My files encrypted by .neer.babyk ransomware

[krist]

Hello,
my laptop attacked by .neer.babyk ransomeware and all files are encrypted with .neer.babyk extension. Can anybody help me how to decrypt/fix the files get back to normal extension?
See attached a instruction from the ransomeware. I'm so sad

Thanks,
krist.

 

[nasdaq]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

The Neer virus is a STOP/DJVU family of ransomware-type infections

Navigate to this topic.

ID Ransomware

Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data.

id-ransomware.malwarehunterteam.com

Submit a sample of the compromised files for their review.
They will reply and let you know what you are dealing with.

From what we know now, your files are not recoverable.
Your only solution would be to restore the files from a good backup if you have one.

The compromised files can be transferred to a CD or Flash drive.
Should a solution be found in the future you may be able to restore them.

It's never to late to use common sense to guard against being infected.
Tips on how to prevent ransomware attacks

How to Protect Yourself from Ransomware

What does ransomware do and how can I protect myself? Learn how to protect your computer with ransomware scanners

www.kaspersky.com

Good luck.
<<<>>>

If you have any other issues with this computer please run this scan.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

p.s.
The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
====

 

[krist]

Dear nasdaq,

see attached files.

 

[krist]

Dear nasdaq,

I also found these 2 malware that can not be removed by anti malware. Do you know how to remove them?

Tks and best regards
krist.

 

[nasdaq]

Hi,

This program in bold was previously installed and deleted.
If possible remove it via the Control Panel.

Remove this program in bold using the Control Panel > Programs > Programs and Features.
GridinSoft Anti-Malware (HKLM\...\GridinSoft Anti-Malware) (Version: 4.1.36 - Gridinsoft LLC)

If it fails then to remove it manually.
How to Manually Remove Program Entries from the Apps & Features List

How to Manually Remove Program Entries from the Apps & Features List - MajorGeeks

There may come a time when you find that you've uninstalled a program in Apps & Features (Windows 10) or AddRemove Programs (Windows XP, 7, Vista, 8) but the entry is still there. This problem happens when a registry entry wasn't correctly removed during the uninstall.

www.majorgeeks.com

===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Let find out what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
Antimalware
Once done, click on the Search Registry button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
====


Please post the logs and let me know what problem persists.

 

[krist]

Hi,

This program in bold was previously installed and deleted.
If possible remove it via the Control Panel.

Remove this program in bold using the Control Panel > Programs > Programs and Features.
GridinSoft Anti-Malware (HKLM\...\GridinSoft Anti-Malware) (Version: 4.1.36 - Gridinsoft LLC)

If it fails then to remove it manually.
How to Manually Remove Program Entries from the Apps & Features List

How to Manually Remove Program Entries from the Apps & Features List - MajorGeeks

There may come a time when you find that you've uninstalled a program in Apps & Features (Windows 10) or AddRemove Programs (Windows XP, 7, Vista, 8) but the entry is still there. This problem happens when a registry entry wasn't correctly removed during the uninstall.

www.majorgeeks.com

===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Let find out what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
Antimalware
Once done, click on the Search Registry button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
====


Please post the logs and let me know what problem persists.

Hi,

This program in bold was previously installed and deleted.
If possible remove it via the Control Panel.

Remove this program in bold using the Control Panel > Programs > Programs and Features.
GridinSoft Anti-Malware (HKLM\...\GridinSoft Anti-Malware) (Version: 4.1.36 - Gridinsoft LLC)

If it fails then to remove it manually.
How to Manually Remove Program Entries from the Apps & Features List

How to Manually Remove Program Entries from the Apps & Features List - MajorGeeks

There may come a time when you find that you've uninstalled a program in Apps & Features (Windows 10) or AddRemove Programs (Windows XP, 7, Vista, 8) but the entry is still there. This problem happens when a registry entry wasn't correctly removed during the uninstall.

www.majorgeeks.com

===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Let find out what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
Antimalware
Once done, click on the Search Registry button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
====


Please post the logs and let me know what problem persists.

