
Ransomware (possible CTB Locker) - ZeroAccess Rootkit symptoms


20 replies to this topic

#1 Waysender

  • Members
  • 30 posts
  • Gender:Male
  • Location:Nebraska

Posted 30 January 2015 - 10:02 PM

A week or so ago I got locked out of AVG free and Google. Looking around I felt I possibly had ZeroAccess Rootkit or something of the like. Using a removal guide I began the process of removing it. It was while in safe mode that I saw "HELP_DECRYPT" files just sitting on my desktop. It was at this point I decided to ask for assistance as this is beyond my abilities of simply following removal guides.

 

Currently I receive clean reports from MBAM (malware and rootkit) and EAM. However, there are several things I have disabled in my startup menu until I am able to understand them, verify them, or remove them.

 

- yhenfeqv
- razvrtg
- HELP_DECRYPT: C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Startup\HELP_DECRYPT.HTML (as well as .PNO, .TXT, .URL)

 

Other notes or keywords that might help you:

- encryption: RSA-2048
- all files are now labeled with ".otxujsi"
- conhost.exe was seen attempting to run
- paytoc4gtpn5cz12.tostotor.com/L4jRxg
- paytoc4gtpn5cz12.bananator.com
- paytoc4gtpn5cz12.trusteetor.com
- paytoc4gtpn5cz12.whitetor.com

 

Basic computer info: Windows XP Professional - Version 2002 - Service Pack 3 - 32-bit

 

If you need any other information feel free to request, thank you. Also, as my files are currently encrypted will they remain safe? Should I copy them to a USB or burn them to a CD, until a decryption method becomes available?

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01

Ran by USER (administrator) on USER-737A973129 on 30-01-2015 20:36:42
Running from C:\Documents and Settings\USER\My Documents\Downloads
Loaded Profiles: USER (Available profiles: USER & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
(ATI Technologies, Inc.) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApntEx.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Microsoft Default Manager] => C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM\...\Run: [HPDJ Taskbar Utility] => C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe [188416 2003-07-28] (HP)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2005-11-10] (ATI Technologies, Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [176128 2005-10-07] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [Zune Launcher] => c:\Program Files\Zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-13] (Microsoft Corporation)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {452a78f2-4c2d-11dc-9fc0-00904b15d704} - E:\LaunchU3.exe -a
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {d0bd9ea0-2903-11dc-9fac-00904b15d704} - E:\SETUP.EXE
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {d7cda0d0-a6c0-11dc-9fd7-00904b15d704} - E:\MRI.exe
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?PC=BNHP
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} http://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11
 
FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-07]
 
