virus VBA/TrojanDownloader.Agent.UFY trojan

kozav100 · Sep 4, 2020

Dear forum Members,

Please help and advise.
I am using Outlook 2010 x64 and Windows 7 x64.
During receipt of my incoming messages in Outlook, the majority of incoming, new messages get marked as follows:

“virus VBA/TrojanDownloader.Agent.UFY trojan”.

Screenshot sample is attached.
Carefully reading your topics and strictly following your recommendations I have made several scans using such tools as: ”MalwareBytes”, “Zemana”, “HitManPro”. They found many infections, cured and deleted them.
Now, after system restart and re-launch of Outlook 2010, everything repeats, all repeats again. In fact the virus and/or Trojan doesn’t go away.
Please suggest how to get rid of this disease.
Many thanks in advance and hope to hear from you soonest.

Brgds

Alexander

nasdaq · Sep 4, 2020

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's check further.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

p.s.
This program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
====

kozav100 · Sep 4, 2020

nasdaq said:
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's check further.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

p.s.
This program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
====

Hello and good day to you aswell nasdaq,

I would like to thank you first for paying attention and suddenly reacting to the problem I was facing. Highly appreciated.
For the time being I think that the problem was solved by removing antivirus software namely Eset NOD32.
I have completely uninstalled it from my PC and at least the incoming messages don't get marked anymore as VBA/Trojan....
So, looks like it was the actual problem of the ESET NOD32 and its settings on checking e-mail for viruses.
Now, I do understand that nowadays a PC can't exist and work without any antivirus protection at all thus my intention is to resume work of Eset NOD32 getting back to work.
Will keep you advised.
Brgds
Alexander

nasdaq · Sep 5, 2020

Hi,

What you received might have been a false positive.

I will leave this topic open for 6 days.

kozav100 · Sep 10, 2020

nasdaq said:
Hi,

What you received might have been a false positive.

I will leave this topic open for 6 days.

Maybe you're right, but for the time being I have re-installed NOD 32 Anti-Virus on my PC getting it back to work.
Maybe something went wrong with the settings of the anti virus and it was marking all messages as Trojan virus. But for now all goes well.
Let's give it some time and see. I will report in any case. If the problem will be solved, let's consider the case closed.

nasdaq · Sep 10, 2020

Hi,
Good work.

kozav100 · Sep 15, 2020

nasdaq said:
Hi,
Good work.

