Hello,
I am from TSF Hardware Maintenance Team, and I have a Customer PC that I believe is infected with NEMUCOD Ransomware. The Ransomware virus has locked all the Customer files in all accounts with the ".Crypted" suffix. It has also locked all his files on his external usb 1TB hard drive as well as a small 64GB flash drive too. Customer has had this problem for a over a month; and I believe I'm the 2nd or 3rd Tech he's hired to fix his problem. He has 20 years worth of business files, excel spreadsheets and word docs, along with at least 50 folders worth of archived family photos in his My Pictures folder he cannot access. All the photo folders are empty; he tells me they have tons of photos in them; he doesn't remember how many GB worth. He's very desperate, and has done everything he can think of including installing several fix-it programs including antispyware Pro and several others which I've removed per your instructions.
Briefly here's what I've tried to fix the problem, and I'm of course looking for further help:
1.) Customer gave me copy of a DECRYPT.TXT file on his desktop with detailed instructions on how to unlock his files from virus author. Author demands payment of 0.44092 bitcoins [$253.37 USD] to unlock files. Gave Customer 3 days to unlock or decrypt key to be destroyed. Customer opted not to pay as he heard from friends it's a scam and doesn't believe virus author would unlock his files even after payment. I confirmed this information in that DECRYPT.TXT file still on his desktop.
2.) Isolated PC from network, and ran local tools including TrendMicro Ransomware Decrypter program to try and find and remove virus and unlock his files. No success.
3.) Upon further research, went to EMSISOFT.COM, a Ransomware help site and downloaded their Ransomware Decrypter tool specifically for the NEMUCOD Ransomware. Their decrypter file works; but only 1 file at a time, and I must have a copy of the non-encrypted file to decrypt each locked file. Was able to do this partially as a test by retrieving unlocked copies of a file (used .xls to test) from the Windows.old directory (he had unsuccessfully tried to upgrade to W10 last year and this year and both attempts failed). EMSISOFT decrypter does work and unlocks a test .xls file ok. However, he has 123,000+ files in his Windows.old directory and with this decrypter, those are the only files I can recover, and then only 1 at a time--a very tedious procedure. :nonono:
4.) I have placed a help request to the EMSISOFT support team to help me back on Thur. 8/18/2016. It's been over 72 hrs. and I have not heard a response back of any kind, and have bumped the request twice; 1 time >24 hrs., 2nd time >48 hrs. Their forum threads appear active and other people are getting help, but I know from working on TSF that your response time limit is 72 hrs., so I don't know why they aren't responding unless their site has a problem. Therefore I am here looking for help from you guys desperately!
5.) I do have access to Win7 boot media for all versions of Win7 as you asked. I repair computers for a living and have most tools Techs use to do so. Customer computer is a PC-Clone from ZT Systems bought at Costco about 6 years ago. It has an Intel i7-cpu879 CPU@2.90Ghz. Has 12GB PC3-10600 Kingston RAM, and an internal Hitachi HDS721010CLA332-ATA 1TB hard drive. HDD passed GSmartControl in UBCD diags both short and extended tests as did MEMTEST, 8 PASSES no errors found.
I am looking for a tool or help to unlock ALL his files on his C: drive, and if that works, I can then connect his external usb 1TB drive and his flash drive and attempt to unlock and recover those files as well.
******
Follows the 2 files dds.txt and attach.txt as requested from the dds.scr tool downloaded from your instructions.
DDS.TXT FILE:
******DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17840
Run by Owner at 5:21:28 on 2016-08-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12247.9482 [GMT -7:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe
C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\GWX\GWXConfigManager.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://bing/
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe
BHO: Candle Jar: {10bdb19e-8d73-42cf-81d3-8d5a9021cb3a} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\urlredir.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\d9c3780.lnk - C:\Windows\System32\cmd.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: C:\Windows\System32\LavasoftTcpService.dll
Trusted Zone: localhost
Trusted Zone: webcompanion.com
TCP: NameServer = 10.56.42.203
TCP: Interfaces\{641A7779-4719-4979-A321-EB184F63A0A2} : DHCPNameServer = 10.56.42.203
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\msosb.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Skype for Business Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\urlredir.dll
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\onbttnie.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\xqzad1mu.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - bing
FF - plugin: c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrlui.dll
FF - plugin: C:\Windows\System32\Macromed\Flash\NPSWF64_22_0_0_209.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-20 203776]
R2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2015-11-12 3189488]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 HP DS Service;HP DS Service;C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [2011-10-17 13824]
R2 HP LaserJet Service;HP LaserJet Service;C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2012-12-4 174592]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-11-14 114688]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2015-11-12 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2015-11-14 1255736]
.
=============== Created Last 30 ================
.
2016-08-19 19:37:57 -------- d-----w- C:\Users\Owner\RANSOMWARE REMOVAL TOOLS
2016-08-19 11:47:17 -------- d---a-w- C:\$Anvi Rescue Disk$
2016-08-17 23:44:16 -------- d-----w- C:\Windows\pss
2016-08-17 23:02:34 -------- d-----w- C:\MAINTENANCE
2016-08-17 20:34:03 -------- d-sh--w- C:\found.005
2016-07-30 00:01:56 -------- d-sh--w- C:\found.004
.
==================== Find3M ====================
.