Chrome: 
=======
CHR Profile: C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-30]
CHR Extension: (Google Drive) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-30]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-31]
CHR Extension: (YouTube) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-30]
CHR Extension: (Google Search) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-30]
CHR Extension: (Google Wallet) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-30]
CHR Extension: (Gmail) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-30]
CHR HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Chrome\Extension: [imooohanopeeieejjcgioibkoejmdokj] - No Path
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-08-16] (Oracle Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [380928 2006-04-06] (Dell Inc.) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S4 ZuneBusEnum; c:\Program Files\Zune\ZuneBusEnum.exe [57056 2011-08-05] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc) [File not signed]
S3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [424320 2005-11-02] (Broadcom Corporation)
S3 CBEN5; C:\WINDOWS\System32\DRIVERS\cben5.sys [46108 2001-08-17] (Xircom, Inc.)
S3 CBPSp50; C:\WINDOWS\System32\Drivers\CBPSp50.sys [27072 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2005-03-21] (Adaptec, Inc.) [File not signed]
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2008-10-28] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2008-10-28] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2008-10-28] (HP)
R3 HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [208384 2005-05-03] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.SYS [1033728 2005-05-03] (Conexant Systems, Inc.)
R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2003-01-23] (Dell Computer Corporation) [File not signed]
R3 OZSCR; C:\WINDOWS\System32\DRIVERS\ozscr.sys [92550 2005-04-21] (O2Micro)
S3 PCX504; C:\WINDOWS\System32\DRIVERS\PCX504.sys [96256 2003-02-14] (Cisco Systems)
S3 PRISM_ICB; C:\WINDOWS\System32\DRIVERS\WG511ICB.sys [390016 2004-03-22] (Conexant Systems, Inc.)
S3 Ptserial; C:\WINDOWS\System32\DRIVERS\ptserial.sys [135292 2003-02-24] (PCTEL, INC.)
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
R3 STAC97; C:\WINDOWS\System32\drivers\stac97.sys [264440 2004-11-15] (SigmaTel, Inc.)
R0 Vmodem; C:\WINDOWS\System32\DRIVERS\vmodem.sys [690973 2003-05-30] (PCTEL, INC.)
R0 Vpctcom; C:\WINDOWS\System32\DRIVERS\vpctcom.sys [477403 2003-05-30] (PCtel, Inc.)
R0 Vvoice; C:\WINDOWS\System32\DRIVERS\vvoice.sys [66111 2003-05-28] (PCtel, Inc.)
S3 w70n51; C:\WINDOWS\System32\DRIVERS\w70n51.sys [662400 2005-07-26] (Intel® Corporation)
R2 zumbus; C:\WINDOWS\System32\DRIVERS\zumbus.sys [41472 2011-08-05] (Microsoft Corporation)
S3 CBPMp50; System32\Drivers\CBPMp50.sys [X]
S3 cleanhlp; \??\C:\Program Files\Emsisoft Anti-Malware\cleanhlp32.sys [X]
S3 MFE_RR; \??\C:\DOCUME~1\USER\LOCALS~1\Temp\mfe_rr.sys [X]
S3 RT73; system32\DRIVERS\rt73.sys [X]
S4 s24trans; system32\DRIVERS\s24trans.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 UIUSys; system32\drivers\UIUSys.sys [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S3 w29n51; system32\DRIVERS\w29n51.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\BatteryCare\WinRing0.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-30 20:29 - 2015-01-30 20:36 - 00000000 ____D () C:\FRST
2015-01-30 00:53 - 2015-01-30 00:53 - 00000000 ____D () C:\Program Files\Tweaking.com
2015-01-29 21:28 - 2015-01-30 18:47 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-01-29 21:25 - 2015-01-30 02:20 - 00000000 ____D () C:\Documents and Settings\USER\Desktop\mbar
2015-01-29 21:00 - 2015-01-29 21:00 - 00000162 ____H () C:\Documents and Settings\USER\Desktop\~$Rkill.TXT.otxujsi
2015-01-29 20:44 - 2015-01-29 20:44 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\MFAData
2015-01-29 20:41 - 2015-01-29 20:43 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\AvgSetupLog
2015-01-29 20:39 - 2015-01-29 20:39 - 00023368 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-01-29 17:42 - 2015-01-29 18:46 - 00004741 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Desktop\avgrep.txt