A few days passed and regretfully the problem returned.
Same thing - the e-mail messages get marked as "detection VBA/TrojanDownloader.Agent.UFY" and so on...
Following your initial instructions, I have downloaded and launched Farbar Scan Tool, as follows:
QUOTE
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-09-2020
Ran by User (administrator) on KOZUBAYPC (15-09-2020 09:30:10)
Running from C:\Users\Владелец\Downloads
Loaded Profiles: User
Platform: Windows 7 Professional Service Pack 1 (X64) Language: Русский (Россия)
Default browser: Edge
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(DoubleGIS LLC -> ООО ДубльГИС) C:\Program Files (x86)\2gis\3.0\2GISTrayNotifier.exe
(Dropbox, Inc -> Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe <3>
(Dropbox, Inc -> Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Dropbox, Inc -> The Qt Company Ltd.) C:\Program Files (x86)\Dropbox\Client\105.4.651\QtWebEngineProcess.exe <3>
(Google Inc -> Google Inc.) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <34>
(Intel Corporation - Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation - Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation - Software and Firmware Products -> Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Nuance Communications, Inc. -> Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Nuance Communications, Inc. -> Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Oracle America, Inc. -> Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Samsung Electronics CO., LTD. -> ) C:\Windows\SysWOW64\SecUPDUtilSvc.exe
(Skype Software Sarl -> Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe <6>
(Viber Media S.à r.l. -> Viber Media S.Ã r.l.) C:\Users\Владелец\AppData\Local\Viber\Viber.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [9068040 2016-11-09] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2670056 2018-09-10] (Adobe Systems Incorporated -> Adobe Systems, Incorporated)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [296216 2015-09-25] (Intel Corporation - Software and Firmware Products -> Intel Corporation)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [7651840 2020-09-09] (Dropbox, Inc -> Dropbox, Inc.)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc. -> Flexera Software, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-13] (Nuance Communications, Inc. -> Nuance Communications, Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-13] (Nuance Communications, Inc. -> Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort14reminder] => C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe [333088 2011-05-16] (Nuance Communications, Inc. -> Nuance Communications, Inc.)
HKLM-x32\...\Run: [2Gis Update Notifier] => C:\Program Files (x86)\2gis\3.0\2GISTrayNotifier.exe [4593384 2016-02-29] (DoubleGIS LLC -> ООО ДубльГИС)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [710264 2020-06-18] (Oracle America, Inc. -> Oracle Corporation)
HKU\S-1-5-21-3247224823-1321410192-2680924528-1000\...\Run: [Skype for Desktop] => C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe [90951544 2020-09-08] (Skype Software Sarl -> Skype Technologies S.A.)
HKU\S-1-5-21-3247224823-1321410192-2680924528-1000\...\Run: [Viber] => C:\Users\Владелец\AppData\Local\Viber\Viber.exe [43141648 2020-09-03] (Viber Media S.à r.l. -> Viber Media S.Ã r.l.)
HKU\S-1-5-21-3247224823-1321410192-2680924528-1000\...\Run: [Discord] => C:\Users\Владелец\AppData\Local\Discord\app-0.0.307\Discord.exe
HKLM\...\Windows x64\Print Processors\HP1006PrintProc: C:\Windows\System32\spool\prtprocs\x64\HP1006PP.dll [65024 2013-04-15] (Microsoft Windows Hardware Compatibility Publisher -> )
HKLM\...\Windows x64\Print Processors\hpcpp170: C:\Windows\System32\spool\prtprocs\x64\hpcpp170.dll [610080 2014-06-17] (Hewlett-Packard Company -> Hewlett-Packard Corporation)
HKLM\...\Windows x64\Print Processors\usp02PC: C:\Windows\System32\spool\prtprocs\x64\usp02pc.dll [43520 2014-02-24] (Windows (R) Codename Longhorn DDK provider) [File not signed]
HKLM\...\Print\Monitors\EPSON L312 Series 64MonitorBE: C:\Windows\system32\E_YLMBN5E.DLL [180224 2014-03-04] (SEIKO EPSON CORPORATION) [File not signed]
HKLM\...\Print\Monitors\HP Universal Print Monitor: C:\Windows\system32\HPMPW081.DLL [74016 2014-06-17] (Hewlett-Packard Company -> Hewlett-Packard)
HKLM\...\Print\Monitors\HP1006LM: C:\Windows\system32\HP1006LM.DLL [198144 2013-04-15] (Microsoft Windows Hardware Compatibility Publisher -> )
HKLM\...\Print\Monitors\HPMLM135: C:\Windows\system32\hpmlm135.dll [237344 2014-06-17] (Hewlett-Packard Company -> Hewlett-Packard Company)
HKLM\...\Print\Monitors\usp02 Langmon: C:\Windows\system32\usp02l.dll [29184 2014-04-16] () [File not signed]
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\85.0.4183.102\Installer\chrmstp.exe [2020-09-11] (Google LLC -> Google LLC)
HKLM\Software\...\Winlogon\GPExtensions: [{C631DF4C-088F-4156-B058-4375F0853CD8}] -> C:\Windows\System32\cscobj.dll [2010-11-21] (Microsoft Windows -> Корпорация Майкрософт)
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {16BA582F-7805-4D2A-A31E-269491A920F9} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-06-27] (Dropbox, Inc -> Dropbox, Inc.)
Task: {1C436866-7F39-4B7A-B179-DA9BFD737095} - System32\Tasks\{A23451A2-C932-4302-8542-336F6F3E33BF} => C:\Windows\system32\pcalua.exe -a "C:\Users\Владелец\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AXZX67GB\JavaUninstallTool.exe" -d C:\Users\Владелец\Desktop
Task: {2C1F5E9C-B6C9-42E9-B38D-95A710F853EF} - System32\Tasks\AdobeGCInvoker-1.0-KOZUBAYPC-User => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2670056 2018-09-10] (Adobe Systems Incorporated -> Adobe Systems, Incorporated)
Task: {3792BD60-DCD2-41A6-913E-48080E365831} - System32\Tasks\Intel PTT EK Recertification => C:\Program Files\Intel\iCLS Client\IntelPTTEKRecertification.exe [855352 2016-02-19] (Intel(R) Trusted Connect Service -> Intel(R) Corporation)
Task: {6E33F0DC-F52C-4033-B847-8399E3146F5C} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1336400 2020-07-08] (Adobe Inc. -> Adobe Inc.)
Task: {78C49E5A-8063-4345-AA6A-78BC09366BFA} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-06-27] (Dropbox, Inc -> Dropbox, Inc.)
Task: {9F1507DC-BCB5-4BAA-81C9-A951071BEF05} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154440 2016-06-16] (Google Inc -> Google Inc.)
Task: {B937F1CF-C06A-4ADE-B326-87AA74130672} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [154440 2016-06-16] (Google Inc -> Google Inc.)
Task: {E6B68D6D-7F19-45BA-975E-18EFE8959F8A} - System32\Tasks\{DAFB5FE1-ADD9-4F81-9F25-1D8B42398B9A} => C:\Windows\system32\pcalua.exe -a C:\Users\Владелец\Downloads\qsc_pack.exe -d C:\Users\Владелец\Downloads
Task: {F29619D9-50EA-4B87-AC91-0182EC7BC1A6} - System32\Tasks\{6FE7F2DD-1320-4D17-A6C8-47CF5FEF5E48} => C:\Windows\system32\pcalua.exe -a "C:\Users\Владелец\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CNUDSYVH\JavaSetup8u181.exe" -d C:\Users\Владелец\Desktop

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{02E8C020-25B0-47AF-B0EE-8E00FC5458FE}: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{628A8247-F842-45B1-A58E-365B75477263}: [DhcpNameServer] 192.168.1.1

Edge:
======
Edge DefaultProfile: Default
Edge Profile: C:\Users\Владелец\AppData\Local\Microsoft\Edge\User Data\Default [2020-09-14]

FireFox:
========
FF DefaultProfile: swm9ih20.default
FF ProfilePath: C:\Users\Владелец\AppData\Roaming\Mozilla\Firefox\Profiles\swm9ih20.default [2020-09-15]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-18] (Adobe Systems Incorporated -> )
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=3.0.7.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-18] (Adobe Systems Incorporated -> )
FF Plugin-x32: @java.com/DTPlugin,version=11.261.2 -> C:\Program Files (x86)\Java\jre1.8.0_261\bin\dtplugin\npDeployJava1.dll [2020-07-17] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.261.2 -> C:\Program Files (x86)\Java\jre1.8.0_261\bin\plugin2\npjp2.dll [2020-07-17] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2020-08-18] (Adobe Inc. -> Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3247224823-1321410192-2680924528-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Владелец\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-08] (Unity Technologies SF -> Unity Technologies ApS)

