
I believe my computer has been infected with CryptoWall Ransomware


  • This topic is locked
20 replies to this topic

#1 Trillogy

Trillogy

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birch Bay, Wa
  • Local time:01:02 AM

Posted 16 September 2014 - 02:23 AM

EDIT: Moved to Malware Removal. ~~boopme


I basically received a ransom note on my computer.  I am running AVG Free as an antivirus with current definitions.  AVG detected the virus and said it removed it.  To complete the removal, I had to restart my computer.  After restarting, AVG would again detect it and the cycle would repeat.  So, basically, the computer was unavailable to me.  I thought that since I had recently downloaded Malwarebytes to this computer, it was causing a false detection.  I had noticed a file called 4d518e.exe in my start menu, which had not been there before.  So, I uninstalled Malwarebytes and restarted the computer to see if the file was still there.  It had returned to the start menu.  I then uninstalled AVG (which I had also recently installed) and restarted.  The file was still back in the start menu, even though I had deleted it both before the Malwarebytes uninstall and the AVG uninstall.  I could also hear my hard drive running hard and see the CPU usage rise to near 90%.
 
About this time, I received basically a ransom note from notepad indicating that my data had been encrypted.  I have a screenshot saved in Paint of that, along with a screenshot of my desktop with the explorer files showing some sort of encryption.
 
Below is the information about the infected computer:
 
OS Name Microsoft Windows 7 Ultimate
Version 6.1.7601 Service Pack 1 Build 7601
Other OS Description  Not Available
OS Manufacturer Microsoft Corporation
System Name FAMILY-PC
System Manufacturer HP-Pavilion
System Model KZ720AA-ABA a6547c
System Type X86-based PC
Processor AMD Athlon™ 64 X2 Dual Core Processor 5000+, 2600 Mhz, 2 Core(s), 2 Logical Processor(s)
BIOS Version/Date Phoenix Technologies, LTD 5.13, 5/2/2008
SMBIOS Version 2.4
Windows Directory C:\Windows
System Directory C:\Windows\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "6.1.7601.17514"
User Name Family-PC\Family
Time Zone Pacific Daylight Time
Installed Physical Memory (RAM) 4.00 GB
Total Physical Memory 3.37 GB
Available Physical Memory 2.73 GB
Total Virtual Memory 6.75 GB
Available Virtual Memory 6.04 GB
Page File Space 3.37 GB
Page File C:\pagefile.sys
 
If I understand the way this virus works, I will not get back the infected data.  That is okay with me, but I would certainly appreciate any help in removing the virus from the computer.  The screenshots I have, I saved in Windows Paint.  But, I am not aware how to paste that here.  So, if you wish to view the two screenshots, please let me know how to paste it to the forum.
 
Thank you,
Gary

Edited by boopme, 16 September 2014 - 09:33 AM.



#2 Trillogy

Trillogy
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birch Bay, Wa
  • Local time:01:02 AM

Posted 19 September 2014 - 04:38 PM

I have not received any replies to this post.  Anyone else have this type of issue?



#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:02 AM

Posted 21 September 2014 - 02:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/548513 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Trillogy

Trillogy
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birch Bay, Wa
  • Local time:01:02 AM

Posted 21 September 2014 - 07:41 PM

I believe I gave a fairly clear explanation of the problem, but will be happy to supply more if necessary.  As for a DDS log, if I use the infected computer to download and start that log, will the virus be able to infect other computers on my home network?



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:02 AM

Posted 22 September 2014 - 07:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please post the log from this scan.

The log is only a text file and will not infect other computers.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#6 Trillogy

Trillogy
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birch Bay, Wa
  • Local time:01:02 AM

Posted 24 September 2014 - 04:25 PM

nasdaq, I appreciate your help.

 

Here are the results of the Farbar Recovery Scan Tool:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-09-2014
Ran by Family (administrator) on FAMILY-PC on 24-09-2014 14:04:44
Running from C:\Users\Family\Desktop
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
() C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
() C:\Program Files\pcreg\service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
() C:\Program Files\pcreg\service.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\pcreg\service.exe
(Ralink Technology, Corp.) C:\Program Files\RALINK\Common\RaUI.exe
(Farbar) C:\Users\Family\Desktop\furbar recovery scan tool 32 bit.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [83416 2014-01-04] ()
HKLM\...\Run: [mobilegeni daemon] => C:\Program Files\Mobogenie\DaemonProcess.exe                                                                                    
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2331129595-1848518947-1044182941-1000\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [83416 2014-01-04] ()
HKU\S-1-5-21-2331129595-1848518947-1044182941-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2331129595-1848518947-1044182941-1000\...\MountPoints2: {0a50edb0-99ad-11e2-b82a-806e6f6e6963} - E:\LaunchU3.exe -a
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
ShortcutTarget: Ralink Wireless Utility.lnk -> C:\Program Files\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML ()
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT ()
InternetURL: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL -> https://kpai7ycr7jxqkilp.onion.lt/evzU
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xD0F94C997CA3CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {A086B2A4-E781-4066-8523-C2C572394660} URL = https://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)

Chrome:
=======
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
R2 RalinkRegistryWriter; C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe [54272 2008-02-22] () [File not signed]
S2 vToolbarUpdater17.0.12; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [657408 2009-07-13] (Ralink Technology Corp.)
S3 rt70x86; C:\Windows\System32\DRIVERS\netr70.sys [291840 2007-10-09] (Ralink Technology Corp.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13464 2013-11-18] ()
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
S3 NVNET; system32\DRIVERS\nvmf6232.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 WinRing0_1_2_0; \??\C:\Users\Family\AppData\Local\Temp\tmpA121.tmp [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-24 14:04 - 2014-09-24 14:05 - 00007635 _____ () C:\Users\Family\Desktop\FRST.txt
2014-09-24 14:04 - 2014-09-24 14:04 - 00000000 ____D () C:\FRST
2014-09-24 14:04 - 2014-09-24 14:00 - 01098240 _____ (Farbar) C:\Users\Family\Desktop\furbar recovery scan tool 32 bit.exe
2014-09-24 13:53 - 2014-09-24 13:41 - 02106880 _____ (Farbar) C:\Users\Family\Desktop\farbar recovery scan tool.exe
2014-09-15 23:29 - 2014-09-15 23:29 - 00000922 _____ () C:\Users\Family\Desktop\my system.txt
2014-09-15 18:07 - 2014-09-15 18:07 - 00008174 _____ () C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.HTML
2014-09-15 18:07 - 2014-09-15 18:07 - 00008174 _____ () C:\Users\Family\DECRYPT_INSTRUCTION.HTML
2014-09-15 18:07 - 2014-09-15 18:07 - 00008174 _____ () C:\Users\DECRYPT_INSTRUCTION.HTML
2014-09-15 18:07 - 2014-09-15 18:07 - 00008174 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-09-15 18:07 - 2014-09-15 18:07 - 00004132 _____ () C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.TXT
2014-09-15 18:07 - 2014-09-15 18:07 - 00004132 _____ () C:\Users\Family\DECRYPT_INSTRUCTION.TXT
2014-09-15 18:07 - 2014-09-15 18:07 - 00004132 _____ () C:\Users\DECRYPT_INSTRUCTION.TXT
2014-09-15 18:07 - 2014-09-15 18:07 - 00004132 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-09-15 18:07 - 2014-09-15 18:07 - 00000254 _____ () C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.URL
2014-09-15 18:07 - 2014-09-15 18:07 - 00000254 _____ () C:\Users\Family\DECRYPT_INSTRUCTION.URL
2014-09-15 18:07 - 2014-09-15 18:07 - 00000254 _____ () C:\Users\DECRYPT_INSTRUCTION.URL
2014-09-15 18:07 - 2014-09-15 18:07 - 00000254 _____ () C:\DECRYPT_INSTRUCTION.URL
2014-09-15 16:08 - 2014-09-15 16:08 - 00008172 _____ () C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:08 - 2014-09-15 16:08 - 00008172 _____ () C:\Users\Family\Documents\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:08 - 2014-09-15 16:08 - 00008172 _____ () C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:08 - 2014-09-15 16:08 - 00008172 _____ () C:\Users\Family\AppData\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:08 - 2014-09-15 16:08 - 00004130 _____ () C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:08 - 2014-09-15 16:08 - 00004130 _____ () C:\Users\Family\Documents\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:08 - 2014-09-15 16:08 - 00004130 _____ () C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:08 - 2014-09-15 16:08 - 00004130 _____ () C:\Users\Family\AppData\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:08 - 2014-09-15 16:08 - 00000252 _____ () C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.URL
2014-09-15 16:08 - 2014-09-15 16:08 - 00000252 _____ () C:\Users\Family\Documents\DECRYPT_INSTRUCTION.URL
2014-09-15 16:08 - 2014-09-15 16:08 - 00000252 _____ () C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-09-15 16:08 - 2014-09-15 16:08 - 00000252 _____ () C:\Users\Family\AppData\DECRYPT_INSTRUCTION.URL
2014-09-15 16:07 - 2014-09-15 16:07 - 00008172 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:07 - 2014-09-15 16:07 - 00004130 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:07 - 2014-09-15 16:07 - 00000252 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
2014-09-15 15:03 - 2014-09-15 15:03 - 00000852 _____ () C:\Users\Family\Downloads\debug.log
2014-09-15 14:54 - 2014-09-15 14:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-09-15 14:54 - 2014-09-15 14:54 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-09-15 14:54 - 2014-09-15 14:53 - 00272808 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-09-15 14:54 - 2014-09-15 14:53 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-09-15 14:54 - 2014-09-15 14:53 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-09-15 14:54 - 2014-09-15 14:53 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-09-15 14:53 - 2014-09-15 14:53 - 00000000 ____D () C:\Program Files\Java
2014-09-14 10:57 - 2014-09-14 10:57 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-14 10:52 - 2014-09-14 10:55 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Family\Downloads\mbam-setup-2.0.2.1012.exe
2014-09-14 02:23 - 2014-09-14 02:23 - 00000000 ____D () C:\Users\Family\AppData\Roaming\TuneUp Software
2014-09-14 02:22 - 2014-09-15 17:55 - 00000000 ____D () C:\ProgramData\AVG2015
2014-09-14 02:12 - 2014-09-15 17:55 - 00000000 ____D () C:\ProgramData\MFAData
2014-09-14 02:12 - 2014-09-14 02:12 - 00000000 ____D () C:\Users\Family\AppData\Local\MFAData
2014-09-14 02:11 - 2014-09-14 02:11 - 04579176 _____ (AVG Technologies) C:\Users\Family\Downloads\avg_free_stb_all_2015_5315_cnet.exe
2014-09-14 02:10 - 2014-09-15 18:02 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-14 02:10 - 2014-09-14 02:10 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-14 02:10 - 2014-09-14 02:10 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-09-14 01:52 - 2014-09-14 01:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ralink Wireless
2014-09-14 01:48 - 2014-09-14 01:48 - 00000000 ____D () C:\Program Files\RALINK
2014-09-14 01:48 - 2007-10-09 13:43 - 00291840 _____ (Ralink Technology Corp.) C:\Windows\system32\Drivers\netr70.sys
2014-09-14 01:35 - 2014-09-14 01:24 - 35625327 _____ (Macrovision Corporation) C:\Users\Family\Downloads\IS_AP_STA_2500USB_D-2.1.1.15_VA-3.1.0.0_RU-2.1.1.0_VA-2.1.1.0_AU-2.0.0.0_VA-2.0.0.0_021209_0.1.0.46_.exe
2014-09-13 03:06 - 2014-09-13 03:06 - 00000000 ____D () C:\Users\Family\AppData\Local\DriverTuner

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-24 14:05 - 2014-09-24 14:04 - 00007635 _____ () C:\Users\Family\Desktop\FRST.txt
2014-09-24 14:04 - 2014-09-24 14:04 - 00000000 ____D () C:\FRST
2014-09-24 14:03 - 2013-04-07 16:09 - 00000354 _____ () C:\Windows\Tasks\SmartPCFix Task.job
2014-09-24 14:03 - 2013-03-30 21:14 - 02040410 _____ () C:\Windows\WindowsUpdate.log
2014-09-24 14:03 - 2009-07-13 21:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-24 14:03 - 2009-07-13 21:39 - 00030740 _____ () C:\Windows\setupact.log
2014-09-24 14:00 - 2014-09-24 14:04 - 01098240 _____ (Farbar) C:\Users\Family\Desktop\furbar recovery scan tool 32 bit.exe
2014-09-24 13:57 - 2009-07-13 21:34 - 00016944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-24 13:57 - 2009-07-13 21:34 - 00016944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-24 13:55 - 2013-03-30 21:17 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-24 13:41 - 2014-09-24 13:53 - 02106880 _____ (Farbar) C:\Users\Family\Desktop\farbar recovery scan tool.exe
2014-09-15 23:29 - 2014-09-15 23:29 - 00000922 _____ () C:\Users\Family\Desktop\my system.txt
2014-09-15 18:07 - 2014-09-15 18:07 - 00008174 _____ () C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.HTML
2014-09-15 18:07 - 2014-09-15 18:07 - 00008174 _____ () C:\Users\Family\DECRYPT_INSTRUCTION.HTML
2014-09-15 18:07 - 2014-09-15 18:07 - 00008174 _____ () C:\Users\DECRYPT_INSTRUCTION.HTML
2014-09-15 18:07 - 2014-09-15 18:07 - 00008174 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-09-15 18:07 - 2014-09-15 18:07 - 00004132 _____ () C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.TXT
2014-09-15 18:07 - 2014-09-15 18:07 - 00004132 _____ () C:\Users\Family\DECRYPT_INSTRUCTION.TXT
2014-09-15 18:07 - 2014-09-15 18:07 - 00004132 _____ () C:\Users\DECRYPT_INSTRUCTION.TXT
2014-09-15 18:07 - 2014-09-15 18:07 - 00004132 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-09-15 18:07 - 2014-09-15 18:07 - 00000254 _____ () C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.URL
2014-09-15 18:07 - 2014-09-15 18:07 - 00000254 _____ () C:\Users\Family\DECRYPT_INSTRUCTION.URL
2014-09-15 18:07 - 2014-09-15 18:07 - 00000254 _____ () C:\Users\DECRYPT_INSTRUCTION.URL
2014-09-15 18:07 - 2014-09-15 18:07 - 00000254 _____ () C:\DECRYPT_INSTRUCTION.URL
2014-09-15 18:07 - 2013-03-30 20:27 - 00000000 ____D () C:\Users\Family
2014-09-15 18:02 - 2014-09-14 02:10 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-15 17:55 - 2014-09-14 02:22 - 00000000 ____D () C:\ProgramData\AVG2015
2014-09-15 17:55 - 2014-09-14 02:12 - 00000000 ____D () C:\ProgramData\MFAData
2014-09-15 17:55 - 2013-04-01 10:20 - 00494522 _____ () C:\Windows\PFRO.log
2014-09-15 16:08 - 2014-09-15 16:08 - 00008172 _____ () C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:08 - 2014-09-15 16:08 - 00008172 _____ () C:\Users\Family\Documents\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:08 - 2014-09-15 16:08 - 00008172 _____ () C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:08 - 2014-09-15 16:08 - 00008172 _____ () C:\Users\Family\AppData\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:08 - 2014-09-15 16:08 - 00004130 _____ () C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:08 - 2014-09-15 16:08 - 00004130 _____ () C:\Users\Family\Documents\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:08 - 2014-09-15 16:08 - 00004130 _____ () C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:08 - 2014-09-15 16:08 - 00004130 _____ () C:\Users\Family\AppData\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:08 - 2014-09-15 16:08 - 00000252 _____ () C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.URL
2014-09-15 16:08 - 2014-09-15 16:08 - 00000252 _____ () C:\Users\Family\Documents\DECRYPT_INSTRUCTION.URL
2014-09-15 16:08 - 2014-09-15 16:08 - 00000252 _____ () C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-09-15 16:08 - 2014-09-15 16:08 - 00000252 _____ () C:\Users\Family\AppData\DECRYPT_INSTRUCTION.URL
2014-09-15 16:08 - 2014-01-18 12:02 - 00000000 ____D () C:\Users\Family\Documents\PC Speed Maximizer
2014-09-15 16:08 - 2014-01-18 12:00 - 00000000 ____D () C:\Users\Family\AppData\Local\Mobogenie
2014-09-15 16:08 - 2013-11-07 17:38 - 00000000 ____D () C:\Users\Family\AppData\Local\SlimWare Utilities Inc
2014-09-15 16:08 - 2013-10-19 21:27 - 00000000 ____D () C:\Users\Family\AppData\Local\Roblox
2014-09-15 16:08 - 2013-09-14 16:51 - 00735999 _____ () C:\Users\Family\Downloads\dresscaillou.dcr
2014-09-15 16:08 - 2013-09-14 07:18 - 00000000 ____D () C:\Users\Family\Documents\Optimizer Pro
2014-09-15 16:08 - 2013-06-24 22:15 - 02122039 _____ () C:\Users\Family\Downloads\game.dcr
2014-09-15 16:08 - 2013-04-05 15:56 - 02217988 _____ () C:\Users\Family\Downloads\battleblitz (1).dcr
2014-09-15 16:08 - 2013-04-05 15:55 - 02217988 _____ () C:\Users\Family\Downloads\battleblitz.dcr
2014-09-15 16:08 - 2013-04-05 09:59 - 09089417 _____ () C:\Users\Family\Downloads\hopeless2 (1).dcr
2014-09-15 16:08 - 2013-04-05 09:58 - 09089417 _____ () C:\Users\Family\Downloads\hopeless2.dcr
2014-09-15 16:07 - 2014-09-15 16:07 - 00008172 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-09-15 16:07 - 2014-09-15 16:07 - 00004130 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-09-15 16:07 - 2014-09-15 16:07 - 00000252 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
2014-09-15 16:07 - 2013-10-11 21:15 - 00000000 ____D () C:\ProgramData\Motive
2014-09-15 16:07 - 2013-09-11 10:00 - 00000000 ____D () C:\ProgramData\Knowledge Adventure
2014-09-15 16:07 - 2013-04-05 16:00 - 00000000 ____D () C:\Users\Family\AppData\Local\Microsoft Games
2014-09-15 16:07 - 2013-04-05 11:30 - 00000000 ____D () C:\ProgramData\HP
2014-09-15 16:07 - 2013-04-05 11:28 - 00000000 ____D () C:\Users\Family\AppData\Local\HP
2014-09-15 16:05 - 2009-07-13 19:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-09-15 15:03 - 2014-09-15 15:03 - 00000852 _____ () C:\Users\Family\Downloads\debug.log
2014-09-15 14:57 - 2013-12-23 13:56 - 00000000 ____D () C:\ProgramData\Oracle
2014-09-15 14:54 - 2014-09-15 14:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-09-15 14:54 - 2014-09-15 14:54 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-09-15 14:53 - 2014-09-15 14:54 - 00272808 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-09-15 14:53 - 2014-09-15 14:54 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-09-15 14:53 - 2014-09-15 14:54 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-09-15 14:53 - 2014-09-15 14:54 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-09-15 14:53 - 2014-09-15 14:53 - 00000000 ____D () C:\Program Files\Java
2014-09-15 14:40 - 2013-08-10 20:21 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-09-14 11:16 - 2014-01-18 11:58 - 00000000 ____D () C:\Users\Family\AppData\Local\Conduit
2014-09-14 11:16 - 2014-01-18 11:58 - 00000000 ____D () C:\Program Files\Conduit
2014-09-14 11:16 - 2014-01-18 11:20 - 00000000 ____D () C:\Program Files\Bench
2014-09-14 11:16 - 2013-09-07 14:31 - 00000000 ____D () C:\Users\Family\AppData\Roaming\Systweak
2014-09-14 10:57 - 2014-09-14 10:57 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-14 10:55 - 2014-09-14 10:52 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Family\Downloads\mbam-setup-2.0.2.1012.exe
2014-09-14 10:17 - 2014-01-18 11:19 - 00000000 ____D () C:\Program Files\pcreg
2014-09-14 10:09 - 2014-01-18 11:19 - 00000000 ____D () C:\Program Files\pcreginst
2014-09-14 03:00 - 2013-04-01 11:18 - 00000000 ____D () C:\Users\Family\AppData\Local\Google
2014-09-14 03:00 - 2013-04-01 11:18 - 00000000 ____D () C:\Program Files\Google
2014-09-14 03:00 - 2013-03-30 20:28 - 00001434 _____ () C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-09-14 02:48 - 2014-01-18 12:00 - 00000000 ____D () C:\Users\Family\AppData\Local\genienext
2014-09-14 02:23 - 2014-09-14 02:23 - 00000000 ____D () C:\Users\Family\AppData\Roaming\TuneUp Software
2014-09-14 02:12 - 2014-09-14 02:12 - 00000000 ____D () C:\Users\Family\AppData\Local\MFAData
2014-09-14 02:11 - 2014-09-14 02:11 - 04579176 _____ (AVG Technologies) C:\Users\Family\Downloads\avg_free_stb_all_2015_5315_cnet.exe
2014-09-14 02:10 - 2014-09-14 02:10 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-14 02:10 - 2014-09-14 02:10 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-09-14 01:52 - 2014-09-14 01:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ralink Wireless
2014-09-14 01:48 - 2014-09-14 01:48 - 00000000 ____D () C:\Program Files\RALINK
2014-09-14 01:24 - 2014-09-14 01:35 - 35625327 _____ (Macrovision Corporation) C:\Users\Family\Downloads\IS_AP_STA_2500USB_D-2.1.1.15_VA-3.1.0.0_RU-2.1.1.0_VA-2.1.1.0_AU-2.0.0.0_VA-2.0.0.0_021209_0.1.0.46_.exe
2014-09-13 03:06 - 2014-09-13 03:06 - 00000000 ____D () C:\Users\Family\AppData\Local\DriverTuner
2014-09-07 00:13 - 2013-04-02 21:14 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-08-26 21:23 - 2013-04-02 21:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

Files to move or delete:
====================
C:\Users\Public\AlexaNSISPlugin.2120.dll

Some content of TEMP:
====================
C:\Users\Family\AppData\Local\Temp\16952uninstall.exe
C:\Users\Family\AppData\Local\Temp\APNSetup.exe
C:\Users\Family\AppData\Local\Temp\AVG-Safeguard.exe
C:\Users\Family\AppData\Local\Temp\EnableExtDll.dll
C:\Users\Family\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\Family\AppData\Local\Temp\MSN4941.exe
C:\Users\Family\AppData\Local\Temp\oi_{30FB2316-E3A1-4820-AAEE-C13CF1F0DD7F}.exe
C:\Users\Family\AppData\Local\Temp\oi_{83A21650-A0D9-4EDD-8756-A53AB420BC5D}.exe
C:\Users\Family\AppData\Local\Temp\pcDesktopAlertNotifierX.dll
C:\Users\Family\AppData\Local\Temp\SendMsg.dll
C:\Users\Family\AppData\Local\Temp\Sqlite3.dll
C:\Users\Family\AppData\Local\Temp\tbVisu.dll
C:\Users\Family\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Family\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Family\AppData\Local\Temp\_is1F14.exe
C:\Users\Family\AppData\Local\Temp\_isCD58.exe
C:\Users\Family\AppData\Local\Temp\_isE310.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-09-07 00:35

==================== End Of Log ============================

The "additional" is listed below:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-09-2014
Ran by Family at 2014-09-24 14:05:41
Running from C:\Users\Family\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Microsoft Security Essentials (Enabled - Up to date) {3F839487-C7A2-C958-E30C-E2825BA31FB5}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}
AS: Microsoft Security Essentials (Enabled - Up to date) {84E27563-E198-C6D6-D9BC-D9F020245508}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.152 - Adobe Systems Incorporated)
HP Deskjet 2050 J510 series Basic Device Software (HKLM\...\{E654D1E3-B18B-4953-BFBC-F16227323E05}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
HP Deskjet 2050 J510 series Help (HKLM\...\{7A3DF2E2-CF13-44FB-A93E-F71D5381DB3F}) (Version: 140.0.61.61 - Hewlett Packard)
HP Update (HKLM\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java Auto Updater (Version: 2.1.67.1 - Oracle, Inc.) Hidden
Microsoft Security Client (Version: 4.2.0223.1 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.2.223.1 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Ralink Wireless LAN (HKLM\...\{E91E8912-769D-42F0-8408-0E329443BABC}) (Version: 1.00.0000 - RaLink)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2331129595-1848518947-1044182941-1000_Classes\CLSID\{083f5ae0-2b0a-11dd-bd0b-0800200c9a66}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2331129595-1848518947-1044182941-1000_Classes\CLSID\{5b55a44a-d008-49aa-9234-86fb7709bc0a}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:04 - 2014-02-01 15:38 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {049930BE-4144-4828-8BF1-2E228EAA3343} - \VisualBeeRecovery No Task File <==== ATTENTION
Task: {2821A4FA-45C4-414F-BC61-68B8483BBF80} - System32\Tasks\PCMeter\Startup => F:\PCMeterV0.3.exe
Task: {7A6B9F96-5CA4-4008-99E0-BF5EC4BB07B7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-14] (Adobe Systems Incorporated)
Task: {7B253F49-472D-4A67-BF0E-9D34AC135FEB} - System32\Tasks\IHUninstallTrackingTASK => CMD
Task: {9088F800-221F-4208-B4C1-09E92D65CDCF} - System32\Tasks\Games\UpdateCheck_S-1-5-21-2331129595-1848518947-1044182941-1000
Task: {D33CEC12-C1B3-4D1F-BD19-81BEF41254A2} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe [2014-01-04] () <==== ATTENTION
Task: {DB3DF13F-065D-4B0E-9CFE-B605C24DB5C9} - System32\Tasks\SmartPCFix Task => C:\Program Files\SmartPCFix\SmartPCFix.exe <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\SmartPCFix Task.job => C:\Program Files\SmartPCFix\SmartPCFix.exe <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2014-09-14 01:48 - 2008-02-22 18:10 - 00054272 _____ () C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
2014-01-04 03:11 - 2014-01-04 03:11 - 00083416 _____ () C:\Program Files\pcreg\service.exe

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:AD022376

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (09/15/2014 06:00:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 1.0.0.532, time stamp: 0x53518532
Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2be1e
Exception code: 0x40000015
Fault offset: 0x0008d6fd
Faulting process id: 0xd0c
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (09/15/2014 06:00:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 1.0.0.532, time stamp: 0x53518532
Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2be1e
Exception code: 0x40000015
Fault offset: 0x0008d6fd
Faulting process id: 0xa30
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (09/15/2014 05:53:38 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary AVGIDSDriver.

System Error:
The system cannot find the file specified.
.

Error: (09/15/2014 05:07:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: avgidsagent.exe, version: 15.0.0.5315, time stamp: 0x5409c9e8
Faulting module name: avgidsagent.exe, version: 15.0.0.5315, time stamp: 0x5409c9e8
Exception code: 0xc0000005
Fault offset: 0x001635b9
Faulting process id: 0x6c4
Faulting application start time: 0xavgidsagent.exe0
Faulting application path: avgidsagent.exe1
Faulting module path: avgidsagent.exe2
Report Id: avgidsagent.exe3

Error: (09/15/2014 05:00:39 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: avgidsagent.exe, version: 15.0.0.5315, time stamp: 0x5409c9e8
Faulting module name: avgidsagent.exe, version: 15.0.0.5315, time stamp: 0x5409c9e8
Exception code: 0xc0000005
Fault offset: 0x001635b9
Faulting process id: 0x798
Faulting application start time: 0xavgidsagent.exe0
Faulting application path: avgidsagent.exe1
Faulting module path: avgidsagent.exe2
Report Id: avgidsagent.exe3

Error: (09/15/2014 04:25:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: avgidsagent.exe, version: 15.0.0.5315, time stamp: 0x5409c9e8
Faulting module name: avgidsagent.exe, version: 15.0.0.5315, time stamp: 0x5409c9e8
Exception code: 0xc0000005
Fault offset: 0x001635b9
Faulting process id: 0x784
Faulting application start time: 0xavgidsagent.exe0
Faulting application path: avgidsagent.exe1
Faulting module path: avgidsagent.exe2
Report Id: avgidsagent.exe3

Error: (09/14/2014 10:40:02 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: taskeng.exe, version: 6.1.7601.17514, time stamp: 0x4ce79261
Faulting module name: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeaf722
Exception code: 0xc0000005
Fault offset: 0x0000aa6d
Faulting process id: 0x7d4
Faulting application start time: 0xtaskeng.exe0
Faulting application path: taskeng.exe1
Faulting module path: taskeng.exe2
Report Id: taskeng.exe3

Error: (09/14/2014 10:02:03 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: taskeng.exe, version: 6.1.7601.17514, time stamp: 0x4ce79261
Faulting module name: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeaf722
Exception code: 0xc0000005
Fault offset: 0x0000aa6d
Faulting process id: 0x1038
Faulting application start time: 0xtaskeng.exe0
Faulting application path: taskeng.exe1
Faulting module path: taskeng.exe2
Report Id: taskeng.exe3

Error: (09/14/2014 02:56:20 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: taskeng.exe, version: 6.1.7601.17514, time stamp: 0x4ce79261
Faulting module name: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeaf722
Exception code: 0xc0000005
Fault offset: 0x0000aa6d
Faulting process id: 0x510
Faulting application start time: 0xtaskeng.exe0
Faulting application path: taskeng.exe1
Faulting module path: taskeng.exe2
Report Id: taskeng.exe3

Error: (09/14/2014 01:47:53 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {1d08fc50-69ce-4c41-8705-80b6a6287ce0}

System errors:
=============
Error: (09/24/2014 02:03:34 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 112.5.0.0

 Update Source: %NT AUTHORITY51

 Update Stage: 4.2.0223.00

 Source Path: 4.2.0223.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\NETWORK SERVICE

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (09/24/2014 02:03:34 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.185.9.0

 Update Source: %NT AUTHORITY51

 Update Stage: 4.2.0223.00

 Source Path: 4.2.0223.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\NETWORK SERVICE

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (09/24/2014 02:03:34 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.185.9.0

 Update Source: %NT AUTHORITY51

 Update Stage: 4.2.0223.00

 Source Path: 4.2.0223.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\NETWORK SERVICE

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (09/24/2014 02:03:32 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.185.9.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.2.0223.00

 Source Path: 4.2.0223.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (09/24/2014 02:03:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vToolbarUpdater17.0.12 service failed to start due to the following error:
%%2

Error: (09/24/2014 01:51:05 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 112.5.0.0

 Update Source: %NT AUTHORITY51

 Update Stage: 4.2.0223.00

 Source Path: 4.2.0223.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\NETWORK SERVICE

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (09/24/2014 01:51:04 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.185.9.0

 Update Source: %NT AUTHORITY51

 Update Stage: 4.2.0223.00

 Source Path: 4.2.0223.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\NETWORK SERVICE

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (09/24/2014 01:51:04 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.185.9.0

 Update Source: %NT AUTHORITY51

 Update Stage: 4.2.0223.00

 Source Path: 4.2.0223.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\NETWORK SERVICE

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (09/24/2014 01:51:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vToolbarUpdater17.0.12 service failed to start due to the following error:
%%2

Error: (09/24/2014 01:51:02 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.185.9.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.2.0223.00

 Source Path: 4.2.0223.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Microsoft Office Sessions:
=========================
Error: (09/15/2014 06:00:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: mbam.exe1.0.0.53253518532MSVCR100.dll10.0.40219.3254df2be1e400000150008d6fdd0c01cfd149a7d5dbb0C:\Program Files\Malwarebytes Anti-Malware\mbam.exeC:\Program Files\Malwarebytes Anti-Malware\MSVCR100.dlle5afa0b0-3d3c-11e4-972e-001fc68a3221

Error: (09/15/2014 06:00:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: mbam.exe1.0.0.53253518532MSVCR100.dll10.0.40219.3254df2be1e400000150008d6fda3001cfd14999d04230C:\Program Files\Malwarebytes Anti-Malware\mbam.exeC:\Program Files\Malwarebytes Anti-Malware\MSVCR100.dlldb811f10-3d3c-11e4-972e-001fc68a3221

Error: (09/15/2014 05:53:38 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary AVGIDSDriver.

System Error:
The system cannot find the file specified.

Error: (09/15/2014 05:07:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: avgidsagent.exe15.0.0.53155409c9e8avgidsagent.exe15.0.0.53155409c9e8c0000005001635b96c401cfd141b9210c80C:\Program Files\AVG\AVG2015\avgidsagent.exeC:\Program Files\AVG\AVG2015\avgidsagent.exe6702e710-3d35-11e4-9809-001fc68a3221

Error: (09/15/2014 05:00:39 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: avgidsagent.exe15.0.0.53155409c9e8avgidsagent.exe15.0.0.53155409c9e8c0000005001635b979801cfd14108a721a0C:\Program Files\AVG\AVG2015\avgidsagent.exeC:\Program Files\AVG\AVG2015\avgidsagent.exe7dd50640-3d34-11e4-9933-001fc68a3221

Error: (09/15/2014 04:25:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: avgidsagent.exe15.0.0.53155409c9e8avgidsagent.exe15.0.0.53155409c9e8c0000005001635b978401cfd13c0f54cb60C:\Program Files\AVG\AVG2015\avgidsagent.exeC:\Program Files\AVG\AVG2015\avgidsagent.exe82c734c0-3d2f-11e4-9794-001fc68a3221

Error: (09/14/2014 10:40:02 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: taskeng.exe6.1.7601.175144ce79261msvcrt.dll7.0.7601.177444eeaf722c00000050000aa6d7d401cfd042e06443c0C:\Windows\system32\taskeng.exeC:\Windows\system32\msvcrt.dll278a19a0-3c36-11e4-8109-001fc68a3221

Error: (09/14/2014 10:02:03 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: taskeng.exe6.1.7601.175144ce79261msvcrt.dll7.0.7601.177444eeaf722c00000050000aa6d103801cfd03d97a2c8a0C:\Windows\system32\taskeng.exeC:\Windows\system32\msvcrt.dlld8da3f60-3c30-11e4-9f6a-001fc68a3221

Error: (09/14/2014 02:56:20 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: taskeng.exe6.1.7601.175144ce79261msvcrt.dll7.0.7601.177444eeaf722c00000050000aa6d51001cfd0021893e7a0C:\Windows\system32\taskeng.exeC:\Windows\system32\msvcrt.dll603371c0-3bf5-11e4-9f6a-001217841496

Error: (09/14/2014 01:47:53 AM) (Source: VSS) (EventID: 8194) (User: )
Description: 0x80070005, Access is denied.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {1d08fc50-69ce-4c41-8705-80b6a6287ce0}

==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual Core Processor 5000+
Percentage of memory in use: 20%
Total physical RAM: 3454.49 MB
Available physical RAM: 2752.17 MB
Total Pagefile: 6907.27 MB
Available Pagefile: 6177.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1883.15 MB

==================== Drives ================================

Drive c: (Windows7 Ultimate) (Fixed) (Total:465.66 GB) (Free:440.55 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#7 nasdaq

  • Malware Response Team
  • 38,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:02 AM

Posted 25 September 2014 - 08:18 AM


Clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
() C:\Program Files\pcreg\service.exe
HKLM\...\Run: [] => [X]
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [83416 2014-01-04] ()
HKLM\...\Run: [mobilegeni daemon] => C:\Program Files\Mobogenie\DaemonProcess.exe
HKU\S-1-5-21-2331129595-1848518947-1044182941-1000\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [83416 2014-01-04] ()
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML ()
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT ()
InternetURL: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL -> https://kpai7ycr7jxqkilp.onion.lt/evzU
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S2 vToolbarUpdater17.0.12; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
S3 NVNET; system32\DRIVERS\nvmf6232.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 WinRing0_1_2_0; \??\C:\Users\Family\AppData\Local\Temp\tmpA121.tmp [X]
C:\Program Files\pcreg
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL
Task: {049930BE-4144-4828-8BF1-2E228EAA3343} - \VisualBeeRecovery No Task File <==== ATTENTION
Task: {D33CEC12-C1B3-4D1F-BD19-81BEF41254A2} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe [2014-01-04] () <==== ATTENTION
Task: {DB3DF13F-065D-4B0E-9CFE-B605C24DB5C9} - System32\Tasks\SmartPCFix Task => C:\Program Files\SmartPCFix\SmartPCFix.exe <==== ATTENTION
Task: C:\Windows\Tasks\SmartPCFix Task.job => C:\Program Files\SmartPCFix\SmartPCFix.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:AD022376
C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\DECRYPT_INSTRUCTION.HTML
C:\Users\DECRYPT_INSTRUCTION.HTML
C:\DECRYPT_INSTRUCTION.HTML
 C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\DECRYPT_INSTRUCTION.TXT
C:\Users\DECRYPT_INSTRUCTION.TXT
C:\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.URL
C:\Users\Family\DECRYPT_INSTRUCTION.URL
C:\Users\DECRYPT_INSTRUCTION.URL
C:\DECRYPT_INSTRUCTION.URL
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.HTML
 C:\Users\Family\Documents\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\Documents\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.URL
C:\Users\Family\Documents\DECRYPT_INSTRUCTION.URL
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.URL
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.URL
C:\ProgramData\DECRYPT_INSTRUCTION.HTML
C:\ProgramData\DECRYPT_INSTRUCTION.TXT
C:\ProgramData\DECRYPT_INSTRUCTION.URL

End

Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

How is the computer running now?
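
As an added example (not part of nasdaq's post and not code from FRST), the script below shows how the entries nasdaq hand-picked into the fixlist can be triaged mechanically from FRST-style log lines: it flags `<==== ATTENTION` markers, `DECRYPT_INSTRUCTION.*` ransom-note paths, Run entries with no version/company information, services whose binary is missing (`[X]`) and alternate data streams, then drafts a fixlist in FRST's own `start` ... `End` format for a human to review before anything is run. The sample log lines are constructed from entries quoted in this thread; the category names and the unsigned-autorun heuristic are my own, and the `.onion` ransom-site URL from the thread is replaced by a placeholder.

```python
import re

# Constructed sample: a handful of FRST-style log lines modelled on the
# entries quoted in this thread (the ransom-note URL is a placeholder).
SAMPLE_LOG = r"""
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [83416 2014-01-04] ()
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML ()
InternetURL: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL -> https://example.invalid/ransom-note
Task: {049930BE-4144-4828-8BF1-2E228EAA3343} - \VisualBeeRecovery No Task File <==== ATTENTION
Task: {7A6B9F96-5CA4-4008-99E0-BF5EC4BB07B7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-14] (Adobe Systems Incorporated)
S2 vToolbarUpdater17.0.12; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [X]
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
2014-09-14 03:00 - 2013-04-01 11:18 - 00000000 ____D () C:\Program Files\Google
C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.TXT
"""

# CryptoWall drops its ransom note as DECRYPT_INSTRUCTION.{HTML,TXT,URL}
# in many folders; capture the full path up to and including the extension.
RANSOM_NOTE = re.compile(r'([A-Za-z]:\\.*?DECRYPT_INSTRUCTION\.[A-Za-z]+)',
                         re.IGNORECASE)
# FRST prints the file's company name in parentheses at the end of a Run
# entry; an empty "()" means no version information at all (heuristic:
# worth a human look, not proof of malice).
UNSIGNED_AUTORUN = re.compile(r'^HK(LM|U\\S-[\d-]+)\\\.\.\.\\Run: .*\(\)\s*$')
# Service/driver entries whose image is missing are marked "[X]" by FRST.
ORPHAN_SERVICE = re.compile(r'^[SRU][0-4] [^;]+; .*\[X\]$')


def classify(line):
    """Return a triage category for one FRST log line, or None if nothing
    in the line matches a known indicator. Order gives precedence: an
    explicit ATTENTION marker wins, then ransom-note paths, and so on."""
    s = line.strip()
    if not s:
        return None
    if '<==== ATTENTION' in s:
        return 'attention'
    if RANSOM_NOTE.search(s):
        return 'ransom_note'
    if s.startswith(('Startup:', 'InternetURL:')):
        return 'startup'
    if UNSIGNED_AUTORUN.match(s):
        return 'unsigned_autorun'
    if ORPHAN_SERVICE.match(s):
        return 'orphan_service'
    if s.startswith('AlternateDataStreams:'):
        return 'ads'
    return None


def triage(lines):
    """Classify every line; keep (category, stripped line) for the hits."""
    findings = []
    for line in lines:
        cat = classify(line)
        if cat:
            findings.append((cat, line.strip()))
    return findings


def ransom_note_paths(findings):
    """Bare ransom-note file paths, deduplicated, for the file-removal part
    of the fixlist (FRST deletes a bare path listed between start/End)."""
    paths = []
    for cat, line in findings:
        if cat == 'ransom_note':
            m = RANSOM_NOTE.search(line)
            if m and m.group(1) not in paths:
                paths.append(m.group(1))
    return paths


def build_fixlist(findings):
    """Draft a fixlist in FRST's format: the flagged log lines copied
    verbatim between 'start' and 'End' (FRST accepts log lines as-is,
    which is what nasdaq did), followed by any ransom-note paths that
    were not already present as bare lines."""
    body = [line for _, line in findings]
    body += [p for p in ransom_note_paths(findings) if p not in body]
    return "start\n" + "\n".join(body) + "\nEnd\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for cat, line in hits:
        print(f"{cat:17s} {line}")
    print()
    print(build_fixlist(hits))
```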

#8 Trillogy

  • Topic Starter
  • Members
  • 63 posts
  • Gender:Male
  • Location:Birch Bay, Wa
  • Local time:01:02 AM

Posted 25 September 2014 - 01:46 PM

Below is the Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-09-2014
Ran by Family at 2014-09-25 10:36:21 Run:1
Running from C:\Users\Family\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
() C:\Program Files\pcreg\service.exe
HKLM\...\Run: [] => [X]
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [83416 2014-01-04] ()
HKLM\...\Run: [mobilegeni daemon] => C:\Program Files\Mobogenie\DaemonProcess.exe
HKU\S-1-5-21-2331129595-1848518947-1044182941-1000\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [83416 2014-01-04] ()
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML ()
Startup: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT ()
InternetURL: C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL -> https://kpai7ycr7jxqkilp.onion.lt/evzU
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S2 vToolbarUpdater17.0.12; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
S3 NVNET; system32\DRIVERS\nvmf6232.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 WinRing0_1_2_0; \??\C:\Users\Family\AppData\Local\Temp\tmpA121.tmp [X]
C:\Program Files\pcreg
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL
Task: {049930BE-4144-4828-8BF1-2E228EAA3343} - \VisualBeeRecovery No Task File <==== ATTENTION
Task: {D33CEC12-C1B3-4D1F-BD19-81BEF41254A2} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe [2014-01-04] () <==== ATTENTION
Task: {DB3DF13F-065D-4B0E-9CFE-B605C24DB5C9} - System32\Tasks\SmartPCFix Task => C:\Program Files\SmartPCFix\SmartPCFix.exe <==== ATTENTION
Task: C:\Windows\Tasks\SmartPCFix Task.job => C:\Program Files\SmartPCFix\SmartPCFix.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:AD022376
C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\DECRYPT_INSTRUCTION.HTML
C:\Users\DECRYPT_INSTRUCTION.HTML
C:\DECRYPT_INSTRUCTION.HTML
 C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\DECRYPT_INSTRUCTION.TXT
C:\Users\DECRYPT_INSTRUCTION.TXT
C:\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.URL
C:\Users\Family\DECRYPT_INSTRUCTION.URL
C:\Users\DECRYPT_INSTRUCTION.URL
C:\DECRYPT_INSTRUCTION.URL
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.HTML
 C:\Users\Family\Documents\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.HTML
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\Documents\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.TXT
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.URL
C:\Users\Family\Documents\DECRYPT_INSTRUCTION.URL
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.URL
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.URL
C:\ProgramData\DECRYPT_INSTRUCTION.HTML
C:\ProgramData\DECRYPT_INSTRUCTION.TXT
C:\ProgramData\DECRYPT_INSTRUCTION.URL

End
*****************

[1672] C:\Program Files\pcreg\service.exe => Process closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\mobilegeni daemon => value deleted successfully.
HKU\S-1-5-21-2331129595-1848518947-1044182941-1000\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL => Moved successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => Key deleted successfully.
"HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}" => Key not found.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.
"HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
vToolbarUpdater17.0.12 => Service deleted successfully.
MBAMSwissArmy => Service deleted successfully.
MREMP50 => Service deleted successfully.
MREMPR5 => Service deleted successfully.
MRENDIS5 => Service deleted successfully.
MRESP50 => Service deleted successfully.
NVNET => Service deleted successfully.
Synth3dVsc => Service deleted successfully.
tsusbhub => Service deleted successfully.
VGPU => Service deleted successfully.
WinRing0_1_2_0 => Service deleted successfully.

"C:\Program Files\pcreg" directory move:

C:\Program Files\pcreg\nodown.txt => Moved successfully.
Could not move "C:\Program Files\pcreg\service.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg" directory. => Scheduled to move on reboot.

"C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{049930BE-4144-4828-8BF1-2E228EAA3343}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{049930BE-4144-4828-8BF1-2E228EAA3343}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\VisualBeeRecovery" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D33CEC12-C1B3-4D1F-BD19-81BEF41254A2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D33CEC12-C1B3-4D1F-BD19-81BEF41254A2}" => Key deleted successfully.
C:\Windows\System32\Tasks\pcreg => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\pcreg" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DB3DF13F-065D-4B0E-9CFE-B605C24DB5C9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DB3DF13F-065D-4B0E-9CFE-B605C24DB5C9}" => Key deleted successfully.
C:\Windows\System32\Tasks\SmartPCFix Task => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SmartPCFix Task" => Key deleted successfully.
C:\Windows\Tasks\SmartPCFix Task.job => Moved successfully.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.
C:\ProgramData\TEMP => ":AD022376" ADS removed successfully.
C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Family\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Family\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Family\Desktop\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Family\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Family\Documents\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Family\Documents\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Family\Downloads\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Family\Documents\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Family\AppData\Local\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Family\AppData\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\ProgramData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\ProgramData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\ProgramData\DECRYPT_INSTRUCTION.URL => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-09-25 10:38:03)<=

C:\Program Files\pcreg\service.exe => Is moved successfully.
C:\Program Files\pcreg => Is moved successfully.

==== End of Fixlog ====

 

I have isolated the infected computer from the internet and only start it up to complete your cleanup actions.  So, I am not sure how it is running. 
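
The Fixlog above is FRST's record of what was removed: one set of ransom notes (DECRYPT_INSTRUCTION.HTML, .TXT and .URL) in each folder CryptoWall touched, the pcreg Run values and scheduled task, the SmartPCFix task, and two alternate data streams on C:\ProgramData\TEMP. The PowerShell script below is an added example, not part of the thread and not FRST's code. It re-lists those same artifact classes read-only, so the check can be repeated on the machine after the reboot and compared with the log. It assumes an elevated PowerShell 3.0 or later prompt on the affected Windows 7 computer; the note names and paths are the ones in the Fixlog, and nothing else about the system is assumed.

```powershell
# Added triage script (not from the thread or from FRST). Read-only: it re-lists
# the artifact classes the Fixlog above removed so the check can be repeated
# after the reboot. Assumes an elevated PowerShell 3.0+ prompt on the affected
# machine; note names and paths are the ones in the Fixlog.

# 1. Ransom notes. CryptoWall drops one note set per folder it encrypted, so
#    any note that survives marks a folder whose files still need checking.
Write-Host '== Ransom notes =='
Get-ChildItem -Path 'C:\' -Filter 'DECRYPT_INSTRUCTION.*' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize

# 2. Alternate data streams on C:\ProgramData\TEMP (the Fixlog removed two).
#    ':$DATA' is the ordinary content stream; any other name is a hidden stream.
Write-Host '== Named streams on C:\ProgramData\TEMP =='
Get-Item -Path 'C:\ProgramData\TEMP' -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

# 3. Scheduled tasks. schtasks.exe works on Windows 7, where Get-ScheduledTask
#    does not exist; /v adds the 'Task To Run' column. schtasks repeats the CSV
#    header once per task folder, so those rows are dropped.
Write-Host '== Scheduled tasks whose command is outside C:\Windows =='
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object {
        $_.TaskName -ne 'TaskName' -and
        $_.'Task To Run' -ne 'N/A' -and
        $_.'Task To Run' -notmatch '^(C:\\Windows\\|%SystemRoot%|%windir%|COM handler)'
    } |
    Select-Object TaskName, 'Task To Run' |
    Format-Table -AutoSize -Wrap

# 4. Run values for the machine and the current user (FRST deleted pcreg and
#    'mobilegeni daemon' from these). PS* properties are PowerShell metadata,
#    not registry values, so they are filtered out.
Write-Host '== Run values =='
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$(foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($values) {
        $values.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}) | Format-Table -AutoSize -Wrap
```

Anything the script lists is not automatically malicious: legitimate updaters also register scheduled tasks and Run values under Program Files. Compare the output against the FRST log rather than deleting on sight, and treat any surviving DECRYPT_INSTRUCTION note as a pointer to a folder whose files are still encrypted.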



#9 nasdaq (Malware Response Team, 38,238 posts, Montreal, QC. Canada)
Posted 26 September 2014 - 07:37 AM

Using a good computer, download Dr.Web CureIt from this site.
http://www.freedrweb.com/download+cureit+free/?lng=en

Copy the file to the problem computer and run it.

Follow the instructions on how to use it (left pane on the page).
====

Then I suggest you connect the computer and hope that all is well.

Keep me posted.

#10 Trillogy (Topic Starter, Members, 63 posts, Birch Bay, Wa)
Posted 26 September 2014 - 03:48 PM

nasdaq, the download apparently didn't work.  I followed the link you provided.  At the site, I clicked on the various requirements and started the download.  I did a "save as" to my desktop, but nothing is showing there and all that happened was I was redirected to his "facebook" page of all things.  If the download did anything, it is hidden.  It doesn't show up where I said to save to the desktop, nor does it show in the programs so that I can uninstall it or anything.



#11 nasdaq (Malware Response Team, 38,238 posts, Montreal, QC. Canada)
Posted 27 September 2014 - 08:17 AM

Set this:
How to show hidden files in Windows 7
http://www.bleepingcomputer.com/tutorials/tutorial151.html
*/*


Follow the instructions on this site to start the problem computer with the Last Known Good Configuration.
http://windows.microsoft.com/en-CA/windows7/Using-Last-Known-Good-Configuration
<<<>>>

#12 Trillogy (Topic Starter, Members, 63 posts, Birch Bay, Wa)
Posted 30 September 2014 - 04:48 AM

nasdaq, I am a bit confused.  You sent me the link for Dr.Web CureIt.  Have you used it?  Is taking you to a facebook page and no download being evident the way that program is supposed to work?  If it is, how do I transfer it to the infected computer?



#13 nasdaq (Malware Response Team, 38,238 posts, Montreal, QC. Canada)
Posted 30 September 2014 - 06:22 AM

I have not used it since they have changed their policy.

I suggest for now that you start this problem computer with the Last Known Good Configuration.
See my previous post.

#14 Trillogy (Topic Starter, Members, 63 posts, Birch Bay, Wa)
Posted 01 October 2014 - 12:39 AM

nasdaq, has the cryptowall virus been removed from my computer?



#15 nasdaq (Malware Response Team, 38,238 posts, Montreal, QC. Canada)
Posted 01 October 2014 - 07:15 AM


I think it is; this is not a WORM that could infect other computers.

Run this tool and we will see what else is identified as malware, if any.

Download OTL to your desktop.
Double click on the icon to run it.
Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users.
  • Under the Custom Scan box paste this text in bold:
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT


Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs DO NOT ATTACH THEM.
===
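
The custom-scan block above tells OTL to list the netsvcs service group and to MD5 the core logon and service-host binaries, so that a patched or replaced system file can be spotted by hash. The PowerShell below is an added example, not part of the thread and not OTL's code: it performs the same two checks natively. It assumes an elevated PowerShell 4.0 or later prompt (Get-FileHash; on 3.0, drop the MD5 column). One caveat it handles: on Windows 7 most Microsoft binaries are catalog-signed rather than carrying an embedded Authenticode signature, so Get-AuthenticodeSignature reports NotSigned for them; sfc.exe /verifyfile validates the file against the component store and is the authoritative check there.

```powershell
# Added example (not from the thread or from OTL). Performs the two checks the
# OTL custom scan asks for: hash and verify the core logon/service-host
# binaries, and list the netsvcs group with each member's ServiceDll.
# Assumes an elevated PowerShell 4.0+ prompt (Get-FileHash); on 3.0 drop MD5.

$System32 = Join-Path $env:SystemRoot 'System32'

# Files from the /md5start ... /md5stop block. explorer.exe lives in
# %SystemRoot%, the rest in System32; winsock.* stays a wildcard as in OTL.
$Candidates = @(
    (Join-Path $env:SystemRoot 'explorer.exe'),
    (Join-Path $System32 'services.exe'),
    (Join-Path $System32 'winlogon.exe'),
    (Join-Path $System32 'userinit.exe'),
    (Join-Path $System32 'svchost.exe'),
    (Join-Path $System32 'winsock.*')
)

function Test-SystemFile {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # On Windows 7 most Microsoft binaries are catalog-signed, which
    # Get-AuthenticodeSignature reports as NotSigned. sfc /verifyfile checks the
    # file against the component store and is the authoritative answer there.
    # sfc writes UTF-16, so switch the console encoding while capturing it.
    $prevEncoding = [Console]::OutputEncoding
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    try     { $sfc = & sfc.exe /verifyfile="$Path" 2>&1 | Out-String }
    finally { [Console]::OutputEncoding = $prevEncoding }
    [pscustomobject]@{
        File      = $Path
        MD5       = (Get-FileHash -Path $Path -Algorithm MD5).Hash
        Signature = $sig.Status
        SfcIntact = [bool]($sfc -match 'did not find any integrity violations')
        Modified  = (Get-Item -Path $Path).LastWriteTime
    }
}

Write-Host '== Core binaries =='
Get-ChildItem -Path $Candidates -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SystemFile -Path $_.FullName } |
    Format-Table -AutoSize

# netsvcs: svchost.exe -k netsvcs hosts every service in this REG_MULTI_SZ, and
# each member's code is the DLL named in Parameters\ServiceDll. A member whose
# DLL is outside System32 is what the OTL 'netsvcs' line is meant to surface.
# Services in the list that are not installed simply show no ServiceDll.
Write-Host '== netsvcs members =='
$svchost = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$(foreach ($svc in $svchost.netsvcs) {
    $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" -ErrorAction SilentlyContinue
    $dll = $null
    if ($params -and $params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    }
    [pscustomobject]@{
        Service         = $svc
        ServiceDll      = $dll
        OutsideSystem32 = [bool]($dll -and $dll -notlike "$System32\*")
    }
}) | Format-Table -AutoSize
```

Read the two tables together: a core binary with SfcIntact False, or an unexpected Modified date, is the case the OTL MD5 list exists to catch, and the MD5 column can be compared with the hashes OTL prints. An OutsideSystem32 value of True is a review item, not proof of infection, since some OEM and third-party services legitimately keep their DLL elsewhere; what matters is whether the DLL is known, signed and expected on this machine.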