2015-01-28 21:49 - 2015-01-28 21:49 - 01440054 _____ () C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.bmp
2015-01-28 21:49 - 2015-01-28 21:49 - 00001266 _____ () C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.txt
2015-01-28 21:46 - 2015-01-28 21:49 - 00553558 _____ () C:\Documents and Settings\All Users\Application Data\xrtcpih.html
2015-01-28 21:44 - 2015-01-28 21:44 - 00000000 __SHD () C:\Documents and Settings\Administrator.USER-737A973129\PrivacIE
2015-01-28 21:43 - 2015-01-28 21:43 - 00008528 _____ () C:\HELP_DECRYPT.HTML
2015-01-28 21:43 - 2015-01-28 21:43 - 00004204 _____ () C:\HELP_DECRYPT.TXT
2015-01-28 21:43 - 2015-01-28 21:43 - 00000272 _____ () C:\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\NetworkService\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\NetworkService\Local Settings\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00008528 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:40 - 2015-01-28 21:40 - 00008528 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:40 - 2015-01-28 21:40 - 00008528 _____ () C:\Documents and Settings\Administrator.USER-737A973129\HELP_DECRYPT.HTML
2015-01-28 21:40 - 2015-01-28 21:40 - 00004204 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\HELP_DECRYPT.TXT
2015-01-28 21:40 - 2015-01-28 21:40 - 00004204 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:40 - 2015-01-28 21:40 - 00004204 _____ () C:\Documents and Settings\Administrator.USER-737A973129\HELP_DECRYPT.TXT
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\HELP_DECRYPT.URL
2015-01-28 21:38 - 2015-01-30 18:48 - 00000272 ____H () C:\WINDOWS\Tasks\gvalzrh.job
2015-01-28 21:37 - 2015-01-29 22:54 - 00000000 ____D () C:\WINDOWS\FrameworkUpdate
2015-01-28 21:37 - 2015-01-28 21:37 - 00000480 ____H () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\麽鎒駓覜
2015-01-28 21:35 - 2015-01-28 21:35 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\Macromedia
2015-01-28 21:34 - 2015-01-28 21:34 - 00000000 __SHD () C:\Documents and Settings\Administrator.USER-737A973129\IETldCache
2015-01-28 21:34 - 2015-01-28 21:34 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\Adobe
2015-01-28 21:33 - 2015-01-28 21:41 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Google
2015-01-28 20:30 - 2015-01-28 21:33 - 00004928 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Desktop\avgrep.TXT.otxujsi
2015-01-28 20:29 - 2015-01-28 20:29 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Avg
2015-01-28 20:28 - 2015-01-29 20:51 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Avg2015
2015-01-28 20:26 - 2015-01-29 22:54 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Temp
2015-01-28 20:26 - 2015-01-29 20:50 - 00000178 ___SH () C:\Documents and Settings\Administrator.USER-737A973129\ntuser.ini
2015-01-28 20:26 - 2015-01-28 21:44 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129
2015-01-28 20:26 - 2012-10-27 15:39 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\TuneUp Software
2015-01-28 20:26 - 2009-12-21 23:57 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Adobe
2015-01-28 20:26 - 2005-08-12 04:02 - 00001599 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Remote Assistance.lnk
2015-01-28 20:26 - 2005-08-12 04:02 - 00000000 ___RD () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Accessories
2015-01-28 20:26 - 2005-08-12 04:01 - 00000792 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Windows Media Player.lnk
2015-01-27 18:09 - 2015-01-29 22:57 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{D999F8ED-946A-4C7B-9148-DAEFD27EE21B}
2015-01-25 19:11 - 2015-01-28 21:40 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP Photo Creations
2015-01-25 19:11 - 2015-01-25 19:11 - 00001742 _____ () C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Program Files\HP Photo Creations
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Visan
2015-01-25 19:10 - 2015-01-30 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At3.job
2015-01-25 19:10 - 2015-01-27 20:40 - 00000450 _____ () C:\WINDOWS\Tasks\At2.job
2015-01-25 19:10 - 2015-01-25 19:17 - 00000000 ____D () C:\Documents and Settings\USER\Application Data\HpUpdate
2015-01-25 19:10 - 2015-01-25 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At4.job