Fix result of Farbar Recovery Scan Tool (x64) Version: 07-07-2021
Ran by Win7 (15-07-2021 21:59:40) Run:1
Running from C:\Users\Win7\Desktop
Loaded Profiles: Win7
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: G - G:\AutoRun.exe
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: {26d3d847-a39f-11e3-924b-9439e5d231c2} - G:\AutoRun.exe
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: {26d3d859-a39f-11e3-924b-9439e5d231c2} - G:\AutoRun.exe
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: {3cae467e-c7d1-11e4-97e4-9439e5d231c2} - G:\AutoRun.exe
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: {44a17760-a603-11e3-9269-9439e5d231c2} - G:\AutoRun.exe
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: {44dc09c8-a8ef-11e3-bf42-9439e5d231c2} - G:\AutoRun.exe
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: {83da0b8a-ffa3-11e3-98f6-9439e5d231c2} - G:\Setup.exe
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: {b398ecb2-e03d-11e4-9912-9439e5d231c2} - H:\AutoRun.exe
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\...\MountPoints2: {da49e92b-c7be-11e4-8c1e-9439e5d231c2} - G:\AutoRun.exe
GroupPolicy\User: Restriction ? <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {CE982151-2E30-41C8-904D-C366BC768B56} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [269000 2015-10-01] (Adobe Systems Incorporated -> Adobe Systems Incorporated)
Task: {F5B9CD8D-3C85-4F1D-860A-1B78AEC3EF1F} - System32\Tasks\{909CF490-D741-4B16-B78F-82135F1A5DD6} => C:\Windows\system32\pcalua.exe -a C:\Users\Win7\AppData\Local\Temp\jre-8u101-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-10-01] (Adobe Systems Incorporated -> )
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-10-01] (Adobe Systems Incorporated -> )
S3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [269000 2015-10-01] (Adobe Systems Incorporated -> Adobe Systems Incorporated)
S2 BavMiniService; "C:\ProgramData\Baidu\Antivirus\BavMSService.exe" -r [X]
S2 jehowesy; C:\Users\Win7\AppData\Roaming\4C4C4544-1425874573-4610-8039-B7C04F425231\jnso79D1.tmp [X]
S2 vowegyhi; C:\Users\Win7\AppData\Roaming\4C4C4544-1425874573-4610-8039-B7C04F425231\nsi32FB.tmpfs [X]
S2 vuqgwgr; C:\Windows\SysWOW64\vuqgwgr\gygvdbfd.exe [X]
S4 Qlssvcmmbpc; no ImagePath
U3 avgbdisk; no ImagePath
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S2 WCMVCAM; system32\DRIVERS\wcmvcam64.sys [X]
S3 WinPhLdrNT; \??\C:\Users\Win7\AppData\Local\Temp\PhLdrX64.SYS [X] <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3677881058-545421556-1463432810-1000_Classes\CLSID\{6A221957-2D85-42A7-8E19-BE33950D1DEB}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe => No File
CustomCLSID: HKU\S-1-5-21-3677881058-545421556-1463432810-1000_Classes\CLSID\{7DE1BE5C-CEBA-4F1D-ACBC-9CE11EE9A2A1}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe /Automation => No File
CustomCLSID: HKU\S-1-5-21-3677881058-545421556-1463432810-1000_Classes\CLSID\{BD0DEB94-63DB-4392-9420-6EEE05094B1F}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe /Automation => No File
CustomCLSID: HKU\S-1-5-21-3677881058-545421556-1463432810-1000_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD 2014\en-US\acadficn.dll => No File
ShellIconOverlayIdentifiers: [BaiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} => -> No File
ShellIconOverlayIdentifiers-x32-x32: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\SysWOW64\AcSignIcon.dll -> No File
ContextMenuHandlers1: [Baidu_Scan] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CB} => C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.114997.0\BavShx64.dll -> No File
ContextMenuHandlers2: [Baidu_Scan] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CB} => C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.114997.0\BavShx64.dll -> No File
ContextMenuHandlers3: [SmadExt] -> {8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C} => C:\Program Files (x86)\Smadav\SmadExtc64.dll -> No File
ContextMenuHandlers6: [Baidu_Scan] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CB} => C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.114997.0\BavShx64.dll -> No File
ContextMenuHandlers6: [SmadExt] -> {8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C} => C:\Program Files (x86)\Smadav\SmadExtc64.dll -> No File
URLSearchHook: HKU\S-1-5-21-3677881058-545421556-1463432810-1000 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - No File
C:\Windows\Securebootthemes
C:\Wndows\Syswow64\Securebootthemes
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => removed successfully
"HKU\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLowDiskSpaceChecks" => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{26d3d847-a39f-11e3-924b-9439e5d231c2} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{26d3d859-a39f-11e3-924b-9439e5d231c2} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3cae467e-c7d1-11e4-97e4-9439e5d231c2} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44a17760-a603-11e3-9269-9439e5d231c2} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44dc09c8-a8ef-11e3-bf42-9439e5d231c2} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{83da0b8a-ffa3-11e3-98f6-9439e5d231c2} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b398ecb2-e03d-11e4-9912-9439e5d231c2} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da49e92b-c7be-11e4-8c1e-9439e5d231c2} => removed successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CE982151-2E30-41C8-904D-C366BC768B56}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CE982151-2E30-41C8-904D-C366BC768B56}" => removed successfully