2016-08-02 01:40:17 796352 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-08-02 01:40:17 142528 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2016-08-02 01:40:07 19527360 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2016-06-14 02:31:06 484008 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 5:21:44.63 ===============
Thanks for looking at my issue! :smile:
<<<BIGBEARJEDI>>>
I am from TSF Hardware Maintenance Team, and I have a Customer PC that I believe is infected with NEMUCOD Ransomware. The Ransomware virus has locked all the Customer files in all accounts with the ".Crypted" suffix. It has also locked all his files on his external usb 1TB hard drive as well as a small 64GB flash drive too. Customer has had this problem for a over a month; and I believe I'm the 2nd or 3rd Tech he's hired to fix his problem. He has 20 years worth of business files, excel spreadsheets and word docs, along with at least 50 folders worth of archived family photos in his My Pictures folder he cannot access. All the photo folders are empty; he tells me they have tons of photos in them; he doesn't remember how many GB worth. He's very desperate, and has done everything he can think of including installing several fix-it programs including antispyware Pro and several others which I've removed per your instructions.
Briefly here's what I've tried to fix the problem, and I'm of course looking for further help:
1.) Customer gave me copy of a DECRYPT.TXT file on his desktop with detailed instructions on how to unlock his files from virus author. Author demands payment of 0.44092 bitcoins [$253.37 USD] to unlock files. Gave Customer 3 days to unlock or decrypt key to be destroyed. Customer opted not to pay as he heard from friends it's a scam and doesn't believe virus author would unlock his files even after payment. I confirmed this information in that DECRYPT.TXT file still on his desktop.
2.) Isolated PC from network, and ran local tools including TrendMicro Ransomware Decrypter program to try and find and remove virus and unlock his files. No success.
3.) Upon further research, went to EMSISOFT.COM, a Ransomware help site and downloaded their Ransomware Decrypter tool specifically for the NEMUCOD Ransomware. Their decrypter file works; but only 1 file at a time, and I must have a copy of the non-encrypted file to decrypt each locked file. Was able to do this partially as a test by retrieving unlocked copies of a file (used .xls to test) from the Windows.old directory (he had unsuccessfully tried to upgrade to W10 last year and this year and both attempts failed). EMSISOFT decrypter does work and unlocks a test .xls file ok. However, he has 123,000+ files in his Windows.old directory and with this decrypter, those are the only files I can recover, and then only 1 at a time--a very tedious procedure. :nonono:
4.) I have placed a help request to the EMSISOFT support team to help me back on Thur. 8/18/2016. It's been over 72 hrs. and I have not heard a response back of any kind, and have bumped the request twice; 1 time >24 hrs., 2nd time >48 hrs. Their forum threads appear active and other people are getting help, but I know from working on TSF that your response time limit is 72 hrs., so I don't know why they aren't responding unless their site has a problem. Therefore I am here looking for help from you guys desperately!
5.) I do have access to Win7 boot media for all versions of Win7 as you asked. I repair computers for a living and have most tools Techs use to do so. Customer computer is a PC-Clone from ZT Systems bought at Costco about 6 years ago. It has an Intel i7-cpu879 CPU@2.90Ghz. Has 12GB PC3-10600 Kingston RAM, and an internal Hitachi HDS721010CLA332-ATA 1TB hard drive. HDD passed GSmartControl in UBCD diags both short and extended tests as did MEMTEST, 8 PASSES no errors found.
I am looking for a tool or help to unlock ALL his files on his C: drive, and if that works, I can then connect his external usb 1TB drive and his flash drive and attempt to unlock and recover those files as well.
******
Follows the 2 files dds.txt and attach.txt as requested from the dds.scr tool downloaded from your instructions.
DDS.TXT FILE:
******DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17840
Run by Owner at 5:21:28 on 2016-08-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12247.9482 [GMT -7:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe
C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\GWX\GWXConfigManager.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://bing/
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe
BHO: Candle Jar: {10bdb19e-8d73-42cf-81d3-8d5a9021cb3a} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\urlredir.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\d9c3780.lnk - C:\Windows\System32\cmd.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: C:\Windows\System32\LavasoftTcpService.dll
Trusted Zone: localhost
Trusted Zone: webcompanion.com
TCP: NameServer = 10.56.42.203
TCP: Interfaces\{641A7779-4719-4979-A321-EB184F63A0A2} : DHCPNameServer = 10.56.42.203
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\msosb.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Skype for Business Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\urlredir.dll
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\onbttnie.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\xqzad1mu.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - bing
FF - plugin: c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrlui.dll
FF - plugin: C:\Windows\System32\Macromed\Flash\NPSWF64_22_0_0_209.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-20 203776]
R2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2015-11-12 3189488]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 HP DS Service;HP DS Service;C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [2011-10-17 13824]
R2 HP LaserJet Service;HP LaserJet Service;C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2012-12-4 174592]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-11-14 114688]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2015-11-12 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2015-11-14 1255736]
.
=============== Created Last 30 ================
.
2016-08-19 19:37:57 -------- d-----w- C:\Users\Owner\RANSOMWARE REMOVAL TOOLS
2016-08-19 11:47:17 -------- d---a-w- C:\$Anvi Rescue Disk$
2016-08-17 23:44:16 -------- d-----w- C:\Windows\pss
2016-08-17 23:02:34 -------- d-----w- C:\MAINTENANCE
2016-08-17 20:34:03 -------- d-sh--w- C:\found.005
2016-07-30 00:01:56 -------- d-sh--w- C:\found.004
.
==================== Find3M ====================
.
2016-08-02 01:40:17 796352 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-08-02 01:40:17 142528 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2016-08-02 01:40:07 19527360 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2016-06-14 02:31:06 484008 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 5:21:44.63 ===============
Thanks for looking at my issue! :smile:
<<<BIGBEARJEDI>>>