.mpal virus


mohammad mahdi

New Member
Thread author
May 3, 2020
15
Hello
I have a .mpal virus
I cleared my files with two antivirus software
But from time to time, the Windows 10 antivirus sends a message identifying trojans
With the same conditions, I used the decrypt_STOPDjvu software and received this message: this ID appears to be an online ID, decryption is impossible
I have two questions:
1- With these conditions, is there still a possibility of decrypting the files by trying to remove the virus again with other software and then trying to decrypt it?
2- I have two restore points, which are for some time now
But when I use them, I finally get the message:
system restore failed while restoring directory from the restore point
error code: 0x800705aa

Is this also due to a virus?
What should I do now?
I can also reinstall Windows


I'm not good at English
I got help from Google Translate
 

Attachments

  • Screenshot (419).png

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section at the bottom of the topic, click Attach Files.
Navigate to the location of the File.
Click the file. It will appear in the reply section.
Click the Post Reply button.

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions

===

There is nothing we can do to restore your files.
Post the logs from running the Farbar program.
I will review them and suggest some remedial action.
 

mohammad mahdi

New Member
Thread author
May 3, 2020
15
frst👇

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-05-2020
Ran by gholamreza (administrator) on KHANE (ASUS All Series) (03-05-2020 18:58:05)
Running from F:\mohammadmahdi
Loaded Profiles: gholamreza (Available Profiles: gholamreza)
Platform: Windows 10 Pro Version 1903 18362.418 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() [File not signed] C:\Windows.old\Users\gholamreza\AppData\Roaming\Kerio Maker\SmartConnection.exe
(Adobe Inc. -> Adobe Inc) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\IPCBox\AdobeIPCBroker.exe
(Adobe Inc. -> Adobe Systems Incorporated) C:\Program Files\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe
(Adobe Systems, Incorporated -> Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(Arvato Digital Services Canada Inc -> arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Arvato Digital Services Canada Inc -> arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(ASUSTeK Computer Inc. -> ) C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
(Eitaa Messenger) [File not signed] E:\Users\gholamreza\AppData\Roaming\Eitaa Desktop\Eitaa.exe
(Enigma Software Group USA, LLC -> Enigma Software Group USA, LLC.) [File not signed] E:\Program Files (x86)\SpyHunter Malware Security Suite\SpyHunter4.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
(iGram Messenger LLP) [File not signed] G:\Users\gholamreza\AppData\Roaming\iGram Desktop\iGram.exe
(Leosoft EOOD -> ) C:\Program Files (x86)\Eye Saver\Eye Saver.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Users\gholamreza\AppData\Local\Microsoft\OneDrive\OneDrive.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <3>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\SecurityHealthHost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1911.3-0\MsMpEng.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1911.3-0\NisSrv.exe
(Mozilla Corporation -> Mozilla Corporation) E:\Program Files\Mozilla Firefox\firefox.exe <7>
(Node.js Foundation -> Node.js) C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe <2>
(Open Source Developer, Robin Krom -> Greenshot) E:\Program Files\Greenshot\Greenshot.exe
(philandro Software GmbH -> philandro Software GmbH) C:\Program Files (x86)\AnyDesk\AnyDesk.exe
(QuestSoft) [File not signed] E:\Program Files (x86)\QTranslate\QTranslate.exe
(Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Tonec Inc. -> Tonec Inc.) [File not signed] E:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Tonec Inc. -> Tonec Inc.) E:\Program Files (x86)\Internet Download Manager\IEMonitor.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8465112 2015-04-14] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [509936 2018-04-11] (Adobe Systems Incorporated -> Adobe Systems Incorporated)
HKLM\...\Run: [Greenshot] => e:\Program Files\Greenshot\Greenshot.exe [527792 2017-08-09] (Open Source Developer, Robin Krom -> Greenshot)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-12-03] (Adobe Systems, Incorporated -> Adobe Systems Incorporated)
HKU\S-1-5-21-821111126-3065462664-3862307524-1001\...\Run: [IDMan] => E:\Program Files (x86)\Internet Download Manager\IDMan.exe [4172656 2020-02-15] (Tonec Inc. -> Tonec Inc.) [File not signed]
HKU\S-1-5-21-821111126-3065462664-3862307524-1001\...\Run: [CCXProcess] => C:\Program Files\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe [597640 2020-02-07] (Adobe Inc. -> Adobe Systems Incorporated)
HKU\S-1-5-21-821111126-3065462664-3862307524-1001\...\Run: [Eye Saver] => C:\Program Files (x86)\Eye Saver\Eye Saver.exe [1675576 2018-02-20] (Leosoft EOOD -> )
HKU\S-1-5-21-821111126-3065462664-3862307524-1001\...\RunOnce: [Application Restart #2] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --window-position=0,-5000 --user-data-dir="C:\Users\GHOLAM~1\AppData\Local\Temp\1588404207486" --flag-switches-begin --flag-switches-end -- (the data entry has 91 more characters). <==== ATTENTION
HKU\S-1-5-21-821111126-3065462664-3862307524-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Bubbles.scr [807936 2019-03-19] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\81.0.4044.129\Installer\chrmstp.exe [2020-04-30] (Google LLC -> Google LLC)
Lsa: [Authentication Packages] msv1_0 SshdPinAuthLsa
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {01FDF992-7F2F-47E1-81C1-2EF5BC2D731A} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\SystemInfo => C:\Users\gholamreza\AppData\Roaming\\systemdiag\\sysinfo.exe <==== ATTENTION
Task: {07CDE8EC-4C07-4847-8B60-975ED2EBD885} - \Time Trigger Task -> No File <==== ATTENTION
Task: {15BC5E92-B804-427F-ACD7-45A4FBF7B1A3} - System32\Tasks\CorelUpdateHelperTaskCore => C:\Program Files (x86)\Corel\CUH\v2\CUH.exe [1660664 2018-08-31] (Corel Corporation -> Corel Corporation)
Task: {1FC36977-D1FF-431A-B6C2-76CC3EB82740} - System32\Tasks\CorelUpdateHelperTask-2033224D593C34F06555ED3BCCFAEF13 => C:\Program Files (x86)\Corel\CUH\v2\CUH.exe [1660664 2018-08-31] (Corel Corporation -> Corel Corporation)
Task: {280ACBAD-4C3D-4225-9D61-55CFCD5CFE74} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpCmdRun.exe [469648 2020-02-11] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {2D119E93-69F4-4225-A337-5C17789BDFC5} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-03-01] (Google LLC -> Google LLC)
Task: {56C0008A-CEF7-4B97-9A45-AAAB6327815B} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe
Task: {791FA301-028E-460F-ABA1-39173B92F2C6} - System32\Tasks\Microsoft Office 15 Sync Maintenance for KHANE-gholamreza khane => E:\Program Files\Microsoft Office\Office15\MsoSync.exe [470720 2014-01-24] (Microsoft Corporation -> Microsoft Corporation)
Task: {8B618D69-464B-4ED5-8771-68D4DD9CF5F5} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe
Task: {98439FB5-E676-4DC7-A87C-0BDE176F3D6E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpCmdRun.exe [469648 2020-02-11] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {AE5BCCCB-1763-45EA-AEC1-A1FED9CA4685} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-03-01] (Google LLC -> Google LLC)
Task: {BAD3267A-102D-4E85-B7B1-DF7DF5D843F1} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [1626328 2014-01-24] (Microsoft Corporation -> Microsoft Corporation)
Task: {CCC9A90C-C635-48C2-85E3-49E6E533B021} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpCmdRun.exe [469648 2020-02-11] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {D7929EE3-6C4D-4FBD-8B6E-6F67642844DF} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpCmdRun.exe [469648 2020-02-11] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {DAA9103E-FD91-4BA3-A5CA-AC482805EE2D} - \Opera scheduled Autoupdate 711520318 -> No File <==== ATTENTION
Task: {DC927738-5F90-43D7-A0B0-9B2F23DF25C4} - System32\Tasks\Mozilla\Firefox Default Browser Agent BD98F1778D21A581 => E:\Program Files\Mozilla Firefox\default-browser-agent.exe [126152 2020-04-07] (Mozilla Corporation -> Mozilla Foundation)
Task: {FCD185D1-F6EF-4ACF-A001-F5B6C607106A} - System32\Tasks\NCH Software\ScribeSevenDays => C:\Program Files (x86)\NCH Software\Scribe\Scribe.exe [1985144 2020-04-16] (NCH Software, Inc. -> NCH Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 5.200.200.200 217.218.127.127
Tcpip\..\Interfaces\{2d1b8acf-3380-445b-b889-379ab24817b2}: [DhcpNameServer] 5.200.200.200 217.218.127.127
Tcpip\..\Interfaces\{57ada970-c1f9-44a4-bbc0-2a88748601ed}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{5902d2ff-1ea3-45ff-b8a9-ae1484bfba36}: [DhcpNameServer] 192.168.42.129

Internet Explorer:
==================
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> E:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2020-01-21] (Tonec Inc. -> Internet Download Manager, Tonec Inc.)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> E:\Program Files\Microsoft Office\Office15\OCHelper.dll [2014-01-24] (Microsoft Corporation -> Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> E:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2014-01-24] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> E:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2020-01-21] (Tonec Inc. -> Internet Download Manager, Tonec Inc.)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2014-01-22] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2014-01-22] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - E:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2014-01-24] (Microsoft Corporation -> Microsoft Corporation)

FireFox:
========
FF DefaultProfile: ne2naia7.default
FF ProfilePath: C:\Users\gholamreza\AppData\Roaming\Mozilla\Firefox\Profiles\ne2naia7.default [2020-05-02]
FF ProfilePath: C:\Users\gholamreza\AppData\Roaming\Mozilla\Firefox\Profiles\nrf4o8z2.default-release [2020-05-03]
FF Notifications: Mozilla\Firefox\Profiles\nrf4o8z2.default-release -> hxxps://web.rubika.ir; hxxps://shadweb.iranlms.ir; hxxps://malwaretips.com
FF HomepageOverride: Mozilla\Firefox\Profiles\nrf4o8z2.default-release -> Disabled: {84c1d4fc-641f-4910-800b-b538d6f7273c}
FF NewTabOverride: Mozilla\Firefox\Profiles\nrf4o8z2.default-release -> Disabled: {84c1d4fc-641f-4910-800b-b538d6f7273c}
FF Extension: (Quick translator) - C:\Users\gholamreza\AppData\Roaming\Mozilla\Firefox\Profiles\nrf4o8z2.default-release\Extensions\da486ed70ee0a721c84734f9aa89c74d964dbaad@temporary-addon.xpi [2020-04-28]
FF Extension: (To Google Translate) - C:\Users\gholamreza\AppData\Roaming\Mozilla\Firefox\Profiles\nrf4o8z2.default-release\Extensions\jid1-93WyvpgvxzGATw@jetpack.xpi [2020-04-06]
FF Extension: (Linkirani) - C:\Users\gholamreza\AppData\Roaming\Mozilla\Firefox\Profiles\nrf4o8z2.default-release\Extensions\{5e271142-7617-4193-a644-7434a28f5fd0}.xpi [2020-03-27]
FF Extension: (Free PDF Master) - C:\Users\gholamreza\AppData\Roaming\Mozilla\Firefox\Profiles\nrf4o8z2.default-release\Extensions\{84c1d4fc-641f-4910-800b-b538d6f7273c}.xpi [2020-02-09]
FF Extension: (Greasemonkey) - C:\Users\gholamreza\AppData\Roaming\Mozilla\Firefox\Profiles\nrf4o8z2.default-release\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2020-03-18]
FF HKU\S-1-5-21-821111126-3065462664-3862307524-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\gholamreza\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\gholamreza\AppData\Roaming\IDM\idmmzcc5 [2020-02-23] [Legacy] [not signed]
FF HKU\S-1-5-21-821111126-3065462664-3862307524-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - E:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - E:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2017-12-21] [Legacy]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> E:\Program Files\Microsoft Office\Office15\NPSPWRAP.DLL [2014-01-24] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=3.0.10 -> e:\Program Files\VideoLAN\VLC\npvlc.dll [2020-04-23] (VideoLAN -> VideoLAN)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2014-01-22] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-22] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> E:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems, Incorporated -> Adobe Systems Inc.)
StartMenuInternet: Firefox-BD98F1778D21A581 - E:\Program Files\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR Profile: C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default [2020-05-03]
CHR Extension: (Slides) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2020-03-01]
CHR Extension: (Docs) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2020-03-01]
CHR Extension: (Google Drive) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2020-03-01]
CHR Extension: (YouTube) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2020-03-01]
CHR Extension: (Sheets) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2020-03-01]
CHR Extension: (book_helper) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfapgigiagilmjiemccbcgmipdokhhgb [2020-05-02]
CHR Extension: (سندنگار Google آفلاین) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2020-04-22]
CHR Extension: (IDM Integration Module) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2020-03-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2020-03-01]
CHR Extension: (Gmail) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2020-03-01]
CHR Extension: (Chrome Media Router) - C:\Users\gholamreza\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-04-22]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - E:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2020-02-23]
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - E:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2020-02-23]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"{45487F67-EC9F-4449-A6F2-2D0970F9B80B}" => service could not be unlocked. <==== ATTENTION
HKLM\SYSTEM\ControlSet001\Services\{45487F67-EC9F-4449-A6F2-2D0970F9B80B} => C:\WINDOWS\System32\drivers\Wdf06935.sys [6527376 2020-05-02] (Access Denied) [File not signed] <==== ATTENTION (Rootkit!/Locked Service)

R2 AnyDesk; C:\Program Files (x86)\AnyDesk\AnyDesk.exe [3153872 2019-12-18] (philandro Software GmbH -> philandro Software GmbH)
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [936728 2013-07-04] (ASUSTeK Computer Inc. -> )
S3 KVPNCSvc; C:\Windows.old\Users\gholamreza\AppData\Roaming\Kerio Maker\\Services\Kerio\kvpncsvc.exe [2105688 2017-01-23] (Kerio Technologies, Inc. -> Kerio Technologies Inc.)
R2 PSI_SVC_2; C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2014-05-01] (Arvato Digital Services Canada Inc -> arvato digital services llc)
R2 PSI_SVC_2_x64; C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [337776 2014-05-01] (Arvato Digital Services Canada Inc -> arvato digital services llc)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5796168 2019-09-14] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 sshd; C:\WINDOWS\System32\OpenSSH\sshd.exe [974848 2019-07-26] (Microsoft Windows -> )
S3 SshdBroker; C:\WINDOWS\System32\SshdBroker.dll [290816 2019-10-05] (Microsoft Windows -> Microsoft Corporation)
S3 uSHAREitSvc; e:\Program Files (x86)\SHAREit Technologies\SHAREit\SHAREit.Service.exe [33224 2017-09-11] (SHAREit Technologies Co.Ltd -> SHAREit Technologies Co.Ltd)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\NisSrv.exe [3206472 2020-02-11] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MsMpEng.exe [103376 2020-02-11] (Microsoft Windows Publisher -> Microsoft Corporation)
U3 wuauserv; C:\WINDOWS\system32\svchost.exe [53744 2019-03-19] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
U3 wuauserv; C:\WINDOWS\SysWOW64\svchost.exe [45448 2019-03-19] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S2 zcohskx; C:\WINDOWS\SysWOW64\zcohskx\baoqebcu.exe [11368448 2020-05-02] () [File not signed]
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
S4 wampapache64; "e:\wamp64\bin\apache\apache2.4.39\bin\httpd.exe" -k runservice [X]
S4 wampmariadb64; e:\wamp64\bin\mariadb\mariadb10.3.14\bin\mysqld.exe wampmariadb64 [X]
S4 wampmysqld64; e:\wamp64\bin\mysql\mysql5.7.26\bin\mysqld.exe wampmysqld64 [X]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AppleKmdfFilter; C:\WINDOWS\System32\drivers\AppleKmdfFilter.sys [20640 2018-05-11] (WDKTestCert build,131474841775766162 -> Apple Inc.)
S3 AppleLowerFilter; C:\WINDOWS\System32\drivers\AppleLowerFilter.sys [35560 2018-05-11] (WDKTestCert build,131474841775766162 -> Apple Inc.)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2013-07-04] (ASUSTeK Computer Inc. -> )
S3 dg_ssudbus; C:\WINDOWS\System32\drivers\ssudbus.sys [135520 2019-07-09] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.)
S3 esgiguard; E:\Program Files (x86)\SpyHunter Malware Security Suite\esgiguard.sys [16432 2017-04-03] (Enigma Software Group USA, LLC -> Enigma Software Group USA, LLC.)
S3 GridinSoftInetSecurityDriver; C:\WINDOWS\system32\DRIVERS\gsInetSecurity.sys [107784 2020-01-16] (GridinSoft, LLC -> GridinSoft LLC)
R3 kvnet; C:\WINDOWS\System32\drivers\kvnet.sys [30208 2017-01-23] (Microsoft Windows Hardware Compatibility Publisher -> Kerio Technologies Inc.)
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_db678424d2641c3d\nvlddmkm.sys [22094728 2019-10-05] (NVIDIA Corporation -> NVIDIA Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [1139848 2018-12-19] (Realtek Semiconductor Corp. -> Realtek )
S3 ScpVBus; C:\WINDOWS\System32\drivers\ScpVBus.sys [39168 2013-05-19] (Bruce James -> Scarlet.Crush Productions)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [166752 2019-07-09] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.)
S3 ssudqcfilter; C:\WINDOWS\System32\drivers\ssudqcfilter.sys [64864 2019-07-09] (Samsung Electronics Co., Ltd. -> QUALCOMM Incorporated)
R3 tap0901; C:\WINDOWS\System32\drivers\tap0901.sys [27136 2016-04-21] (OpenVPN Technologies, Inc. -> The OpenVPN Project)
S3 TrojanKillerDriver; C:\WINDOWS\System32\DRIVERS\gtkdrv.sys [38216 2020-01-16] (GridinSoft, LLC -> GridinSoft LLC)
S3 usbrndis6; C:\WINDOWS\System32\drivers\usb80236.sys [24576 2019-09-14] (Microsoft Windows -> Microsoft Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [45664 2020-02-11] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [355760 2020-02-11] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [54192 2020-02-11] (Microsoft Windows -> Microsoft Corporation)
S1 awoosjag; \??\C:\WINDOWS\system32\drivers\awoosjag.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-05-03 18:57 - 2020-05-03 18:59 - 000000000 ____D C:\FRST
2020-05-03 18:56 - 2020-05-03 18:56 - 002283008 _____ (Farbar) C:\Users\gholamreza\Downloads\FRST64.exe
2020-05-03 17:08 - 2020-05-03 17:08 - 000001570 _____ C:\Users\gholamreza\Downloads\TakeOwnership.zip
2020-05-03 17:08 - 2020-05-03 17:08 - 000000000 ____D C:\Users\gholamreza\Downloads\TakeOwnership
2020-05-03 15:00 - 2020-05-03 15:05 - 000000000 ____D C:\Program Files\Restoro
2020-05-03 14:59 - 2020-05-03 15:05 - 000000140 _____ C:\WINDOWS\restoro.ini
2020-05-03 14:59 - 2020-05-03 14:59 - 000931056 _____ (Restoro) C:\Users\gholamreza\Downloads\Restoro.exe
2020-05-03 10:43 - 2020-05-03 10:48 - 000000000 ____D C:\Users\gholamreza\Downloads\Eitaa Desktop
2020-05-03 10:42 - 2020-05-03 10:42 - 000001044 _____ C:\Users\gholamreza\Desktop\Eitaa.lnk
2020-05-03 10:41 - 2020-05-03 10:41 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Eitaa Desktop
2020-05-03 10:40 - 2020-05-03 10:40 - 000000000 ____D C:\Users\gholamreza\Downloads\Eitaa-win-3.7.3
2020-05-03 10:38 - 2020-05-03 10:39 - 020948462 _____ C:\Users\gholamreza\Downloads\Eitaa-win-3.7.3.zip
2020-05-03 10:36 - 2020-05-03 10:36 - 000000789 _____ C:\Users\Public\Desktop\jetAudio.lnk
2020-05-03 10:36 - 2020-05-03 10:36 - 000000789 _____ C:\ProgramData\Desktop\jetAudio.lnk
2020-05-03 10:36 - 2020-05-03 10:36 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2020-05-03 10:35 - 2020-05-03 10:35 - 000000000 ____D C:\Users\gholamreza\Downloads\JetAudio.8.1.7.20702.Plus.VX.Retail
2020-05-03 10:31 - 2020-05-03 10:32 - 068572694 _____ C:\Users\gholamreza\Downloads\JetAudio.8.1.7.20702.Plus.VX.Retail.rar
2020-05-02 22:49 - 2020-05-02 22:49 - 017563648 ____N C:\WINDOWS\system32\config\SYSTEM
2020-05-02 20:43 - 2020-05-02 20:43 - 000194485 _____ C:\Users\gholamreza\Desktop\1.txt
2020-05-02 19:16 - 2020-05-02 19:16 - 001162528 _____ (Emsisoft Ltd.) C:\Users\gholamreza\Downloads\decrypt_STOPDjvu(1).exe
2020-05-02 19:02 - 2020-05-02 19:02 - 001162528 _____ (Emsisoft Ltd.) C:\Users\gholamreza\Downloads\decrypt_STOPDjvu.exe
2020-05-02 18:43 - 2020-05-02 18:43 - 000000802 _____ C:\Users\Public\Desktop\GridinSoft Anti-Malware.lnk
2020-05-02 18:43 - 2020-05-02 18:43 - 000000802 _____ C:\ProgramData\Desktop\GridinSoft Anti-Malware.lnk
2020-05-02 18:42 - 2020-05-02 18:42 - 000000000 ____D C:\Users\gholamreza\Downloads\GridinSoft.Anti-Malware.4.1.43.4930
2020-05-02 18:42 - 2020-05-02 18:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware
2020-05-02 18:42 - 2020-05-02 18:42 - 000000000 ____D C:\ProgramData\GridinSoft
2020-05-02 18:41 - 2020-05-02 18:42 - 095314001 _____ C:\Users\gholamreza\Downloads\GridinSoft.Anti-Malware.4.1.43.4930.rar
2020-05-02 17:16 - 2020-05-02 17:16 - 000000922 _____ C:\Users\gholamreza\Desktop\Stellar Data Recovery.lnk
2020-05-02 17:16 - 2020-05-02 17:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stellar Data Recovery
2020-05-02 17:15 - 2020-05-02 17:15 - 000000000 ____D C:\Users\gholamreza\Downloads\Stellar.Windows.Data.Recovery.Technician.9.0.0.3
2020-05-02 17:13 - 2020-05-02 17:13 - 055604547 _____ C:\Users\gholamreza\Downloads\Stellar.Windows.Data.Recovery.Technician.9.0.0.3.rar
2020-05-02 17:09 - 2020-05-02 17:29 - 000000000 _RSHD C:\ProgramData\Key-Base
2020-05-02 17:09 - 2020-05-02 17:09 - 000000000 ____D C:\ProgramData\{BEC3D076-FED9-025B-77D6-F6A78675D70D}
2020-05-02 16:57 - 2017-04-03 04:55 - 000025768 _____ C:\WINDOWS\SysWOW64\sh4native.exe
2020-05-02 16:55 - 2020-05-02 16:55 - 000006493 _____ C:\spyhunter.fix
2020-05-02 16:55 - 2020-05-02 16:55 - 000000000 ___HD C:\FJniLyATdvV7RzYn
2020-05-02 16:11 - 2020-05-02 16:11 - 000000923 _____ C:\Users\Public\Desktop\SpyHunter.lnk
2020-05-02 16:11 - 2020-05-02 16:11 - 000000923 _____ C:\ProgramData\Desktop\SpyHunter.lnk
2020-05-02 16:11 - 2020-05-02 16:11 - 000000000 ____D C:\Users\gholamreza\Downloads\SpyHunter.4.25.6.4782
2020-05-02 16:11 - 2020-05-02 16:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpyHunter Malware
2020-05-02 15:58 - 2020-05-02 16:04 - 065181405 _____ C:\Users\gholamreza\Downloads\SpyHunter.4.25.6.4782.rar
2020-05-02 15:47 - 2020-05-02 15:47 - 006455520 _____ (EnigmaSoft Limited) C:\Users\gholamreza\Downloads\SpyHunter-Installer.exe
2020-05-02 14:41 - 2020-05-02 21:15 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2020-05-02 13:36 - 2020-05-02 13:36 - 000000000 ____D C:\WINDOWS\pss
2020-05-02 12:48 - 2020-05-02 12:48 - 000000384 _____ C:\ProgramData\FOCML6D495.exe
2020-05-02 12:48 - 2020-05-02 12:48 - 000000000 ____D C:\ProgramData\DZ4SITBEF9ESBRG7TLSSHTNCM
2020-05-02 12:09 - 2020-05-02 22:49 - 017563648 _____ C:\WINDOWS\system32\C_32770.NLS
2020-05-02 11:56 - 2020-05-02 11:56 - 000001116 _____ C:\Users\gholamreza\_readme.txt
2020-05-02 11:56 - 2020-05-02 11:56 - 000001116 _____ C:\Users\defaultuser100000\_readme.txt
2020-05-02 11:56 - 2020-05-02 11:56 - 000001116 _____ C:\_readme.txt
2020-05-02 11:55 - 2020-05-02 11:56 - 006527376 ____N C:\WINDOWS\system32\Drivers\Wdf06935.sys
2020-05-02 11:54 - 2020-05-02 12:48 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
2020-05-02 11:54 - 2020-05-02 12:48 - 000137168 _____ (Mozilla Foundation) C:\ProgramData\mozglue.dll
2020-05-02 11:54 - 2020-05-02 11:54 - 000000565 _____ C:\Users\gholamreza\AppData\Local\bowsakkdestx.txt
2020-05-02 11:54 - 2020-05-02 11:54 - 000000384 _____ C:\ProgramData\KF3I8NIC81.exe
2020-05-02 11:54 - 2020-05-02 11:54 - 000000000 ____D C:\WINDOWS\SysWOW64\zcohskx
2020-05-02 11:54 - 2020-05-02 11:54 - 000000000 ____D C:\SystemID
2020-05-02 11:54 - 2020-05-02 11:54 - 000000000 ____D C:\ProgramData\QE14OCLQZE7SQ9P0ZL1DK0MGC
2020-05-02 11:53 - 2020-05-02 15:43 - 000000000 ____D C:\Program Files (x86)\mastouna
2020-05-02 11:53 - 2020-05-02 13:26 - 000000000 ____D C:\Program Files (x86)\Wbxu
2020-05-02 11:53 - 2020-05-02 11:53 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Python
2020-05-02 11:53 - 2020-05-02 11:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DreamTrips
2020-05-02 11:48 - 2020-05-02 16:29 - 000000000 ____D C:\Users\gholamreza\AppData\Local\inetinfoservice
2020-05-02 05:33 - 2020-05-02 05:34 - 000000703 _____ C:\Users\gholamreza\AppData\Roaming\soundyg.dll
2020-05-02 05:33 - 2020-05-02 05:33 - 000000000 ____D C:\Users\gholamreza\Downloads\YouTubeGet.7.3.1.1
2020-05-02 05:33 - 2020-05-02 05:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YouTubeGet
2020-05-02 05:31 - 2020-05-02 05:33 - 044158364 _____ C:\Users\gholamreza\Downloads\YouTubeGet.7.3.1.1.rar
2020-05-01 18:03 - 2020-05-02 18:59 - 000000000 ____D C:\Users\gholamreza\Downloads\InqScribe 2.2.4 Build 262(1)
2020-05-01 17:58 - 2020-05-01 17:59 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\InqScribe
2020-05-01 17:56 - 2020-05-02 15:57 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\SystemDiag
2020-05-01 17:55 - 2020-05-02 16:44 - 000000000 ____D C:\Users\gholamreza\Downloads\InqScribe 2.2.4 Build 262
2020-05-01 17:35 - 2020-05-01 17:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monkey's Audio
2020-05-01 17:35 - 2020-04-26 16:50 - 000484352 _____ (Matthew T. Ashland) C:\WINDOWS\SysWOW64\MACDll.dll
2020-05-01 17:12 - 2020-05-01 17:14 - 000000000 ____D C:\Users\gholamreza\AppData\Local\Eye_Saver
2020-05-01 17:12 - 2020-05-01 17:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eye Saver
2020-05-01 17:12 - 2020-05-01 17:12 - 000000000 ____D C:\ProgramData\Eye Saver
2020-05-01 17:12 - 2020-05-01 17:12 - 000000000 ____D C:\Program Files (x86)\Eye Saver
2020-04-30 18:54 - 2020-04-30 18:54 - 000002091 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Suite.lnk
2020-04-30 18:54 - 2020-04-30 18:54 - 000001227 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Express Scribe Transcription Software.lnk
2020-04-30 18:54 - 2020-04-30 18:54 - 000000000 ____D C:\WINDOWS\system32\Tasks\NCH Software
2020-04-30 18:54 - 2020-04-30 18:54 - 000000000 ____D C:\Users\gholamreza\NCH Software Suite
2020-04-30 18:54 - 2020-04-30 18:54 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\NCH Software
2020-04-30 18:54 - 2020-04-30 18:54 - 000000000 ____D C:\ProgramData\NCH Software
2020-04-30 18:54 - 2020-04-30 18:54 - 000000000 ____D C:\Program Files (x86)\NCH Software
2020-04-30 17:48 - 2020-05-02 06:21 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\vlc
2020-04-30 16:43 - 2020-05-01 19:19 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Subtitle Edit
2020-04-30 16:43 - 2020-04-30 16:43 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Subtitle Edit
2020-04-30 16:28 - 2020-04-30 16:28 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\KMP
2020-04-30 16:20 - 2020-04-30 16:20 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KMPlayer 64X
2020-04-29 15:18 - 2020-04-29 15:18 - 000001703 _____ C:\Users\gholamreza\Desktop\Foxit Advanced PDF Editor - Shortcut.lnk
2020-04-29 15:17 - 2020-04-29 15:17 - 000001084 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Advanced PDF Editor.lnk
2020-04-29 15:17 - 2020-04-29 15:17 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Foxit Advanced PDF Editor
2020-04-29 15:17 - 2020-04-29 15:17 - 000000000 ____D C:\Users\gholamreza\AppData\Local\Foxit Advanced PDF Editor
2020-04-29 15:17 - 2020-04-29 15:17 - 000000000 ____D C:\Users\gholamreza\AppData\Local\Aspell
2020-04-29 15:17 - 2020-04-29 15:17 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Advanced PDF Editor
2020-04-29 15:17 - 2020-04-29 15:17 - 000000000 ____D C:\ProgramData\Foxit Advanced PDF Editor
2020-04-29 15:17 - 2020-04-29 15:17 - 000000000 ____D C:\ProgramData\Aspell
2020-04-23 14:59 - 2020-04-23 14:59 - 000000000 ____D C:\Users\gholamreza\Downloads\tinified(8)
2020-04-23 14:44 - 2020-04-23 14:45 - 000000000 ____D C:\Users\gholamreza\Downloads\tinified(6)
2020-04-23 14:44 - 2020-04-23 14:44 - 000000000 ____D C:\Users\gholamreza\Downloads\tinified(7)
2020-04-23 10:29 - 2020-04-23 10:34 - 000000000 ____D C:\Users\gholamreza\Downloads\tinified(5)
2020-04-23 10:29 - 2020-04-23 10:34 - 000000000 ____D C:\Users\gholamreza\Downloads\tinified(4)
2020-04-22 21:26 - 2020-04-22 22:18 - 000000000 ____D C:\Users\gholamreza\Downloads\tinified(3)
2020-04-22 21:24 - 2020-04-22 22:18 - 000000000 ____D C:\Users\gholamreza\Downloads\tinified(2)
2020-04-22 14:54 - 2020-04-22 14:54 - 000000000 ____D C:\Users\gholamreza\Downloads\Elementor_Pro_v2.9.3_-_NULLED-_-NULLX.NET
2020-04-21 16:43 - 2020-04-23 10:31 - 000000000 ____D C:\Users\gholamreza\Downloads\tinified
2020-04-19 22:10 - 2020-04-19 22:10 - 000000000 ____D C:\Users\gholamreza\Downloads\111815_jetsmartfilters161
2020-04-19 18:48 - 2020-04-19 18:48 - 000000000 ____D C:\Users\gholamreza\Downloads\advancedcustomfieldspro589-_-NULLX.NET
2020-04-19 15:05 - 2020-05-02 13:29 - 000000000 ____D C:\Users\gholamreza\AppData\Local\Deployment
2020-04-15 18:43 - 2020-05-02 11:56 - 000000000 ____D C:\tmp
2020-04-15 18:40 - 2020-05-02 11:56 - 000000000 ____D C:\Download
2020-04-15 18:33 - 2020-05-02 05:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\K-Lite Codec Pack
2020-04-15 18:33 - 2020-05-02 05:33 - 000000000 ____D C:\Program Files (x86)\K-Lite Codec Pack
2020-04-15 18:30 - 2020-04-15 18:30 - 000000000 ____D C:\Users\gholamreza\Downloads\4k_video_downloader_4.20.6-(www.p30afzar.com)
2020-04-15 17:54 - 2020-04-15 17:54 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Solveig Multimedia
2020-04-15 17:54 - 2020-04-15 17:54 - 000000000 ____D C:\Program Files\Common Files\Solveig Multimedia
2020-04-15 17:40 - 2020-04-15 17:40 - 000000000 ____D C:\Users\gholamreza\AppData\Local\WM Recorder
2020-04-15 17:38 - 2020-04-15 17:38 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\All Alex Inc
2020-04-15 17:38 - 2020-04-15 17:38 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Alex Inc
2020-04-15 17:34 - 2020-04-15 17:34 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Boilsoft
2020-04-15 17:02 - 2020-05-02 11:56 - 000000000 ___HD C:\OneDriveTemp
2020-04-14 16:36 - 2020-04-14 16:36 - 000000000 ____D C:\Users\gholamreza\Downloads\bdthemes-element-pack-v4-7-0-farsi
2020-04-14 15:44 - 2020-04-14 15:44 - 000000000 ____D C:\Users\gholamreza\Downloads\element-pack-v4.7.1
2020-04-14 15:44 - 2020-04-14 15:44 - 000000000 ____D C:\Users\gholamreza\Downloads\CodeCanyon_-_Element_Pack_v4.0.1_-_Addon_for_Elementor_Page_Builder_WordPress_Plugin_-_21177318-_-NULLX.NET
2020-04-13 17:33 - 2020-04-13 17:33 - 000000000 ____D C:\Users\gholamreza\Downloads\Estedad-irfont
2020-04-11 21:53 - 2020-04-11 21:53 - 000000000 ____D C:\Users\defaultuser100000\AppData\Local\ConnectedDevicesPlatform
2020-04-11 21:52 - 2020-05-02 11:56 - 000000000 ____D C:\Users\defaultuser100000
2020-04-11 18:40 - 2020-04-11 18:40 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Xilisoft
2020-04-11 18:13 - 2020-04-11 18:13 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Solveig Multimedia
2020-04-10 22:33 - 2020-04-10 22:33 - 000000600 _____ C:\Users\gholamreza\AppData\Local\PUTTY.RND
2020-04-08 19:02 - 2020-04-08 19:02 - 000000000 ____D C:\WINDOWS\system32\Tasks\Mozilla
2020-04-03 21:17 - 2020-04-03 21:17 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\idoo
2020-04-03 21:16 - 2020-04-03 21:16 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\idoo
2020-04-03 21:14 - 2020-04-03 21:14 - 000000000 ____D C:\Users\gholamreza\Downloads\1951020_132
2020-04-03 21:09 - 2020-04-03 21:09 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\avidemux
2020-04-03 21:09 - 2020-04-03 21:09 - 000000000 ____D C:\Users\gholamreza\AppData\Local\avidemux
2020-04-03 19:52 - 2020-04-03 19:52 - 000000000 ____D C:\ProgramData\InterAction studios

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-05-03 18:53 - 2020-02-09 18:50 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2020-05-03 18:53 - 2019-06-04 09:33 - 000000000 ____D C:\Users\gholamreza\AppData\LocalLow\Mozilla
2020-05-03 17:44 - 2020-02-09 18:37 - 000000000 ____D C:\WINDOWS\system32\FxsTmp
2020-05-03 15:39 - 2020-02-09 18:37 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2020-05-03 12:38 - 2020-03-12 17:13 - 000000000 ____D C:\WINDOWS\Roya
2020-05-03 10:52 - 2020-02-09 19:23 - 000000000 ____D C:\Users\gholamreza\AppData\Local\Packages
2020-05-03 10:36 - 2019-07-06 22:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\jetAudio
2020-05-03 10:31 - 2020-02-09 19:16 - 000840852 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2020-05-03 10:31 - 2020-02-09 18:35 - 000000000 ____D C:\WINDOWS\INF
2020-05-02 22:49 - 2020-02-09 19:12 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2020-05-02 22:49 - 2020-02-09 18:57 - 000000000 ____D C:\ProgramData\NVIDIA
2020-05-02 22:49 - 2020-02-09 18:25 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2020-05-02 22:44 - 2020-02-09 18:37 - 000000000 ____D C:\WINDOWS\registration
2020-05-02 22:31 - 2020-02-23 09:40 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\DMCache
2020-05-02 19:04 - 2019-06-04 22:16 - 000000000 ___RD C:\Users\gholamreza\Desktop\امیر مهدی
2020-05-02 18:29 - 2020-02-09 18:37 - 000000000 ___HD C:\Program Files\WindowsApps.tmp
2020-05-02 18:27 - 2020-02-09 18:37 - 000000000 ___HD C:\Program Files\WindowsApps
2020-05-02 17:14 - 2020-02-29 18:49 - 000000000 ____D C:\Users\gholamreza\AppData\Local\CrashDumps
2020-05-02 13:30 - 2019-06-03 22:42 - 000000000 ___RD C:\Users\gholamreza\OneDrive
2020-05-02 13:20 - 2020-02-09 18:25 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2020-05-02 13:02 - 2020-02-10 22:31 - 000000000 ____D C:\Users\gholamreza\AppData\Local\D3DSCache
2020-05-02 12:09 - 2020-02-09 18:25 - 015466496 _____ C:\WINDOWS\system32\config\BCD00000000
2020-05-02 11:56 - 2020-02-28 19:57 - 000000000 ____D C:\found.000
2020-05-02 11:56 - 2020-02-09 19:23 - 000000000 ____D C:\Users\gholamreza\AppData\Local\VirtualStore
2020-05-02 11:56 - 2020-02-09 19:03 - 000000000 ____D C:\Users\gholamreza
2020-05-02 11:56 - 2020-02-09 18:23 - 000000000 ___HD C:\$SysReset
2020-05-02 11:56 - 2019-12-16 12:40 - 000000000 ____D C:\Modern
2020-05-02 11:56 - 2019-10-19 18:42 - 000000000 ____D C:\wamp64
2020-05-02 11:56 - 2019-06-04 13:25 - 000000000 ____D C:\MyDrivers
2020-05-02 11:56 - 2019-06-03 23:00 - 000000000 ____D C:\temp
2020-05-02 11:55 - 2020-02-09 18:25 - 015257600 _____ C:\WINDOWS\system32\C_3389.NLS
2020-05-01 19:50 - 2020-02-11 00:44 - 000005206 _____ C:\WINDOWS\system32\Tasks\Microsoft Office 15 Sync Maintenance for KHANE-gholamreza khane
2020-05-01 17:05 - 2020-02-10 15:05 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\WhatsApp
2020-05-01 17:05 - 2020-02-10 15:04 - 000000000 ____D C:\Users\gholamreza\AppData\Local\WhatsApp
2020-05-01 17:05 - 2019-09-16 12:10 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WhatsApp
2020-04-30 19:13 - 2020-03-12 17:55 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\HandBrake
2020-04-30 17:07 - 2019-06-08 19:39 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2020-04-30 13:24 - 2020-02-09 18:30 - 000000000 ____D C:\WINDOWS\CbsTemp
2020-04-30 11:56 - 2020-02-16 16:15 - 000000000 ____D C:\Users\gholamreza\AppData\Roaming\Rovio
2020-04-30 11:13 - 2020-03-01 16:48 - 000002301 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2020-04-22 17:11 - 2019-10-04 09:56 - 000000000 ____D C:\Users\gholamreza\Downloads\iGram Desktop
2020-04-21 19:14 - 2019-10-04 07:52 - 000000000 ____D C:\Users\gholamreza\Downloads\Telegram Desktop
2020-04-19 15:05 - 2020-02-09 19:23 - 000000000 ____D C:\Users\gholamreza\AppData\Local\Apps\2.0
2020-04-17 14:53 - 2020-02-09 20:37 - 000000000 ____D C:\Users\gholamreza\AppData\Local\Microsoft Help
2020-04-15 17:02 - 2020-02-09 19:28 - 000003368 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-821111126-3065462664-3862307524-1001
2020-04-15 17:02 - 2020-02-09 19:03 - 000002378 _____ C:\Users\gholamreza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2020-04-15 16:56 - 2019-06-14 15:19 - 000000000 ____D C:\Users\gholamreza\Desktop\نرم افزار
2020-04-11 21:53 - 2020-02-09 18:37 - 000000000 ____D C:\WINDOWS\AppReadiness
2020-04-05 15:40 - 2020-02-09 18:50 - 001283712 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2020-04-04 17:46 - 2020-02-28 17:14 - 000000000 ____D C:\Users\gholamreza\AppData\Local\Downloaded Installations
2020-04-03 16:05 - 2020-02-10 15:04 - 000000000 ____D C:\Users\gholamreza\AppData\Local\SquirrelTemp

==================== Files in the root of some directories ========

2020-05-02 12:48 - 2020-05-02 12:48 - 000000384 _____ () C:\ProgramData\FOCML6D495.exe
2020-05-02 11:54 - 2020-05-02 11:54 - 000000384 _____ () C:\ProgramData\KF3I8NIC81.exe
2020-05-02 11:54 - 2020-05-02 12:48 - 000137168 _____ (Mozilla Foundation) C:\ProgramData\mozglue.dll
2020-05-02 11:54 - 2020-05-02 12:48 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
2020-02-16 16:32 - 2020-02-16 16:32 - 000000703 _____ () C:\Users\gholamreza\AppData\Roaming\mccodec.dll
2020-05-02 05:33 - 2020-05-02 05:34 - 000000703 _____ () C:\Users\gholamreza\AppData\Roaming\soundyg.dll
2020-05-02 11:54 - 2020-05-02 11:54 - 000000565 _____ () C:\Users\gholamreza\AppData\Local\bowsakkdestx.txt
2020-04-10 22:33 - 2020-04-10 22:33 - 000000600 _____ () C:\Users\gholamreza\AppData\Local\PUTTY.RND

==================== FLock ==============================

2020-05-02 22:49 C:\WINDOWS\system32\config\SYSTEM
2020-05-02 11:56 C:\WINDOWS\system32\Drivers\Wdf06935.sys

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================
 

Attachments

  • Addition.txt
    36.1 KB · Views: 5
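As an added illustration (not part of the original thread and not FRST's own code), the sketch below parses entries in the format of the log above and lists what was created within ten minutes of the first `_readme.txt` ransom note, which shows at a glance which files and folders arrived alongside the encryption event. The regular expression, the function names and the ten-minute window are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the "One month (created)" section of the FRST.txt above.
SAMPLE = r"""
2020-05-02 12:48 - 2020-05-02 12:48 - 000000384 _____ C:\ProgramData\FOCML6D495.exe
2020-05-02 11:56 - 2020-05-02 11:56 - 000001116 _____ C:\Users\gholamreza\_readme.txt
2020-05-02 11:56 - 2020-05-02 11:56 - 000001116 _____ C:\_readme.txt
2020-05-02 11:55 - 2020-05-02 11:56 - 006527376 ____N C:\WINDOWS\system32\Drivers\Wdf06935.sys
2020-05-02 11:54 - 2020-05-02 12:48 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
2020-05-02 11:54 - 2020-05-02 11:54 - 000000384 _____ C:\ProgramData\KF3I8NIC81.exe
2020-05-02 11:54 - 2020-05-02 11:54 - 000000000 ____D C:\SystemID
2020-05-02 11:53 - 2020-05-02 15:43 - 000000000 ____D C:\Program Files (x86)\mastouna
2020-05-02 05:31 - 2020-05-02 05:33 - 044158364 _____ C:\Users\gholamreza\Downloads\YouTubeGet.7.3.1.1.rar
2020-05-01 17:35 - 2020-04-26 16:50 - 000484352 _____ (Matthew T. Ashland) C:\WINDOWS\SysWOW64\MACDll.dll
"""

# created - modified - size attributes [(company)] path  (layout assumed from the log)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) (\S{5}) (?:\((.*?)\) )?([A-Za-z]:\\.*)$"
)
TS = "%Y-%m-%d %H:%M"

def parse_line(line):
    """Return a dict for one file/folder entry, or None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, company, path = m.groups()
    return {
        "created": datetime.strptime(created, TS),
        "modified": datetime.strptime(modified, TS),
        "size": int(size),
        "is_dir": "D" in attrs,          # attribute column, e.g. ____D or ___HD
        "company": company or "",        # empty when the file has no company field
        "path": path,
    }

def created_near_note(log_text, note_name="_readme.txt", minutes=10):
    """List entries created within +/- `minutes` of the earliest ransom note."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    notes = [e for e in entries if e["path"].lower().endswith("\\" + note_name)]
    if not notes:
        return []  # no note in this log: nothing to anchor the window on
    anchor = min(e["created"] for e in notes)
    window = timedelta(minutes=minutes)
    hits = [e for e in entries
            if e not in notes and abs(e["created"] - anchor) <= window]
    return sorted(hits, key=lambda e: e["created"])

if __name__ == "__main__":
    for e in created_near_note(SAMPLE):
        kind = "dir " if e["is_dir"] else "file"
        print(e["created"].strftime(TS), kind, e["size"], e["path"])
```

Entries outside the window, such as the 12:48 executable in `C:\ProgramData`, still need a manual look; the window only narrows where to start reading.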

nasdaq

Hi,
Remove this program in bold via the Control Panel > Programs > Programs and Features.
SearchNewTab (HKU\S-1-5-21-821111126-3065462664-3862307524-1001\...\SearchNewTab) (Version: - ) <==== ATTENTION
<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • fixlist.txt
    2.9 KB · Views: 8

nasdaq

To @Gammahertz

You must start your own topic in order to get help for your issue.

Navigate to this Forum and follow the instructions.

Someone will be with you in the near future.

Attach the FRST.TXT and Addition.txt logs in the topic you will create.


To @mohammad mahdi

Can you please run the Farbar program and post fresh logs?
Let me know of any remaining issues.
 

nasdaq

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt
Let me know what problem persists.
 

Attachments

  • fixlist.txt
    372 bytes · Views: 6

nasdaq

Hi,

Run the Farbar program.

Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad.
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>
 

mohammad mahdi

Hi

This file was created, but not on the desktop.

Fix result of Farbar Recovery Scan Tool (x64) Version: 03-05-2020
Ran by gholamreza (06-05-2020 18:54:08) Run:3
Running from F:\mohammadmahdi
Loaded Profiles: gholamreza (Available Profiles: gholamreza)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 18:54:09 ====
 

nasdaq

Hi,

Boot the PC to the Recovery Environment. If you are unsure of that action, have a read at the following link, and maybe bookmark it for future reference.

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advanced Options" > "Command Prompt"


Once in the command prompt


Navigate to the folder where the Farbar program is parked.
From what I see, it's running from the F:\mohammadmahdi folder.
Make sure my last Fixlist.txt is located in the folder otherwise it will not run.

Run the Farbar program and select the Fix button.

Exit the Recovery Environment, or restart the computer normally.

Let me know if the problem is solved.
 

mohammad mahdi

Hi,

I'm sorry, but I didn't understand exactly.
After entering the Command Prompt and selecting the F:\mohammadmahdi folder, how do I run the Farbar program in this environment?

I think when I ran the last commands sent in Farbar, I put the fix list in that folder and just put the commands in the text section and clicked on the fix.
Please help a little more.
 

nasdaq

Hi,

The easy way is to copy the Farbar program to your C:\Desktop.
Move or copy the Fixlist.txt to the Desktop also.

In the Recovery Environment
Type this command at the PROMPT

cd C:\desktop
Hit the Enter key.

You should see the Farbar program and the fixlist.

Run the Farbar program and select the Fix button.


A Fixlog.txt will be created on the Desktop.

Restart the computer normally.

Post the Fixlog.txt in your next reply.
Let me know if the problem is solved.
 