2015-01-25 19:10 - 2015-01-25 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At1.job
2015-01-25 19:09 - 2015-01-25 19:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HP
2015-01-25 19:09 - 2015-01-25 19:09 - 00001921 _____ () C:\Documents and Settings\All Users\Desktop\HP ENVY 4500 series.lnk
2015-01-25 19:09 - 2015-01-25 19:09 - 00000883 _____ () C:\Documents and Settings\All Users\Desktop\Shop for Supplies - HP ENVY 4500 series.lnk
2015-01-25 19:09 - 2014-07-21 15:33 - 00597512 ____N (Hewlett-Packard Development Company, LP) C:\WINDOWS\system32\HPDiscoPMC511.dll
2015-01-25 19:09 - 2012-12-15 18:38 - 02525368 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\HPScanTRDrv_EN4500.dll
2015-01-25 19:09 - 2012-12-15 18:38 - 00417464 _____ (Hewlett-Packard) C:\WINDOWS\system32\HPWia1_EN4500.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00536760 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkstsC511.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00271032 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkstsC511LM.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00222904 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkcoiC511.dll
2015-01-25 19:08 - 2012-12-15 16:45 - 02220216 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkinsC511.exe
2015-01-25 19:06 - 2015-01-25 19:06 - 00000057 _____ () C:\Documents and Settings\All Users\Application Data\Ament.ini
2015-01-25 19:02 - 2015-01-25 19:37 - 00000000 ____D () C:\Documents and Settings\USER\Local Settings\Application Data\HP
2015-01-11 15:48 - 2015-01-11 15:50 - 00000015 _____ () C:\Documents and Settings\USER\settings.dat
2015-01-06 20:14 - 2015-01-30 18:50 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-06 20:14 - 2015-01-06 20:14 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-06 20:14 - 2015-01-06 20:14 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-06 20:13 - 2015-01-30 01:24 - 00108632 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-06 20:13 - 2015-01-28 21:46 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-06 20:13 - 2014-11-21 06:23 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-01-04 15:12 - 2012-11-17 12:09 - 00000496 _____ () C:\Boot.bak
2015-01-04 15:11 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2015-01-04 15:10 - 2015-01-04 15:12 - 00000000 _RSHD () C:\cmdcons
2015-01-04 15:05 - 2015-01-28 21:40 - 00000000 ___SD () C:\ComboFix
2015-01-04 15:05 - 2011-06-26 00:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2015-01-04 15:05 - 2010-11-07 11:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2015-01-04 15:05 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2015-01-04 15:05 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2015-01-04 15:05 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2015-01-04 15:05 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2015-01-04 15:05 - 2000-08-30 18:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2015-01-04 15:05 - 2000-08-30 18:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2015-01-04 15:05 - 2000-08-30 18:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2015-01-04 15:02 - 2015-01-04 15:05 - 00000000 ____D () C:\Qoobox
2015-01-04 14:56 - 2015-01-28 19:38 - 00132672 _____ () C:\TDSSKiller.3.0.0.44_28.01.2015_19.34.44_log.TXT.otxujsi
2015-01-04 14:56 - 2015-01-11 15:54 - 00132032 _____ () C:\TDSSKiller.3.0.0.42_11.01.2015_15.51.51_log.TXT.otxujsi
2015-01-04 14:56 - 2015-01-04 14:58 - 00131472 _____ () C:\TDSSKiller.3.0.0.42_04.01.2015_14.56.19_log.TXT.otxujsi
2015-01-04 14:20 - 2015-01-28 21:40 - 00000000 ____D () C:\AdwCleaner
2015-01-03 22:21 - 2015-01-03 22:21 - 00000000 ____D () C:\Documents and Settings\USER\Application Data\TuneUp Software
2015-01-03 22:19 - 2015-01-29 20:48 - 00060030 _____ () C:\WINDOWS\setupapi.log
2015-01-03 21:57 - 2015-01-29 20:51 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
2015-01-03 21:41 - 2015-01-29 20:51 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2015-01-03 21:41 - 2015-01-03 21:41 - 00000000 ____D () C:\Documents and Settings\USER\Local Settings\Application Data\MFAData
