023\McCHSvc.exe [408192 2020-11-23] (McAfee, LLC -> McAfee, LLC)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
S4 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [153312 2021-01-13] (Malwarebytes Corporation -> Malwarebytes)
R3 G200eH; C:\Windows\System32\DRIVERS\g200eHm.sys [240128 2012-04-12] (Microsoft Windows Hardware Compatibility Publisher -> Matrox Graphics Inc.)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-11] (Microsoft Windows -> Intel Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [220160 2021-01-14] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [197792 2021-01-14] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [77496 2021-01-14] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [127088 2021-01-14] (Malwarebytes Inc -> Malwarebytes)
R3 q57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [476472 2016-09-21] (Broadcom Corporation -> Broadcom Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-01-21 14:12 - 2021-01-21 14:13 - 000009997 _____ C:\Users\Administrator\Downloads\FRST.txt
2021-01-21 14:11 - 2021-01-21 14:13 - 000000000 ____D C:\FRST
2021-01-21 14:10 - 2021-01-21 14:10 - 002295808 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
2021-01-14 15:31 - 2021-01-14 15:31 - 000001035 _____ C:\Users\Administrator\Desktop\Stellar Data Recovery.lnk
2021-01-14 15:31 - 2021-01-14 15:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stellar Data Recovery
2021-01-14 15:31 - 2021-01-14 15:31 - 000000000 ____D C:\Program Files\Stellar Data Recovery
2021-01-14 15:13 - 2021-01-14 16:05 - 000000000 _RSHD C:\ProgramData\Key-Base
2021-01-14 15:13 - 2021-01-14 15:13 - 000000000 ____D C:\ProgramData\{F14D909D-C3DF-112B-2087-25660B0BAD7C}
2021-01-14 15:12 - 2021-01-14 15:12 - 070678912 _____ (Stellar Information Technology Pvt Ltd. ) C:\Users\Administrator\Downloads\StellarDataRecoveryProfessionalWindows.exe
2021-01-14 15:11 - 2021-01-14 15:11 - 071014536 _____ (Stellar Information Technology Pvt Ltd. ) C:\Users\Administrator\Downloads\StellarDataRecoveryProfessional.exe
2021-01-14 14:55 - 2021-01-14 14:55 - 000197792 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2021-01-14 14:55 - 2021-01-14 14:55 - 000127088 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2021-01-14 14:55 - 2021-01-14 14:55 - 000077496 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2021-01-14 14:54 - 2021-01-14 14:54 - 000220160 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2021-01-14 14:34 - 2021-01-14 14:34 - 000000000 ____D C:\Users\user6\AppData\Local\CrashDumps
2021-01-14 14:03 - 2021-01-14 14:03 - 000001885 _____ C:\Users\Administrator\Desktop\ShadowExplorer.lnk
2021-01-14 14:03 - 2021-01-14 14:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
2021-01-14 14:03 - 2021-01-14 14:03 - 000000000 ____D C:\Program Files (x86)\ShadowExplorer
2021-01-14 14:02 - 2021-01-14 14:02 - 000969845 _____ (ShadowExplorer.com ) C:\Users\Administrator\Downloads\ShadowExplorer-0.9-setup.exe
2021-01-14 00:06 - 2021-01-14 00:06 - 000000000 ____D C:\Users\user6\AppData\LocalLow\Adobe
2021-01-14 00:06 - 2021-01-14 00:06 - 000000000 ____D C:\Users\user6\AppData\Local\Adobe
2021-01-13 16:23 - 2021-01-14 14:39 - 000000000 ____D C:\Windows\pss
2021-01-13 15:47 - 2021-01-13 15:47 - 000002263 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Privacy (VPN).lnk
2021-01-13 15:47 - 2021-01-13 15:47 - 000002251 _____ C:\Users\Public\Desktop\Malwarebytes Privacy.lnk
2021-01-13 15:47 - 2021-01-13 15:47 - 000000000 ____D C:\Program Files\MBTunnel
2021-01-13 15:46 - 2021-01-13 15:46 - 000000000 ____D C:\Users\Administrator\AppData\Local\mbam
2021-01-13 15:45 - 2021-01-13 15:45 - 001258456 _____ (Malwarebytes) C:\Users\Administrator\Downloads\MBPrivacySetup-2Co.exe
2021-01-13 15:43 - 2021-01-13 15:43 - 000001960 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2021-01-13 15:43 - 2021-01-13 15:43 - 000001948 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2021-01-13 15:43 - 2021-01-13 15:42 - 000153312 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2021-01-13 15:42 - 2021-01-13 15:47 - 000000000 ____D C:\ProgramData\Malwarebytes
2021-01-13 15:41 - 2021-01-13 15:41 - 002086424 _____ (Malwarebytes) C:\Users\Administrator\Downloads\MBSetup-2Co.2Co(1).exe
2021-01-13 15:40 - 2021-01-13 15:46 - 000000000 ____D C:\Program Files\Malwarebytes
2021-01-13 15:38 - 2021-01-13 15:38 - 002086424 _____ (Malwarebytes) C:\Users\Administrator\Downloads\MBSetup-2Co.2Co.exe
2021-01-13 14:31 - 2021-01-14 14:03 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\www.shadowexplorer.com
2021-01-13 14:31 - 2021-01-13 14:31 - 000000000 ____D C:\Users\Administrator\Downloads\ShadowExplorer-0.9-portable
2021-01-13 13:48 - 2019-12-17 08:35 - 000087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2021-01-13 13:48 - 2019-12-17 08:14 - 000073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2021-01-13 13:47 - 2020-01-03 11:37 - 000709856 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2021-01-13 13:47 - 2020-01-03 11:37 - 000627424 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2021-01-13 13:47 - 2019-12-17 09:18 - 002724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2021-01-13 13:47 - 2019-12-17 09:04 - 000417280 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2021-01-13 13:47 - 2019-12-17 08:49 - 002724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2021-01-13 13:47 - 2019-12-17 08:36 - 000341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2021-01-13 13:47 - 2019-12-17 08:14 - 002132992 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2021-01-13 13:47 - 2019-12-17 08:01 - 002058752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2021-01-13 13:47 - 2019-11-15 10:32 - 000311008 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2021-01-13 13:47 - 2019-11-15 10:25 - 000385248 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2021-01-13 13:47 - 2019-11-15 10:21 - 000046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2021-01-13 13:47 - 2019-11-15 09:59 - 000034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2021-01-13 12:53 - 2021-01-13 16:03 - 000000000 ____D C:\ProgramData\Outbyte
2021-01-13 11:54 - 2019-04-16 21:15 - 000419648 _____ C:\Windows\SysWOW64\locale.nls
2021-01-13 11:54 - 2019-04-16 21:15 - 000419648 _____ C:\Windows\system32\locale.nls
2021-01-13 11:53 - 2019-02-16 14:02 - 000443904 _____ (Microsoft Corporation) C:\Windows\system32\winspool.drv
2021-01-13 11:53 - 2019-02-16 13:50 - 000321536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winspool.drv
2021-01-13 11:53 - 2018-12-08 11:08 - 000060928 _____ (Microsoft Corporation) C:\Windows\system32\ndptsp.tsp
2021-01-13 11:53 - 2018-12-08 11:08 - 000047104 _____ (Microsoft Corporation) C:\Windows\system32\kmddsp.tsp
2021-01-13 11:53 - 2018-12-08 10:56 - 000050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ndptsp.tsp
2021-01-13 11:53 - 2018-12-08 10:41 - 000038912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kmddsp.tsp
2021-01-13 11:42 - 2021-01-13 11:44 - 302567189 _____ C:\Users\Administrator\Downloads\windows6.1-kb4516065-x64_40a6dff87423268e55a909d40a310ac66386be0d.msu
2021-01-13 11:39 - 2021-01-13 11:39 - 009543846 _____ C:\Users\Administrator\Downloads\windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
2021-01-13 11:34 - 2021-01-13 11:35 - 055853327 _____ C:\Users\Administrator\Downloads\windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
2021-01-13 11:32 - 2021-01-13 12:50 - 000000000 ____D C:\Program Files\Mozilla Firefox
2021-01-13 04:53 - 2021-01-13 04:53 - 000000000 ____D C:\YOUR_FILES_ARE_ENCRYPTED
2021-01-13 04:52 - 2021-01-13 04:52 - 000001699 _____ C:\Users\user3\Downloads\readme-warning.txt
2021-01-13 04:52 - 2021-01-13 04:52 - 000001699 _____ C:\Users\user3\Desktop\readme-warning.txt
2021-01-13 04:52 - 2021-01-13 04:52 - 000001699 _____ C:\Users\user3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\readme-warning.txt
2021-01-13 04:51 - 2021-01-13 04:51 - 000001699 _____ C:\Users\user3\AppData\Local\readme-warning.txt
2021-01-13 02:40 - 2021-01-13 04:52 - 000000260 _____ C:\Users\user3\Desktop\ClearLock.ini.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 01:58 - 2021-01-13 04:37 - 000112548 _____ C:\Users\user3\AppData\Local\GDIPFONTCACHEV1.DAT.[88838EA2].[fairexchange@qq.com].fair

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-01-21 14:12 - 2018-12-18 08:51 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Mozilla
2021-01-21 14:09 - 2019-02-21 01:14 - 000000000 ____D C:\ProgramData\Mozilla
2021-01-21 10:17 - 2009-07-14 12:49 - 000031296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2021-01-21 10:17 - 2009-07-14 12:49 - 000031296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2021-01-15 15:15 - 2020-01-15 01:54 - 000000000 ____D C:\Users\Administrator\Desktop\SCAN
2021-01-15 13:48 - 2018-12-18 08:51 - 000001105 _____ C:\Users\Public\Desktop\Firefox.lnk
2021-01-14 16:13 - 2020-12-18 09:04 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\TeamViewer
2021-01-14 16:09 - 2011-03-22 00:09 - 000698230 _____ C:\Windows\system32\perfh019.dat
2021-01-14 16:09 - 2011-03-22 00:09 - 000139600 _____ C:\Windows\system32\perfc019.dat
2021-01-14 16:09 - 2011-03-22 00:02 - 000632710 _____ C:\Windows\system32\perfh01F.dat
2021-01-14 16:09 - 2011-03-22 00:02 - 000129750 _____ C:\Windows\system32\perfc01F.dat
2021-01-14 16:09 - 2011-03-21 23:50 - 000714820 _____ C:\Windows\system32\perfh015.dat
2021-01-14 16:09 - 2011-03-21 23:50 - 000145444 _____ C:\Windows\system32\perfc015.dat
2021-01-14 16:09 - 2011-03-21 23:43 - 000644964 _____ C:\Windows\system32\perfh005.dat
2021-01-14 16:09 - 2011-03-21 23:43 - 000131978 _____ C:\Windows\system32\perfc005.dat
2021-01-14 16:09 - 2011-03-21 23:37 - 000415888 _____ C:\Windows\system32\perfh012.dat
2021-01-14 16:09 - 2011-03-21 23:37 - 000112194 _____ C:\Windows\system32\perfc012.dat
2021-01-14 16:09 - 2011-03-21 23:20 - 000403826 _____ C:\Windows\system32\perfh011.dat
2021-01-14 16:09 - 2011-03-21 23:20 - 000113910 _____ C:\Windows\system32\perfc011.dat
2021-01-14 16:09 - 2011-03-21 23:14 - 000688490 _____ C:\Windows\system32\prfh0416.dat
2021-01-14 16:09 - 2011-03-21 23:14 - 000137578 _____ C:\Windows\system32\prfc0416.dat
2021-01-14 16:09 - 2011-03-21 23:08 - 000714084 _____ C:\Windows\system32\perfh010.dat
2021-01-14 16:09 - 2011-03-21 23:08 - 000137130 _____ C:\Windows\system32\perfc010.dat
2021-01-14 16:09 - 2011-03-21 22:57 - 000720478 _____ C:\Windows\system32\perfh00C.dat
2021-01-14 16:09 - 2011-03-21 22:57 - 000139442 _____ C:\Windows\system32\perfc00C.dat
2021-01-14 16:09 - 2011-03-21 22:52 - 000718564 _____ C:\Windows\system32\perfh00A.dat
2021-01-14 16:09 - 2011-03-21 22:52 - 000147700 _____ C:\Windows\system32\perfc00A.dat
2021-01-14 16:09 - 2011-03-21 22:47 - 000669268 _____ C:\Windows\system32\perfh007.dat
2021-01-14 16:09 - 2011-03-21 22:47 - 000138012 _____ C:\Windows\system32\perfc007.dat
2021-01-14 16:09 - 2009-07-14 13:10 - 009148866 _____ C:\Windows\system32\PerfStringBackup.INI
2021-01-14 16:09 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\inf
2021-01-14 14:55 - 2020-01-03 02:26 - 000000374 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2021-01-14 14:53 - 2009-07-14 13:06 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2021-01-14 12:44 - 2020-02-29 06:32 - 000000709 _____ C:\Windows\ABSSV2.INI
2021-01-14 12:44 - 2020-02-29 06:32 - 000000052 _____ C:\Windows\ABSS.INI
2021-01-14 00:06 - 2018-12-18 09:17 - 000000000 ____D C:\Users\user6\AppData\Roaming\Adobe
2021-01-13 20:12 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\rescache
2021-01-13 16:32 - 2018-12-14 21:53 - 135062968 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2021-01-13 16:11 - 2009-07-14 12:49 - 000430056 _____ C:\Windows\system32\FNTCACHE.DAT
2021-01-13 16:10 - 2018-12-18 08:51 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2021-01-13 16:05 - 2018-12-15 00:05 - 000000000 ___SD C:\Windows\system32\CompatTel
2021-01-13 16:05 - 2018-12-15 00:05 - 000000000 ____D C:\Windows\system32\appraiser
2021-01-13 16:05 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\PolicyDefinitions
2021-01-13 13:43 - 2020-12-18 09:13 - 000000000 ____D C:\ProgramData\McAfee Security Scan
2021-01-13 13:05 - 2018-12-14 21:53 - 000000000 ____D C:\Windows\system32\MRT
2021-01-13 12:34 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\SysWOW64\Dism
2021-01-13 12:34 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\system32\Dism
2021-01-13 04:52 - 2020-01-31 04:03 - 000000000 ____D C:\Users\user3\AppData\Roaming\AnyDesk
2021-01-13 04:52 - 2019-04-02 03:33 - 000061460 _____ C:\Users\user3\Downloads\maternal mortality copy copy copy(1).pptx.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-04-02 03:32 - 000061444 _____ C:\Users\user3\Downloads\maternal mortality copy copy copy.pptx.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-29 03:17 - 000024260 _____ C:\Users\user3\Desktop\EA_Pin2017_1(1).xlsx.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-29 03:15 - 000024260 _____ C:\Users\user3\Downloads\EA_Pin2017_1(1).xlsx.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-29 03:04 - 000331972 _____ C:\Users\user3\Downloads\Borang_E_2018_1.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-29 03:04 - 000058868 _____ C:\Users\user3\Downloads\FormatCP8D_2018_1.xlsx.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-28 05:38 - 000168404 _____ C:\Users\user3\Downloads\Your itinerary for LakshminarayananAj Mr departing on 15APR2019 for KUALA LUMPUR - SINGAPORE - Locator RE5C2R.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-28 05:34 - 007025188 _____ C:\Users\user3\Downloads\final.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-28 05:32 - 000625300 _____ C:\Users\user3\Downloads\Iklan Kenaikan Pangkat Pegawai Optometri Gred U41 ke U44.compressed.compressed.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-27 00:54 - 000682052 _____ C:\Users\user3\Downloads\BSP.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-27 00:54 - 000682052 _____ C:\Users\user3\Downloads\BSP(1).pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-21 03:37 - 000003796 _____ C:\Users\user3\Downloads\invite(2).ics.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-16 07:41 - 000212836 _____ C:\Users\user3\Downloads\Closing Stock -Paris Gallery2017.PDF.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-16 05:49 - 000017924 _____ C:\Users\user3\Downloads\Meeting with En. Fadilam (Bank Rakyat).eml.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-16 05:46 - 000003700 _____ C:\Users\user3\Downloads\invite(1).ics.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-16 01:05 - 000003684 _____ C:\Users\user3\Downloads\invite.ics.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-13 08:06 - 000085284 _____ C:\Users\user3\Downloads\Staff - 2018.xlsx.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-06 05:17 - 000003732 _____ C:\Users\user3\Desktop\Standard Balance Sheet.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-06 05:17 - 000003636 _____ C:\Users\user3\Desktop\Income Statement [Accrual].pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-06 05:03 - 000755700 _____ C:\Users\user3\Desktop\General Ledger [Detail].pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-05 06:17 - 000452788 _____ C:\Users\user3\Downloads\shanti.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-02 09:11 - 000094100 _____ C:\Users\user3\Downloads\document(1).pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-03-02 09:06 - 000094100 _____ C:\Users\user3\Downloads\document.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-26 07:15 - 001451956 _____ C:\Users\user3\Downloads\DOC-20190221-WA0077.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-24 05:38 - 182545796 _____ C:\Users\user3\Downloads\MYOB MY Premier V18.2 18072016.zip.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-23 02:51 - 003252372 _____ C:\Users\user3\Downloads\DOC-20190221-WA0076.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-22 06:20 - 000968276 _____ C:\Users\user3\Downloads\VARSHA TECHNOLOGIES_CLEARANCE & RESIGNATION LETTER.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-22 01:46 - 027918580 _____ C:\Users\user3\Desktop\LifeStyle Accessories Sdn B.myo.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-14 03:27 - 000024244 _____ C:\Users\user3\Downloads\EA_Pin2017_1.xlsx.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-13 01:39 - 000292580 _____ C:\Users\user3\Downloads\REPORT VISMARIN 2018.xls.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-12 03:22 - 001114356 _____ C:\Users\user3\Downloads\Best Global Management Sdn.myo.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-12 02:16 - 000062676 _____ C:\Users\user3\Downloads\Sample Payroll.xls.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-09 01:56 - 000560164 _____ C:\Users\user3\Downloads\SHANTI KA.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-08 09:04 - 000662964 _____ C:\Users\user3\Downloads\20190107161240649.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-08 09:04 - 000137396 _____ C:\Users\user3\Downloads\20190129163009323.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-08 09:03 - 000443364 _____ C:\Users\user3\Downloads\60790017_26200016795_233274914_25122018.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-08 09:02 - 000731892 _____ C:\Users\user3\Downloads\20190201122043270.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-08 08:33 - 000368324 _____ C:\Users\user3\Downloads\BGM2.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-08 08:32 - 000381876 _____ C:\Users\user3\Downloads\BGM1.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-02-08 08:08 - 004819492 _____ C:\Users\user3\Downloads\20190107180811120.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-01-04 02:23 - 000491428 _____ C:\Users\user3\Downloads\img110(1).pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2019-01-04 02:19 - 000491412 _____ C:\Users\user3\Downloads\img110.pdf.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:19 - 000001092 _____ C:\Users\user3\Desktop\Myobp 18 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:18 - 000001092 _____ C:\Users\user3\Desktop\Myobp 16 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:18 - 000001092 _____ C:\Users\user3\Desktop\Myobp 15 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:17 - 000001124 _____ C:\Users\user3\Desktop\Myob 24 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:17 - 000001092 _____ C:\Users\user3\Desktop\Myobp 12 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:16 - 000001188 _____ C:\Users\user3\Desktop\ABSSPrem 20 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:16 - 000001124 _____ C:\Users\user3\Desktop\Myob 23 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:16 - 000001124 _____ C:\Users\user3\Desktop\Myob 21 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-19 06:15 - 000001220 _____ C:\Users\user3\Desktop\ABSSAcct 25 - Shortcut.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:52 - 2018-12-18 08:44 - 000000000 ____D C:\Users\user3\WINDOWS
2021-01-13 04:52 - 2018-12-14 18:57 - 000001652 _____ C:\Users\user3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk.[88838EA2].[fairexchange@qq.com].fair
2021-01-13 04:37 - 2018-12-14 19:02 - 002045204 ____H C:\Users\user3\AppData\Local\IconCache.db.[88838EA2].[fairexchange@qq.com].fair
2021-01-12 17:01 - 2019-03-29 03:58 - 000000000 ____D C:\Users\user4\AppData\Local\Adobe
2021-01-09 15:12 - 2020-01-15 02:02 - 000000218 _____ C:\Windows\system32\ricdb.ini
2021-01-09 14:32 - 2020-02-07 11:26 - 000000000 ____D C:\Program Files\Microsoft Office
2021-01-09 14:32 - 2009-07-14 11:20 - 000000000 ____D C:\Program Files\Common Files\Microsoft Shared
2020-12-30 07:00 - 2020-02-22 08:15 - 000000687 _____ C:\Windows\MYOBP.INI
2020-12-30 07:00 - 2020-02-22 08:15 - 000000042 _____ C:\Windows\MYOB.INI
2020-12-28 05:22 - 2018-12-14 18:29 - 000112320 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2021-01-12 00:27
==================== End of FRST.txt ========================
 

Magen

New Member
Thread author
Jan 14, 2021
6
This is Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-01-2021
Ran by Administrator (21-01-2021 14:16:34)
Running from C:\Users\Administrator\Downloads
Windows Server 2008 R2 Standard Service Pack 1 (X64) (2018-12-14 10:27:33)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-260889861-3864831314-4044543904-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-260889861-3864831314-4044543904-501 - Limited - Enabled)
Shri (S-1-5-21-260889861-3864831314-4044543904-1010 - Limited - Enabled)
user2 (S-1-5-21-260889861-3864831314-4044543904-1002 - Limited - Enabled) => C:\Users\user2
user3 (S-1-5-21-260889861-3864831314-4044543904-1003 - Limited - Enabled) => C:\Users\user3
user4 (S-1-5-21-260889861-3864831314-4044543904-1004 - Limited - Enabled) => C:\Users\user4
user5 (S-1-5-21-260889861-3864831314-4044543904-1005 - Limited - Enabled) => C:\Users\user5
user6 (S-1-5-21-260889861-3864831314-4044543904-1006 - Limited - Enabled) => C:\Users\user6
user7 (S-1-5-21-260889861-3864831314-4044543904-1008 - Limited - Enabled)
Vijaya (S-1-5-21-260889861-3864831314-4044543904-1014 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ABSS Accounting v28.3 MY (HKLM-x32\...\{316DBE20-21BC-413C-8588-75DA4F4F9542}) (Version: 28.3.0 - ABSS Pte Ltd)
ABSS ODBC Direct v17.3 MY (HKLM-x32\...\{B9691A8F-615C-4BFC-81E9-5302B3B1322B}) (Version: 17.3.2 - ABSS Pte Ltd)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 20.013.20074 - Adobe Systems Incorporated)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 4.0.0.36 - Intel Corporation)
Malwarebytes Privacy version 2.3.0.462 (HKLM\...\{934873BE-C9BC-4F19-B698-9B3E3F8FF07F}_is1) (Version: 2.3.0.462 - Malwarebytes)
Malwarebytes Privacy VPN Tunnel Driver (HKLM\...\{A71C349D-07BD-42B2-BEA7-4DAE84B5E3BA}) (Version: 1.0.0.0 - Malwarebytes)
Malwarebytes version 4.3.0.98 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.3.0.98 - Malwarebytes)
Matrox Graphics Software (remove only) (HKLM-x32\...\Matrox Graphics Uninstaller) (Version: - )
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.2023.1 - McAfee, LLC)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170) (HKLM-x32\...\{41785C66-90F2-40CE-8CB5-1C94BFC97280}) (Version: 3.5.30730.0 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-260889861-3864831314-4044543904-500\...\OneDriveSetup.exe) (Version: 20.201.1005.0009 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 84.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 84.0.2 (x64 en-US)) (Version: 84.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 64.0 - Mozilla)
MYOB ODBC Direct v10 MY (HKLM-x32\...\{A4EEF4D9-28BA-4187-8C16-725297D27D2C}) (Version: 10.0.1 - MYOB Technology Pty Ltd) Hidden
MYOB ODBC Direct v10 MY (HKLM-x32\...\InstallShield_{A4EEF4D9-28BA-4187-8C16-725297D27D2C}) (Version: 10.0.1 - MYOB Technology Pty Ltd)
MYOB Premier v16 (HKLM-x32\...\{FA7AB90D-9370-4A57-8A48-928EFCD638C2}) (Version: 16 - MYOB Asia Sdn Bhd) Hidden
MYOB Premier v16 (HKLM-x32\...\InstallShield_{FA7AB90D-9370-4A57-8A48-928EFCD638C2}) (Version: 16 - MYOB Asia Sdn Bhd)
ShadowExplorer 0.9 (HKLM-x32\...\ShadowExplorer_is1) (Version: 0.9.462.0 - ShadowExplorer.com)
SQL Financial Accounting (version 4.2015.773.728) (HKLM-x32\...\SQL Financial Accounting_is1) (Version: 4.2015.773.728 - E Stream Software Sdn Bhd)
Stellar Data Recovery (HKLM\...\Stellar Data Recovery_is1) (Version: 9.0.0.3 - Stellar Information Technology Pvt Ltd.)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.259046 - TeamViewer)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-01-13] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2021-01-13] (Malwarebytes Corporation -> Malwarebytes)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]

==================== Loaded Modules (Whitelisted) =============

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBVpnService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBVpnService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Version 11) (Whitelisted) ==========

HKU\S-1-5-21-260889861-3864831314-4044543904-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 10:34 - 2020-12-18 09:14 - 000000871 _____ C:\Windows\system32\drivers\etc\hosts
0.0.0.1 mssplus.mcafee.com

2020-01-03 02:26 - 2021-01-14 14:55 - 000000374 _____ C:\Windows\system32\drivers\etc\hosts.ics

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-260889861-3864831314-4044543904-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: McComponentHostService => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: sesvc => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\Windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
MSCONFIG\startupreg: MtxHotPlugService => C:\Windows\system32\MtxHotPlugService.exe v

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) C:\Windows\system32\sppsvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) C:\Windows\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) C:\Windows\system32\scshost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) C:\Windows\system32\scshost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{C53058AE-5457-4EC5-B245-5A9EF5CF3106}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{66DD2F15-BECA-42C0-A275-D363EB87395E}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{9F77E3E7-136F-4A87-8B33-F81F95F5F77A}] => (Allow) C:\Users\Administrator\Downloads\AnyDesk.exe (philandro Software GmbH -> philandro Software GmbH)
FirewallRules: [{EFB42664-A5C7-465A-A489-84D6CE2FB2C0}] => (Allow) C:\Users\Administrator\Downloads\AnyDesk.exe (philandro Software GmbH -> philandro Software GmbH)
FirewallRules: [{6A2BB9BE-1F74-4374-BA37-F9D2326C541D}] => (Allow) C:\Users\Administrator\Downloads\AnyDesk.exe (philandro Software GmbH -> philandro Software GmbH)
FirewallRules: [{6AB4CEA0-67D6-4E2C-8300-857FE2C85544}] => (Allow) C:\Users\Administrator\Downloads\AnyDesk.exe (philandro Software GmbH -> philandro Software GmbH)
FirewallRules: [{E1B0A2C6-538B-476A-89C1-1742A9477227}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => No File
FirewallRules: [{0D3EE379-A3AA-4AE7-926A-B55A367978EC}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => No File
FirewallRules: [{2CD508AB-46A7-4FCD-AC3D-EE46AFB69592}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer GmbH)
FirewallRules: [{5F9743A6-105F-44BF-9CED-E9FF4AC7E2CB}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer GmbH)
FirewallRules: [{47650D8B-3808-495F-87B8-3F7A2C0C13F5}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer GmbH)
FirewallRules: [{DAA04305-E5D1-4F54-BDD8-38A2D4FB909E}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer GmbH)
FirewallRules: [{68C22691-02EF-4840-8224-DF1750939FFC}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => No File
FirewallRules: [{5C40704D-9C75-4E30-ADD9-ABBBBF8E946D}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => No File
FirewallRules: [{8A61FF05-755B-4FA0-B50B-613CC280CCDD}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => No File
FirewallRules: [{CB3A41A2-15C4-4048-A7EB-19188F796C30}] => (Allow) C:\Program Files (x86)\AnyDesk\AnyDesk.exe => No File

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:931.41 GB) (Free:384.34 GB) (41%)
Check "VSS" service


==================== Faulty Device Manager Devices ============

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: ========================

Application errors:
==================
Error: (01/14/2021 02:55:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/14/2021 02:45:06 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/14/2021 02:34:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamtray.exe, version: 4.0.0.865, time stamp: 0x5fc55b58
Faulting module name: Qt5Core.dll, version: 5.14.1.0, time stamp: 0x5f84e8d4
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process id: 0xfc4
Faulting application start time: 0x01d6e9c46065f1db
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 85b125b0-5632-11eb-a11d-5065f37a77f1

Error: (01/14/2021 09:29:33 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (01/14/2021 04:04:20 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (01/13/2021 04:12:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/13/2021 12:41:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/13/2021 01:58:29 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]


System errors:
=============
Error: (01/14/2021 04:06:38 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (01/14/2021 04:06:37 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (01/14/2021 04:06:37 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (01/14/2021 04:06:36 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (01/14/2021 02:45:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (01/14/2021 02:45:21 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (01/14/2021 02:45:21 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (01/14/2021 02:45:13 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.


==================== Memory info ===========================

BIOS: HP J10 02/02/2015
Processor: Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
Percentage of memory in use: 39%
Total physical RAM: 12253.49 MB
Available physical RAM: 7440.92 MB
Total Virtual: 24505.13 MB
Available Virtual: 20047.25 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.41 GB) (Free:384.35 GB) NTFS
Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (New Volume) (Fixed) (Total:931.41 GB) (Free:536.22 GB) NTFS
Drive g: (Seagate Expansion Drive) (Fixed) (Total:931.51 GB) (Free:558.03 GB) NTFS
Drive z: (New Volume) (Network) (Total:931.41 GB) (Free:536.22 GB) NTFS

\\?\Volume{22e32ceb-ff89-11e8-bceb-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: E7AF9C92)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

==========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: F8C1F8C1)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

==========================================================
Disk: 2 (Size: 931.5 GB) (Disk ID: 90E1F4E8)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt =======================
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Unfortunately there is no way to decrypt your files.
These are your options if you have no backup:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software.
2) Wait: Backup encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets its hands on the keys or the criminals publish the keys as it happened with, e.g., GandCrab. I suggest reading the news on this. Emsisoft will update their decrypter if that happens.
3) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

I see you tried recovery already. Currently there is nothing else we can do to get your files back.

-----------------------------------

Your system has several Antivirus programs installed, that are still actively running in the background.

Having more than one Antivirus product on your system will weaken security and slow down your system. AVs need to deeply ingrain into the system in order to fight malware. This and the fact that they carry malware patterns with them for malware detection makes them look like malware for other AV software. Different AVs may recognize each other as malicious and using them at the same time may have unforeseen consequences.

For that reason I want you to decide on one AV product that you will keep. I found these AVs on your system:
  1. McAfee
  2. Malwarebytes
  3. and always inbuilt: Windows Defender

Please tell me which one of these you want to keep or enable as your AV.
 
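The first recovery option above depends on whether any shadow volume copies survived, and the Addition.txt log posted earlier reports System Restore disabled plus VSS event 13 (0x80070005, access denied). As an added, illustrative example (not code from the thread, the moderator, or any tool mentioned here), the PowerShell below checks the state of the Volume Shadow Copy service and lists any remaining shadow copies so that a defender knows whether ShadowExplorer or vssadmin has anything to work with before spending time on it. It assumes PowerShell 2.0 on Windows Server 2008 R2 (hence Get-WmiObject rather than Get-CimInstance) and an elevated prompt; the function name Get-ShadowCopyStatus is the example's own.

```powershell
# Added example (not from the thread): triage whether shadow-copy recovery is
# still possible on the affected host. Assumes PowerShell 2.0 on Windows
# Server 2008 R2, so WMI is queried with Get-WmiObject, not Get-CimInstance.
# Run from an elevated prompt; the function name is the example author's own.

function Get-ShadowCopyStatus {
    # Service state first: the Addition.txt log reports System Restore disabled
    # and VSS event 13 (0x80070005, access denied), both of which block VSS.
    $svc = Get-WmiObject Win32_Service -Filter "Name='VSS'"
    if ($svc -eq $null) {
        Write-Warning "VSS service not registered on this host"
        return @()
    }
    Write-Host ("VSS service: State={0} StartMode={1}" -f $svc.State, $svc.StartMode)

    # Map volume GUID paths (\\?\Volume{...}\) to drive letters so the output is
    # readable. A lookup table avoids WQL backslash escaping that a -Filter on
    # DeviceID would need.
    $letters = @{}
    foreach ($v in Get-WmiObject Win32_Volume) {
        if ($v.DriveLetter) { $letters[$v.DeviceID] = $v.DriveLetter }
    }

    # One entry per surviving shadow copy, oldest first (DMTF timestamps sort
    # chronologically as strings). An empty list means ShadowExplorer or
    # vssadmin have nothing to restore from.
    $result = @()
    foreach ($s in Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate) {
        $result += New-Object PSObject -Property @{
            Created = $s.ConvertToDateTime($s.InstallDate)
            Volume  = $letters[$s.VolumeName]
            Device  = $s.DeviceObject
            Id      = $s.ID
        }
    }
    return $result
}

$copies = @(Get-ShadowCopyStatus)
if ($copies.Count -eq 0) {
    Write-Host "No shadow copies present; shadow-copy recovery is not an option."
} else {
    $copies | Format-Table Created, Volume, Device -AutoSize
}

# Cross-check with the built-in tool; its output is what most recovery guides quote.
vssadmin list shadows
```

If the service shows State=Stopped with StartMode=Disabled, that matches the VSS errors in the log and is worth recording in the incident notes before anything is changed; re-enabling the service will not bring back copies that were already deleted, it only makes future snapshots possible.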

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Are you still with me? If you don't reply within 3 days, I will close this thread so I can continue to help others.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Step 1: Farbar Service Scanner Scan
  • Please download Farbar Service Scanner
  • Double-click FSS.exe
  • Click Yes to the disclaimer
  • Place a checkmark on the following entries:
    • System Restore
    • Security Center/Action Center/Action
  • Click on the Scan button and wait for it to finish
  • A log FSS.txt will open in notepad. Copy the contents to your next reply.
Step 2: Farbar Recovery Scan Tool (FRST) Search
  • Double click Frst64.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste or Type the following line into the Search: box.
    McAfee
  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please post it in your next reply.

Step 3: Answer Questions

I noticed that there are several remote access tools on your system, namely AnyDesk and TeamViewer.
Are they there with your consent?

Can you please confirm if these are all users that you recognize and allow to be on your server?
  • Shri
  • user2
  • user3
  • user4
  • user5
  • user6
  • user7
  • Vijaya
 