Chrome:
=======
CHR DefaultProfile: Profile 1
CHR Profile: C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default [2016-10-31]
CHR Notifications: Default -> hxxps://comfy-push.esputnik.com
CHR HomePage: Default -> mail.ru/cnt/11956636?rciguc__PARAM__
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Extension: (Google Презентации) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-16]
CHR Extension: (Диск Google) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-16]
CHR Extension: (YouTube) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-16]
CHR Extension: (Google Таблицы) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-16]
CHR Extension: (Google Документы офлайн) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-17]
CHR Extension: (Платежная система Интернет-магазина Chrome) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-16]
CHR Extension: (Gmail) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-16]
CHR Extension: (Chrome Media Router) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-26]
CHR Profile: C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Profile 1 [2020-09-15]
CHR Notifications: Profile 1 -> hxxps://allo-push.esputnik.com; hxxps://antoshka.ua; hxxps://apteka911.com.ua; hxxps://azbuka-bp.com.ua; hxxps://bigl.ua; hxxps://dev.itmag.ua; hxxps://eldorado.ua; hxxps://epicentrk.ua; hxxps://eva.ua; hxxps://isei.ua; hxxps://izi.ua; hxxps://kyivstar.ua; hxxps://mail.google.com; hxxps://makeup.com.ua; hxxps://metro.zakaz.ua; hxxps://produkty24.com.ua; hxxps://prostor.ua; hxxps://rozetka.com.ua; hxxps://shafa.ua; hxxps://thequestion.ru; hxxps://wahlstore.com.ua; hxxps://web.telegram.org; hxxps://www.add.ua; hxxps://www.alibaba.com; hxxps://www.facebook.com; hxxps://www.foxtrot.com.ua; hxxps://www.giftsandcare.com; hxxps://www.instagram.com; hxxps://www.nl.ua; hxxps://www.rbc.ua; hxxps://www.shaveua.com
CHR HomePage: Profile 1 -> hxxp://www.google.com.ua/
CHR StartupUrls: Profile 1 -> "hxxp://mail.ru/cnt/10445?gp=821268","hxxps://www.google.com/"
CHR Extension: (VK VPN - Разблокировать Вконтакте) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\acjkjigmbpdbehmojceoibdegihpgole [2019-12-09]
CHR Extension: (Диск Google) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-10-19]
CHR Extension: (YouTube) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-10-13]
CHR Extension: (Платежная система Интернет-магазина Chrome) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-10-04]
CHR Extension: (Gmail) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-05-02]
CHR Extension: (Chrome Media Router) - C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-09-04]
CHR Profile: C:\Users\Владелец\AppData\Local\Google\Chrome\User Data\System Profile [2020-09-01]
CHR HKLM-x32\...\Chrome\Extension: [ehfjihahbphdpljpiadbkmgmhnfehhgi]