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-30 20:37 - 2005-08-12 04:13 - 00000000 ____D () C:\Documents and Settings\USER\Local Settings\Temp
2015-01-30 19:41 - 2005-08-12 03:59 - 01557018 ____C () C:\WINDOWS\WindowsUpdate.log
2015-01-30 19:39 - 2005-08-11 20:38 - 00000327 __RSH () C:\boot.ini
2015-01-30 19:39 - 2004-08-04 06:00 - 00000608 _____ () C:\WINDOWS\win.ini
2015-01-30 19:39 - 2004-08-04 06:00 - 00000227 ____C () C:\WINDOWS\system.ini
2015-01-30 18:49 - 2012-08-13 20:24 - 00000000 ____D () C:\WINDOWS\pss
2015-01-30 18:48 - 2005-08-12 04:08 - 00000006 ___HC () C:\WINDOWS\Tasks\SA.DAT
2015-01-30 18:48 - 2005-08-11 20:43 - 00000159 ____C () C:\WINDOWS\wiadebug.log
2015-01-30 18:48 - 2005-08-11 20:43 - 00000049 ____C () C:\WINDOWS\wiaservc.log
2015-01-30 18:48 - 2004-08-04 06:00 - 00002206 ____C () C:\WINDOWS\system32\wpa.dbl
2015-01-30 18:47 - 2014-12-05 00:17 - 00000000 ____D () C:\Program Files\Emsisoft Anti-Malware
2015-01-30 02:21 - 2005-08-12 04:13 - 00000178 __SHC () C:\Documents and Settings\USER\ntuser.ini
2015-01-30 02:21 - 2005-08-12 04:08 - 00032554 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-30 00:33 - 2005-06-29 09:05 - 00000000 ____D () C:\Documents and Settings\USER\My Documents\Story Time
2015-01-30 00:32 - 2012-09-06 17:58 - 00002473 _____ () C:\Documents and Settings\USER\Desktop\Microsoft Word.lnk
2015-01-29 22:57 - 2011-11-11 23:28 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2641690$
2015-01-29 21:25 - 2013-01-05 21:54 - 00000420 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{DA803D97-3304-4E5E-BBA0-642ADF96FFF2}.job
2015-01-29 20:44 - 2013-01-28 00:13 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG
2015-01-29 20:44 - 2013-01-07 19:32 - 00000000 ____D () C:\Program Files\AVG
2015-01-29 17:35 - 2012-01-12 17:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2631813$
2015-01-29 17:33 - 2005-06-29 09:06 - 00000000 ____D () C:\Documents and Settings\USER\My Documents\General Information
2015-01-28 21:47 - 2013-10-10 16:54 - 00000000 ____D () C:\Program Files\Zune
2015-01-28 21:47 - 2013-01-28 01:07 - 00000000 ____D () C:\RegBackup
2015-01-28 21:47 - 2005-08-12 03:58 - 00000000 ____D () C:\Program Files\Outlook Express
2015-01-28 21:46 - 2014-10-28 17:10 - 00000000 ____D () C:\Program Files\iPod
2015-01-28 21:46 - 2014-10-28 17:09 - 00000000 ____D () C:\Program Files\iTunes
2015-01-28 21:42 - 2012-08-25 20:45 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\PCDr
2015-01-28 21:42 - 2010-02-07 22:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP
2015-01-28 21:42 - 2005-08-12 04:08 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-01-28 21:42 - 2005-08-12 04:06 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2015-01-28 21:42 - 2005-08-12 04:00 - 00000000 __SHD () C:\Documents and Settings\All Users\DRM
2015-01-28 21:41 - 2014-07-06 16:12 - 00000000 ____D () C:\a8ae3f591ed650812d
2015-01-28 21:41 - 2013-10-07 18:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2015-01-28 21:41 - 2013-05-04 13:37 - 00000000 ___SD () C:\Documents and Settings\Administrator
2015-01-28 21:41 - 2005-08-12 04:02 - 00000000 ____D () C:\DELL
2015-01-27 21:46 - 2013-07-11 14:25 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834886$
2015-01-26 22:27 - 2007-06-19 06:22 - 00002479 ____C () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2015-01-25 19:06 - 2010-02-02 21:47 - 00000000 ____D () C:\Program Files\HP
2015-01-25 19:06 - 2005-08-11 20:31 - 00000000 ____D () C:\WINDOWS\twain_32
2015-01-21 16:22 - 2005-08-11 20:39 - 00231453 _____ () C:\WINDOWS\setupact.log
2015-01-14 18:22 - 2013-08-13 21:51 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 18:01 - 2007-08-16 09:47 - 110348472 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-06 20:13 - 2013-07-12 18:31 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-01-02 21:20 - 2012-10-15 16:27 - 00065536 _____ () C:\WINDOWS\system32\config\TuneUp.evt
2015-01-02 20:37 - 2014-11-01 21:52 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2015-01-02 20:30 - 2014-08-16 16:03 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2015-01-02 20:29 - 2014-08-16 16:03 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2015-01-02 20:15 - 2013-03-10 22:33 - 00000000 ____D () C:\Program Files\Java
 