C:\Windows\System32\Tasks\Adobe Flash Player Updater => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Flash Player Updater" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F5B9CD8D-3C85-4F1D-860A-1B78AEC3EF1F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F5B9CD8D-3C85-4F1D-860A-1B78AEC3EF1F}" => removed successfully
C:\Windows\System32\Tasks\{909CF490-D741-4B16-B78F-82135F1A5DD6} => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{909CF490-D741-4B16-B78F-82135F1A5DD6}" => removed successfully
C:\Windows\Tasks\Adobe Flash Player Updater.job => moved successfully
HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer => removed successfully
C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll => moved successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-10-01] (Adobe Systems Incorporated" => not found
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll => moved successfully
HKLM\System\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc => removed successfully
AdobeFlashPlayerUpdateSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\BavMiniService => removed successfully
BavMiniService => service removed successfully
HKLM\System\CurrentControlSet\Services\jehowesy => removed successfully
jehowesy => service removed successfully
HKLM\System\CurrentControlSet\Services\vowegyhi => removed successfully
vowegyhi => service removed successfully
HKLM\System\CurrentControlSet\Services\vuqgwgr => removed successfully
vuqgwgr => service removed successfully
HKLM\System\CurrentControlSet\Services\Qlssvcmmbpc => removed successfully
Qlssvcmmbpc => service removed successfully
HKLM\System\CurrentControlSet\Services\avgbdisk => could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\BprotectEx => removed successfully
BprotectEx => service removed successfully
HKLM\System\CurrentControlSet\Services\clwvd => removed successfully
clwvd => service removed successfully
HKLM\System\CurrentControlSet\Services\ewusbmbb => removed successfully
ewusbmbb => service removed successfully
HKLM\System\CurrentControlSet\Services\ew_hwusbdev => removed successfully
ew_hwusbdev => service removed successfully
HKLM\System\CurrentControlSet\Services\ew_usbenumfilter => removed successfully
ew_usbenumfilter => service removed successfully
HKLM\System\CurrentControlSet\Services\huawei_cdcacm => removed successfully
huawei_cdcacm => service removed successfully
HKLM\System\CurrentControlSet\Services\huawei_enumerator => removed successfully
huawei_enumerator => service removed successfully
HKLM\System\CurrentControlSet\Services\huawei_ext_ctrl => removed successfully
huawei_ext_ctrl => service removed successfully
HKLM\System\CurrentControlSet\Services\huawei_wwanecm => removed successfully
huawei_wwanecm => service removed successfully
HKLM\System\CurrentControlSet\Services\hwdatacard => removed successfully
hwdatacard => service removed successfully
HKLM\System\CurrentControlSet\Services\VGPU => removed successfully
VGPU => service removed successfully
HKLM\System\CurrentControlSet\Services\WCMVCAM => removed successfully
WCMVCAM => service removed successfully
HKLM\System\CurrentControlSet\Services\WinPhLdrNT => removed successfully
WinPhLdrNT => service removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000_Classes\CLSID\{6A221957-2D85-42A7-8E19-BE33950D1DEB} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000_Classes\CLSID\{7DE1BE5C-CEBA-4F1D-ACBC-9CE11EE9A2A1} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000_Classes\CLSID\{BD0DEB94-63DB-4392-9420-6EEE05094B1F} => removed successfully
HKU\S-1-5-21-3677881058-545421556-1463432810-1000_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005} => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\BaiduAntivirusIconLock => removed successfully
ShellIconOverlayIdentifiers-x32-x32: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\SysWOW64\AcSignIcon.dll -> No File => Error: No automatic fix found for this entry.
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\Baidu_Scan => removed successfully
HKLM\Software\Classes\CLSID\{0A93904A-BB1E-4a0c-9753-B57B9AE272CB} => removed successfully
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers\Baidu_Scan => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\SmadExt => removed successfully
HKLM\Software\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C} => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\Baidu_Scan => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\SmadExt => removed successfully
"HKU\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{D8278076-BC68-4484-9233-6E7F1628B56C}" => removed successfully
C:\Windows\Securebootthemes => moved successfully
"C:\Wndows\Syswow64\Securebootthemes" => not found