Opera:
=======
OPR Notifications: hxxps://news.rambler.ru

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 2GISUpdateService; C:\Program Files (x86)\2gis\3.0\2GISUpdateService.exe [3772648 2016-02-29] (DoubleGIS LLC -> ООО ДубльГИС)
R2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [169544 2020-07-08] (Adobe Inc. -> Adobe Inc.)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-06-27] (Dropbox, Inc -> Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-06-27] (Dropbox, Inc -> Dropbox, Inc.)
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [44552 2020-09-09] (Dropbox, Inc -> Dropbox, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2014-04-28] (Hewlett-Packard) [File not signed]
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [138600 2011-08-13] (Nuance Communications, Inc. -> Nuance Communications, Inc.)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2014-04-28] (Hewlett-Packard) [File not signed]
R2 SamsungUPDUtilSvc; C:\Windows\SysWOW64\SecUPDUtilSvc.exe [118576 2014-11-26] (Samsung Electronics CO., LTD. -> )
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Windows -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 fiddrv64; no ImagePath
R0 mountmgr; C:\Windows\System32\drivers\mountmgr.sys [94440 2019-06-12] (Microsoft Windows -> Корпорация Майкрософт)
R3 phantomtap; C:\Windows\System32\DRIVERS\phantomtap.sys [39448 2020-07-06] (Avira Operations GmbH & Co. KG -> The OpenVPN Project)
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [40664 2014-06-20] (OpenVPN Technologies, Inc. -> The OpenVPN Project)
S3 tapnordvpn; C:\Windows\System32\DRIVERS\tapnordvpn.sys [35592 2018-07-24] (TEFINCOM S.A. -> The OpenVPN Project)
R0 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [363752 2017-07-07] (Microsoft Windows -> Корпорация Майкрософт)
S1 amsdk; \??\C:\Windows\system32\drivers\amsdk.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-09-15 09:30 - 2020-09-15 09:30 - 000019995 _____ C:\Users\Владелец\Downloads\FRST.txt
2020-09-15 09:30 - 2020-09-15 09:30 - 000000000 ____D C:\FRST
2020-09-15 09:29 - 2020-09-15 09:29 - 002297856 _____ (Farbar) C:\Users\Владелец\Downloads\FRST64.exe
2020-09-11 16:10 - 2020-09-11 16:10 - 016866381 _____ C:\Users\Владелец\Downloads\IMG_6879.MOV
2020-09-11 16:04 - 2020-09-11 16:04 - 000056038 _____ C:\Users\Владелец\Downloads\QR-SpTH.pdf
2020-09-11 09:41 - 2020-09-11 09:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2020-09-10 10:58 - 2020-09-10 10:58 - 000000000 ____D C:\Users\Владелец\AppData\Local\Viber
2020-09-10 09:59 - 2020-09-10 09:59 - 005504824 _____ (ESET) C:\Users\Владелец\Downloads\eset_nod32_antivirus_live_installer.exe
2020-09-09 14:45 - 2020-09-09 14:45 - 000047600 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-stable.sys
2020-09-09 14:45 - 2020-09-09 14:45 - 000047600 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-dev.sys
2020-09-09 14:45 - 2020-09-09 14:45 - 000047600 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-canary.sys
2020-09-09 14:45 - 2020-09-09 14:45 - 000044552 _____ (Dropbox, Inc.) C:\Windows\system32\DbxSvc.exe
2020-09-07 12:39 - 2020-09-07 12:39 - 004635795 _____ C:\Users\Владелец\Downloads\IMG_6489.MOV
2020-09-07 12:23 - 2020-09-07 12:23 - 009516377 _____ C:\Users\Владелец\Downloads\video (1).mp4
2020-09-04 12:50 - 2020-09-04 12:50 - 000002892 _____ C:\Users\Владелец\Downloads\УКРАИНА+11.zip
2020-09-04 12:49 - 2020-09-04 12:49 - 000002089 _____ C:\Users\Владелец\Downloads\УКРАИНА-5.zip
2020-09-04 12:34 - 2020-09-04 12:34 - 000029103 _____ C:\Users\Владелец\Downloads\IPTVlist.zip
2020-09-04 10:23 - 2020-09-04 10:23 - 000000000 ____D C:\Users\Все пользователи\Malwarebytes
2020-09-04 10:23 - 2020-09-04 10:23 - 000000000 ____D C:\ProgramData\Malwarebytes
2020-09-04 10:22 - 2020-09-04 10:22 - 002040904 _____ (Malwarebytes) C:\Users\Владелец\Downloads\MBSetup (2).exe
2020-09-04 10:04 - 2020-09-04 10:14 - 000000000 ____D C:\Users\Все пользователи\Doctor Web
2020-09-04 10:04 - 2020-09-04 10:14 - 000000000 ____D C:\ProgramData\Doctor Web
2020-09-04 10:04 - 2020-09-04 10:04 - 000000000 ____D C:\Users\Владелец\Doctor Web
2020-09-04 09:59 - 2020-09-04 10:04 - 225791456 _____ C:\Users\Владелец\Downloads\ukhtyh9v.exe
2020-09-03 16:47 - 2020-09-03 16:47 - 000000000 ____D C:\Windows\pss
2020-09-03 16:42 - 2020-09-03 16:45 - 000000000 ____D C:\EEK
2020-09-03 16:42 - 2020-09-03 16:42 - 000000000 ____D C:\Users\Все пользователи\Emsisoft
2020-09-03 16:42 - 2020-09-03 16:42 - 000000000 ____D C:\ProgramData\Emsisoft
2020-09-03 16:36 - 2020-09-03 16:41 - 322858000 _____ C:\Users\Владелец\Downloads\EmsisoftEmergencyKit.exe
2020-09-03 16:32 - 2020-09-03 16:32 - 000002196 _____ C:\Windows\system32\.crusader
2020-09-03 16:29 - 2020-09-03 16:33 - 000000000 ____D C:\Users\Все пользователи\HitmanPro
2020-09-03 16:29 - 2020-09-03 16:33 - 000000000 ____D C:\ProgramData\HitmanPro
2020-09-03 16:29 - 2020-09-03 16:29 - 011429976 _____ (SurfRight B.V.) C:\Users\Владелец\Downloads\HitmanPro_x64.exe
2020-09-03 16:11 - 2020-09-03 16:11 - 002040904 _____ (Malwarebytes) C:\Users\Владелец\Downloads\MBSetup (1).exe
2020-09-03 16:08 - 2020-09-04 09:50 - 000267434 _____ C:\Windows\ZAM.krnl.trace
2020-09-03 16:08 - 2020-09-04 09:50 - 000000000 ____D C:\Users\Владелец\AppData\Local\AMSDK
2020-09-03 16:08 - 2020-09-03 16:08 - 000000000 ____D C:\Users\Владелец\AppData\Local\Zemana
2020-09-03 16:07 - 2020-09-03 16:07 - 012795472 _____ (Zemana Ltd. ) C:\Users\Владелец\Downloads\AntiMalware_Setup.exe
2020-09-03 15:03 - 2020-09-03 15:03 - 000004684 _____ C:\Users\Владелец\Downloads\Auslogics Anti-Malware v1.21.0.4 (RePack & Portable) by TryRooM (x86+x64) [2020, MULTILANG+RUS] [rutracker-5861243] (2).torrent
2020-09-03 15:02 - 2020-09-03 15:02 - 000004684 _____ C:\Users\Владелец\Downloads\Auslogics Anti-Malware v1.21.0.4 (RePack & Portable) by TryRooM (x86+x64) [2020, MULTILANG+RUS] [rutracker-5861243] (1).torrent
2020-09-03 15:00 - 2020-09-14 14:28 - 000000000 ____D C:\Users\Владелец\AppData\Local\CrashDumps
2020-09-03 14:54 - 2020-09-03 14:54 - 000000000 ____D C:\Users\Владелец\Downloads\Auslogics Anti-Malware 1.21.0.4 (RePack & Portable) by TryRooM
2020-09-03 14:53 - 2020-09-03 14:53 - 000004684 _____ C:\Users\Владелец\Downloads\Auslogics Anti-Malware v1.21.0.4 (RePack & Portable) by TryRooM (x86+x64) [2020, MULTILANG+RUS] [rutracker-5861243].torrent
2020-09-03 14:35 - 2020-09-03 14:35 - 000000000 ____D C:\Users\Владелец\AppData\Local\mbam
2020-09-03 14:33 - 2020-09-03 14:33 - 002040904 _____ (Malwarebytes) C:\Users\Владелец\Downloads\MBSetup.exe
2020-09-03 10:07 - 2020-09-03 10:07 - 000087626 _____ C:\Users\Владелец\Downloads\6f8b0f57-568d-408c-90de-00404725a928-vaf.pdf
2020-09-03 10:02 - 2020-09-03 10:02 - 000087741 _____ C:\Users\Владелец\Downloads\8d78bff4-ace1-42e0-964f-5b93c5895270-vaf.pdf
2020-09-03 09:52 - 2020-09-03 09:52 - 000087699 _____ C:\Users\Владелец\Downloads\83e60449-2af3-4ac8-a272-e77199589762-vaf.pdf
2020-09-03 09:46 - 2020-09-03 09:46 - 000087693 _____ C:\Users\Владелец\Downloads\8d2e6e19-594e-449b-9b0b-6216021e1ab1-vaf.pdf
2020-09-03 09:38 - 2020-09-03 09:38 - 000087608 _____ C:\Users\Владелец\Downloads\fe9e5165-80f8-4173-bf3f-0ba9c3fff7d6-vaf.pdf
2020-09-03 09:31 - 2020-09-03 09:31 - 000087709 _____ C:\Users\Владелец\Downloads\ff42f5a2-5384-4d54-93ff-2673ef983fd6-vaf.pdf
2020-09-03 09:24 - 2020-09-03 09:24 - 000087729 _____ C:\Users\Владелец\Downloads\SHCHUKIN MYKHAYLO 2020-09-03-06-23 Submitted.pdf
2020-09-01 15:03 - 2020-07-06 12:46 - 000039448 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\phantomtap.sys
2020-09-01 15:02 - 2020-09-01 15:03 - 008286996 _____ C:\Users\Владелец\Downloads\Avira.Phantom.VPN.Pro.2.34.3.23032.rar
2020-08-31 11:37 - 2020-08-31 11:38 - 002805828 _____ C:\Users\Владелец\Desktop\NAVA ULYSSES-FSTM-RUSSIAN.pdf
2020-08-31 11:36 - 2020-08-31 11:36 - 001909913 _____ C:\Users\Владелец\Desktop\NAVA ULYSSES-STM-RUSSIAN.pdf
2020-08-28 15:28 - 2020-09-02 10:29 - 000000000 ____D C:\Users\Владелец\AppData\Local\Discord
2020-08-28 15:28 - 2020-09-02 10:28 - 000000000 ____D C:\Users\Владелец\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord Inc
2020-08-28 15:28 - 2020-09-02 10:28 - 000000000 ____D C:\Users\Владелец\AppData\Roaming\discord
2020-08-28 15:28 - 2020-08-28 15:28 - 000000000 ____D C:\Users\Владелец\AppData\Local\SquirrelTemp
2020-08-28 15:27 - 2020-08-28 15:28 - 062636856 _____ (Discord Inc.) C:\Users\Владелец\Downloads\DiscordSetup.exe
2020-08-26 10:15 - 2020-08-26 10:17 - 000000000 ____D C:\Users\Владелец\Desktop\1 ГОДИК
2020-08-26 09:47 - 2020-08-26 09:34 - 2532387468 _____ C:\Users\Владелец\Desktop\DropMeFiles_eSTFw.zip
2020-08-26 09:31 - 2020-08-26 09:34 - 2532387468 _____ C:\Users\Владелец\Downloads\DropMeFiles_eSTFw.zip
2020-08-21 10:31 - 2020-08-21 10:32 - 018028384 _____ C:\Users\Владелец\Downloads\Price_mixmebli_01.07.2020.xlsx