========= netsh int ip reset =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10484736 B
Java, Flash, Steam htmlcache => 3436 B
Windows/system/drivers => 24727534 B
Edge => 0 B
Chrome => 752492312 B
Firefox => 1307215293 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 2174 B
Public => 2174 B
ProgramData => 2174 B
systemprofile => 85498 B
systemprofile32 => 368002 B
LocalService => 434230 B
NetworkService => 560386 B
Win7 => 36530440 B

RecycleBin => 25905810 B
EmptyTemp: => 2 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 15-07-2021 22:08:27)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\avgbdisk => could not remove, key could be protected

==== End of Fixlog 22:08:27 ====

 

[krist]

Farbar Recovery Scan Tool (x64) Version: 07-07-2021
Ran by Win7 (15-07-2021 22:20:49)
Running from C:\Users\Win7\Desktop
Boot Mode: Normal

================== Search Registry: "Antimalware" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\2.0 Zemana AntiMalware]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ABB1C11-E261-4CEA-BBB5-3836225689DD}\InprocServer32]
""="C:\Program Files (x86)\Zemana\AntiMalware\AM_ShellExt64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}]
""="AVG IAntimalwareProvider implementation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\2.0 Zemana AntiMalware]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}]
""="AVG IAntimalwareProvider implementation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AntiMalware_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AntiMalware_RASMANCS]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4E1F3677-C72E-4F7D-B66E-85467B1A289E}_is1]
"Inno Setup: App Path"="C:\Program Files (x86)\Zemana\AntiMalware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4E1F3677-C72E-4F7D-B66E-85467B1A289E}_is1]
"InstallLocation"="C:\Program Files (x86)\Zemana\AntiMalware\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4E1F3677-C72E-4F7D-B66E-85467B1A289E}_is1]
"Inno Setup: Icon Group"="Zemana AntiMalware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4E1F3677-C72E-4F7D-B66E-85467B1A289E}_is1]
"DisplayName"="Zemana AntiMalware versi 3.2.28"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4E1F3677-C72E-4F7D-B66E-85467B1A289E}_is1]
"DisplayIcon"="C:\Program Files (x86)\Zemana\AntiMalware\res\2.ico"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4E1F3677-C72E-4F7D-B66E-85467B1A289E}_is1]
"UninstallString"=""C:\Program Files (x86)\Zemana\AntiMalware\unins000.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4E1F3677-C72E-4F7D-B66E-85467B1A289E}_is1]
"QuietUninstallString"=""C:\Program Files (x86)\Zemana\AntiMalware\unins000.exe" /SILENT"
[HKEY_LOCAL_MACHINE\SOFTWARE\ZmnGlobalSDK]
"AM_InstallPath"="C:\Program Files (x86)\Zemana\AntiMalware"
[HKEY_LOCAL_MACHINE\SOFTWARE\ZmnGlobalSDK]
"AM_ShellIconPath"="C:\Program Files (x86)\Zemana\AntiMalware\res\2.ico"
[HKEY_LOCAL_MACHINE\SOFTWARE\ZmnGlobalSDK]
"AM_EXEPath"="C:\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\AntiMalware]
[HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware\Zemana AntiMalware.lnk"="1"
[HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware\Zemana AntiMalware.lnk"="1"
[HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\SMADΔV\Inforegc]
"Proc12"="C:\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe|1|3|taskeng.exe||NA|682008|NA|85FE1C52|85BE3DC8|A5105B07|67E2F70E|75cd10a49f0743fe04b5b282d9f7a5ce|3"
[HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Zemana\AntiMalware]
[HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Zemana\AntiMalware\Update]
"InstalledURL"="http://dl12.zemana.com/AntiMalware/3.2.27/AntiMalware_Setup.exe"
[HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\ZmnGlobalSDK]
"AM_ShellExtText"="Pindai dengan Zemana AntiMalware"

====== End of Search ======

 

[nasdaq]

Hi,

This sould remove all of Zemana's entries.


Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\2.0 Zemana AntiMalware]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ABB1C11-E261-4CEA-BBB5-3836225689DD}\InprocServer32]
""=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\2.0 Zemana AntiMalware]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AntiMalware_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AntiMalware_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4E1F3677-C72E-4F7D-B66E-85467B1A289E}_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\ZmnGlobalSDK]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\AntiMalware]
[HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware\Zemana AntiMalware.lnk"=-
[HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware\Zemana AntiMalware.lnk"=-
[-HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\SMADΔV\Inforegc]
[-HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Zemana\AntiMalware]
[-HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\Zemana\AntiMalware\Update]
[-HKEY_USERS\S-1-5-21-3677881058-545421556-1463432810-1000\Software\ZmnGlobalSDK]

Restart the computer when completed.

You can delete the fixme.reg file when done.

Is the computer running well?

 

[krist]

Hi,

This sould remove all of Zemana's entries.


Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.



Restart the computer when completed.

You can delete the fixme.reg file when done.

Is the computer running well?

Yes, the computer is running well.

 

[krist]

Yes, the computer is running well.

Has the virus disappeared from my computer?

 

[nasdaq]

Glad we could help.

 

[krist]

Glad we could help.

Thank you for the support and your time. God bless you!