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-09-15 09:28 - 2017-01-25 17:16 - 000000000 ____D C:\Users\Владелец\AppData\LocalLow\Mozilla
2020-09-15 09:26 - 2009-07-14 07:45 - 000034816 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2020-09-15 09:26 - 2009-07-14 07:45 - 000034816 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2020-09-15 09:23 - 2011-04-12 16:26 - 000727458 _____ C:\Windows\system32\perfh019.dat
2020-09-15 09:23 - 2011-04-12 16:26 - 000151550 _____ C:\Windows\system32\perfc019.dat
2020-09-15 09:23 - 2009-07-14 08:13 - 001656642 _____ C:\Windows\system32\PerfStringBackup.INI
2020-09-15 09:23 - 2009-07-14 06:20 - 000000000 ____D C:\Windows\inf
2020-09-15 09:18 - 2020-02-21 15:55 - 000000000 ____D C:\Users\Владелец\AppData\Roaming\ViberPC
2020-09-15 09:18 - 2016-06-27 10:28 - 000001100 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2020-09-15 09:18 - 2016-06-16 16:04 - 000000000 ____D C:\Users\Владелец\Documents\Файлы Outlook
2020-09-15 09:18 - 2009-07-14 08:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2020-09-15 09:16 - 2016-06-17 09:08 - 000000000 ____D C:\Users\Все пользователи\TEMP
2020-09-15 09:16 - 2016-06-17 09:08 - 000000000 ____D C:\ProgramData\TEMP
2020-09-15 09:13 - 2020-02-21 15:55 - 000000000 ____D C:\Users\Владелец\Documents\ViberDownloads
2020-09-14 16:38 - 2016-06-27 10:28 - 000001104 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2020-09-11 17:22 - 2017-07-04 16:28 - 000000000 ____D C:\Users\Владелец\AppData\Local\UkrFerry
2020-09-11 10:44 - 2018-04-11 09:51 - 000022963 _____ C:\Users\Владелец\Desktop\ECDIS TRAINING - STATUS FORM.xlsx
2020-09-11 09:41 - 2016-06-27 10:28 - 000000000 ____D C:\Program Files (x86)\Dropbox
2020-09-11 09:27 - 2016-06-16 16:55 - 000002220 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2020-09-11 09:26 - 2020-06-26 14:15 - 000002235 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2020-09-11 09:26 - 2020-06-26 14:15 - 000002194 _____ C:\Users\Все пользователи\Desktop\Microsoft Edge.lnk
2020-09-11 09:26 - 2020-06-26 14:15 - 000002194 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2020-09-11 09:26 - 2020-06-26 14:15 - 000002194 _____ C:\ProgramData\Desktop\Microsoft Edge.lnk
2020-09-10 14:14 - 2018-06-15 09:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2020-09-10 09:17 - 2009-07-14 08:32 - 000000000 ____D C:\Windows\system32\FxsTmp
2020-09-09 17:44 - 2016-06-16 11:03 - 000000000 ____D C:\Users\Все пользователи\Microsoft Help
2020-09-09 17:43 - 2016-06-22 17:15 - 000000000 ____D C:\Windows\system32\MRT
2020-09-09 17:41 - 2016-06-22 17:15 - 129170736 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2020-09-09 12:18 - 2017-11-14 11:36 - 000000000 ____D C:\Users\Владелец\Desktop\USA VISA
2020-09-04 10:34 - 2016-06-14 14:59 - 000000000 ____D C:\Users\Владелец
2020-09-04 10:23 - 2017-06-06 09:27 - 000185498 _____ C:\Windows\ntbtlog.txt
2020-09-03 16:32 - 2016-06-17 09:00 - 000000000 ____D C:\Users\Владелец\AppData\Roaming\uTorrent
2020-09-03 15:02 - 2020-03-02 14:23 - 000000000 ____D C:\Users\Владелец\AppData\LocalLow\uTorrent
2020-09-03 15:02 - 2019-04-26 11:39 - 000000000 ____D C:\Users\Владелец\AppData\Local\BitTorrentHelper
2020-09-03 14:40 - 2016-12-05 12:40 - 000002305 _____ C:\Users\Владелец\Desktop\Google Chrome.lnk
2020-09-02 14:18 - 2017-06-27 12:33 - 000000000 ____D C:\Program Files\Mozilla Firefox
2020-09-02 10:09 - 2018-03-01 11:22 - 000011536 _____ C:\Users\Владелец\Desktop\ГАЗ - ОПЛАТА.xlsx
2020-08-28 09:21 - 2020-06-26 14:15 - 000003512 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2020-08-28 09:21 - 2020-06-26 14:15 - 000003384 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2020-08-21 09:22 - 2016-06-14 18:56 - 000002059 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2020-08-17 14:15 - 2018-06-18 17:43 - 000000000 ____D C:\КОММУНАЛКА

==================== Files in the root of some directories ========

2019-07-09 11:06 - 2019-07-09 11:06 - 000000022 _____ () C:\Users\Владелец\AppData\Roaming\langInstall.exe
2016-12-05 18:41 - 2016-12-05 18:41 - 000000017 _____ () C:\Users\Владелец\AppData\Local\resmon.resmoncfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

LastRegBack: 2020-09-07 13:32
==================== End of FRST.txt ========================
UNQUOTE

nasdaq · Sep 15, 2020

Hi,
Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

kozav100 · Sep 15, 2020

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-09-2020
Ran by User (15-09-2020 16:47:09) Run:1
Running from C:\Users\Владелец\Desktop\Farbar Recovery Scan Tool
Loaded Profiles: User
Boot Mode: Normal
==============================================

fixlist content:
*****************
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
GroupPolicy\User: Restriction ? <==== ATTENTION
FF Plugin: @videolan.org/vlc,version=3.0.7.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
CHR HomePage: Default -> mail.ru/cnt/11956636?rciguc__PARAM__
CHR StartupUrls: Profile 1 -> "hxxp://mail.ru/cnt/10445?gp=821268","hxxps://www.google.com/"
CHR HKLM-x32\...\Chrome\Extension: [ehfjihahbphdpljpiadbkmgmhnfehhgi]
S3 fiddrv64; no ImagePath
S1 amsdk; \??\C:\Windows\system32\drivers\amsdk.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
AlternateDataStreams: C:\SNOWING AT ODESSA 17-19-JAN-2016:com.dropbox.attributes [168]
AlternateDataStreams: C:\ProgramData\TEMP:FD9CE1F3 [292]
AlternateDataStreams: C:\Users\??? ????????????\TEMP:FD9CE1F3 [292]
SearchScopes: HKU\S-1-5-21-3247224823-1321410192-2680924528-1000 -> DefaultScope {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = hxxps://yandex.ru/search/?text={searchTerms}&clid=2261463
SearchScopes: HKU\S-1-5-21-3247224823-1321410192-2680924528-1000 -> {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = hxxps://yandex.ru/search/?text={searchTerms}&clid=2261463
FirewallRules: [{8F3D6F9B-F69C-4607-993D-933EC6512654}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins5B87\Setup.exe => No File
FirewallRules: [{67F9334C-2730-4317-A736-615FD7ED5B26}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins5B87\Setup.exe => No File
FirewallRules: [{98F57984-E087-475D-9438-41784505DAB5}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins5B87\Setup.exe => No File
FirewallRules: [{7B6E2F75-8304-4757-968B-BA39E61B66E8}] => (Allow) C:\Users\????????\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{85EDA6C8-C071-4398-A49E-B00AE33F1D4F}] => (Allow) C:\Users\????????\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{DC445717-623B-44F6-83B8-C2B66298CE95}] => (Allow) C:\Users\????????\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{BAF8617E-E15C-41DD-BD4A-AA08BED7CE83}] => (Allow) C:\Users\????????\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{EE6572CB-32B6-489D-A0F0-126EBA84386A}] => (Allow) C:\Users\????????\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{A92A8574-E0EF-4628-8163-37B5BEF06763}] => (Allow) C:\Users\????????\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{81F93B49-2606-4728-B381-3140D6DFDFB6}] => (Allow) C:\Users\????????\AppData\Local\Temp\7zS32BF\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{488147CF-272C-4CF2-AA2E-531BC6197124}] => (Allow) C:\Users\????????\AppData\Local\Temp\7zS32BF\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{AC0CBD35-5195-434F-99C2-09733331B9B6}] => (Allow) C:\Users\????????\AppData\Local\Amigo\Application\amigo.exe => No File
FirewallRules: [{D6F9D729-A7DB-4F6D-BEBA-C9CF6F3DCACA}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins45B6\Setup.exe => No File
FirewallRules: [{6E453898-2965-4B8F-A45F-D26136BE9660}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins45B6\Setup.exe => No File
FirewallRules: [{6769230C-E2A6-46CC-9B52-A6A64F2C677D}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins45B6\Setup.exe => No File
FirewallRules: [{CB0CE3D5-B155-4DB2-ADAA-B74520595847}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins953D\Setup.exe => No File
FirewallRules: [{931CA25F-5EC0-40A3-B806-901193847E45}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins953D\Setup.exe => No File
FirewallRules: [{5D4C5A80-A744-498D-A22A-BF556CA2F36C}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins953D\Setup.exe => No File
FirewallRules: [{E842C49E-24E4-4465-B0A2-2E08E740274C}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins683A\Setup.exe => No File
FirewallRules: [{2331CFFF-E10D-481F-880F-6D6C744144C8}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins683A\Setup.exe => No File
FirewallRules: [{D6B48DCD-5DA0-4675-A0F8-9F6A2B4E6F42}] => (Allow) C:\Users\????????\AppData\Local\Temp\Ins683A\Setup.exe => No File
FirewallRules: [{8EAC1D76-3CBD-4EDA-B4A1-80758E424B88}] => (Allow) C:\Program Files\BlueStacks\HD-Player.exe => No File
FirewallRules: [TCP Query User{892860D4-AA3E-4FDB-83F6-1558D72AFDFA}C:\telegram\telegram.exe] => (Block) C:\telegram\telegram.exe => No File
FirewallRules: [UDP Query User{3CF599AD-CFCC-470E-B902-CAE3AB77F9D2}C:\telegram\telegram.exe] => (Block) C:\telegram\telegram.exe => No File
FirewallRules: [TCP Query User{B710FA59-3809-423C-8F2F-C404BF6F7589}C:\users\????????\desktop\get_divan.exe] => (Allow) C:\users\????????\desktop\get_divan.exe => No File
FirewallRules: [UDP Query User{F364FAD1-85E3-454E-AF8F-7D251681F3F0}C:\users\????????\desktop\get_divan.exe] => (Allow) C:\users\????????\desktop\get_divan.exe => No File
FirewallRules: [TCP Query User{C4317C36-EEEC-4371-8AE6-50274C235CF2}C:\users\????????\desktop\divantv\get_divan.exe] => (Allow) C:\users\????????\desktop\divantv\get_divan.exe => No File
FirewallRules: [UDP Query User{6002DDB9-B1AA-409A-8E5A-F38C442D836D}C:\users\????????\desktop\divantv\get_divan.exe] => (Allow) C:\users\????????\desktop\divantv\get_divan.exe => No File
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
CMD: "%WINDIR%\SYSTEM32\lodctr.exe" /R
CMD: "%WINDIR%\SysWOW64\lodctr.exe" /R
CMD: "C:\Windows\SYSTEM32\lodctr.exe" /R
CMD: "C:\Windows\SysWOW64\lodctr.exe" /R
EmptyTemp:

*****************

SystemRestore: On => completed
Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.7.1 => removed successfully
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => removed successfully
"Chrome HomePage" => removed successfully
"Chrome StartupUrls" => removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ehfjihahbphdpljpiadbkmgmhnfehhgi => removed successfully
HKLM\System\CurrentControlSet\Services\fiddrv64 => removed successfully
fiddrv64 => service removed successfully
HKLM\System\CurrentControlSet\Services\amsdk => removed successfully
amsdk => service removed successfully
HKLM\System\CurrentControlSet\Services\dbx => removed successfully
dbx => service removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
C:\SNOWING AT ODESSA 17-19-JAN-2016 => ":com.dropbox.attributes" ADS removed successfully
C:\ProgramData\TEMP => ":FD9CE1F3" ADS removed successfully
"C:\Users\??? ????????????\TEMP" => ":FD9CE1F3" ADS not found.
"HKU\S-1-5-21-3247224823-1321410192-2680924528-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
HKU\S-1-5-21-3247224823-1321410192-2680924528-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8C3078A0-9AAB-4371-85D1-656CA8E46EE8} => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8F3D6F9B-F69C-4607-993D-933EC6512654}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{67F9334C-2730-4317-A736-615FD7ED5B26}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{98F57984-E087-475D-9438-41784505DAB5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7B6E2F75-8304-4757-968B-BA39E61B66E8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{85EDA6C8-C071-4398-A49E-B00AE33F1D4F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DC445717-623B-44F6-83B8-C2B66298CE95}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BAF8617E-E15C-41DD-BD4A-AA08BED7CE83}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EE6572CB-32B6-489D-A0F0-126EBA84386A}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A92A8574-E0EF-4628-8163-37B5BEF06763}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{81F93B49-2606-4728-B381-3140D6DFDFB6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{488147CF-272C-4CF2-AA2E-531BC6197124}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AC0CBD35-5195-434F-99C2-09733331B9B6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D6F9D729-A7DB-4F6D-BEBA-C9CF6F3DCACA}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6E453898-2965-4B8F-A45F-D26136BE9660}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6769230C-E2A6-46CC-9B52-A6A64F2C677D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CB0CE3D5-B155-4DB2-ADAA-B74520595847}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{931CA25F-5EC0-40A3-B806-901193847E45}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5D4C5A80-A744-498D-A22A-BF556CA2F36C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E842C49E-24E4-4465-B0A2-2E08E740274C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2331CFFF-E10D-481F-880F-6D6C744144C8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D6B48DCD-5DA0-4675-A0F8-9F6A2B4E6F42}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8EAC1D76-3CBD-4EDA-B4A1-80758E424B88}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{892860D4-AA3E-4FDB-83F6-1558D72AFDFA}C:\telegram\telegram.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{3CF599AD-CFCC-470E-B902-CAE3AB77F9D2}C:\telegram\telegram.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{B710FA59-3809-423C-8F2F-C404BF6F7589}C:\users\????????\desktop\get_divan.exe" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F364FAD1-85E3-454E-AF8F-7D251681F3F0}C:\users\????????\desktop\get_divan.exe" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{C4317C36-EEEC-4371-8AE6-50274C235CF2}C:\users\????????\desktop\divantv\get_divan.exe" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{6002DDB9-B1AA-409A-8E5A-F38C442D836D}C:\users\????????\desktop\divantv\get_divan.exe" => not found

========= netsh int ip reset =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.

========= End of CMD: =========

========= ipconfig /flushDNS =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= "%WINDIR%\SYSTEM32\lodctr.exe" /R =========

Info: Successfully rebuilt performance counter setting from system backup store
========= End of CMD: =========

========= "%WINDIR%\SysWOW64\lodctr.exe" /R =========

Info: Successfully rebuilt performance counter setting from system backup store
========= End of CMD: =========

========= "C:\Windows\SYSTEM32\lodctr.exe" /R =========

Info: Successfully rebuilt performance counter setting from system backup store
========= End of CMD: =========

========= "C:\Windows\SysWOW64\lodctr.exe" /R =========

Info: Successfully rebuilt performance counter setting from system backup store
========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 54556375 B
Java, Flash, Steam htmlcache => 1110 B
Windows/system/drivers => 139300461 B
Edge => 0 B
Chrome => 872097128 B
Firefox => 1123970893 B
Opera => 46110689 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 66228 B
ProgramData => 66228 B
systemprofile => 99414 B
systemprofile32 => 132600 B
LocalService => 198828 B
NetworkService => 5817592 B
Владелец => 3736053192 B

RecycleBin => 0 B
EmptyTemp: => 5.6 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 16:48:05 ====

kozav100 · Sep 16, 2020

What's next ?

nasdaq · Sep 16, 2020

Hi,

If the problem is still with the e-mail messages these are possibly infected or it's a false positive.

Are the messages from known contacts or someone else.
Any attachment with these messages?

You can submit these attachments if any to Virus total for inspection.
Follow the directives on this page.

VirusTotal

www.virustotal.com

===

Run this Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

Right-click the icon and select Run as administrator.[/*]
Click Yes to accept any security warnings that may appear.[/*]
Click the Next button.[/*]
Select 'I accept the terms in the license agreement', then click Next twice.[/*]
Click the Install button and wait until the installation is complete.[/*]
Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.[/*]
Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.[/*]
Click Yes to accept any security warnings that may appear.[/*]
After it updates and a "Start Scanning" button appears in the lower right:
- Disconnect from the Internet or physically unplug your Internet cable connection.[/*]
- Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.[/*]
- Temporarily disable your anti-virus and real-time anti-spyware protection.[/*]
[/*]

Click the "Start Scanning" button in the lower right to start the scan.[/*]
After starting the scan, do not use the computer until the scan has completed.[/*]
When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.[/*]
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.[/*]
If any threats are found click Details, then View Log file (bottom left-hand corner).[/*]
Copy and paste its contents in your next reply and note any errors encountered.[/*]
Close the Notepad document, close the Threat Details screen, then click Start cleanup.[/*]
Click Exit to close the program.[/*]
If no threats were found, please confirm that result.[/*]

Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log

Please post the contents of the log in your next reply and note any errors encountered.
===

Let me know what problem persists.

kozav100 · Sep 17, 2020

Dear nasdaq,

I would like to express my gratitude for providing help/assistance to this important matter.

This is business e-mail of one private enterprise and we get quite a lot of e-mail correspondence including unknown/unauthorized sources with different attachments. The majority of attachments appear to be PDF/WORD/EXCEL format docs only. But as you very well know, spammers love to attach also different viruses, making different tricks and hiding real viruses as ordinary documents…

Anyway, following your instructions I have download/installed and using the tool Sophos Virus Removal Tool and successfully scanned computer for viruses with result as follows:

Your computer is clean.

Number of threats found: 0

Brgds

Alexander

nasdaq · Sep 18, 2020

Hi,
Glad we could help.
Stay safe.

Search

virus VBA/TrojanDownloader.Agent.UFY trojan

kozav100

New Member

Attachments

nasdaq

Super Moderator

kozav100

New Member

nasdaq

Super Moderator

kozav100

New Member

nasdaq

Super Moderator

kozav100

New Member

Attachments

nasdaq

Super Moderator

Attachments

kozav100

New Member

kozav100

New Member

nasdaq

Super Moderator

VirusTotal

kozav100

New Member

nasdaq

Super Moderator

Similar threads