==================== Files in the root of some directories =======
 
2010-03-14 13:11 - 2012-08-21 12:06 - 0003584 ____C () C:\Documents and Settings\USER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-28 21:42 - 2015-01-28 21:42 - 0008528 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 0045624 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-01-28 21:42 - 2015-01-28 21:42 - 0004204 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 0000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
 
ZeroAccess:
C:\Windows\Installer\{9f0b09e5-b1ec-f7b1-a8fb-12d09251b419}
C:\Windows\Installer\{9f0b09e5-b1ec-f7b1-a8fb-12d09251b419}\L\201d3dde
 
Files to move or delete:
====================
C:\Documents and Settings\USER\settings.dat
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At4.job
 
 
Some content of TEMP:
====================
C:\Documents and Settings\USER\Local Settings\Temp\MsiZap.exe
C:\Documents and Settings\USER\Local Settings\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 28-01-2015 01
Ran by USER at 2015-01-30 20:37:30
Running from C:\Documents and Settings\USER\My Documents\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: AVG Internet Security 2015 (Disabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Emsisoft Internet Security (Disabled - Up to date) {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: Emsisoft Internet Security (Disabled) {0F8591BB-342B-4493-91C3-4E948ED21255}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden
Adobe Flash Player 13 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 13.0.0.182 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
ALPS Touch Pad Driver (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version:  - )
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1014 - )
ATI Control Panel (HKLM\...\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}) (Version: 6.14.10.5173 - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.20-051110a1-028793C-Dell - )
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom Gigabit Integrated Controller (HKLM\...\{B7F54262-AB66-44B3-88BF-9FC69941B643}) (Version: 8.13.01 - Broadcom Corporation)
C-Major Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 42xx - SigmaTel)
Conexant D480 MDC V.92 Modem (HKLM\...\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1) (Version:  - )
Crash Analysis Tool (HKLM\...\{D5F881C2-B134-474E-AA60-B25DD218AE0D}) (Version: 1.00.0001 - Dell)
Dell Driver Download Manager (HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\f031ef6ac137efc5) (Version: 2.1.0.0 - Dell Inc.)
Dell Wireless WLAN Card (HKLM\...\Broadcom 802.11b Network Adapter) (Version: 4.10.47.3 - Dell Inc.)
DriverUpdate (HKLM\...\{E2EF4165-EAE4-4CEA-8FCB-EA04BB274639}) (Version: 2.2.36929 - SlimWare Utilities, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 39.0.2171.71 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
HP ENVY 4500 series Basic Device Software (HKLM\...\{BCC989C6-7003-4367-8C30-7B88D47D3E79}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP ENVY 4500 series Help (HKLM\...\{95BECC50-22B4-4FCA-8A2E-BF77713E6D3A}) (Version: 30.0.0 - Hewlett Packard)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2000 Professional (HKLM\...\{00010409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.9 (HKLM\...\Wudf01009) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft WinUsb 1.0 (HKLM\...\winusb0100) (Version:  - Microsoft Corporation)
MobileMe Control Panel (HKLM\...\{779DECD7-E072-4B56-9B6B-BEB5973EEEB5}) (Version: 3.1.6.0 - Apple Inc.)
MSN (HKLM\...\MSNINST) (Version:  - )
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
O2Micro Smartcard Driver (HKLM\...\InstallShield_{C5BED10B-42A9-4142-B4C2-008C0FDE27D5}) (Version: 2.26.0000 - O2Micro Electronics, Inc.)
O2Micro Smartcard Driver (Version: 2.26.0000 - O2Micro Electronics, Inc.) Hidden
PCTEL 2304WT V.9x MDC Modem Drivers (HKLM\...\Installing HSP56 MicroModem Drivers) (Version:  - )
Product Improvement Study for HP ENVY 4500 series (HKLM\...\{BA386F3E-92B8-4B1D-9C2F-E97B3707FE57}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
QuickSet (HKLM\...\{C5074CC4-0E26-4716-A307-960272A90040}) (Version: 7.1.8 - )
Ralink Wireless LAN Card (HKLM\...\{E91E8912-769D-42F0-8408-0E329443BABC}) (Version: 1.00.01 - RALINK)
Safari (HKLM\...\{FA4C2D53-205F-4245-9717-F3761154824D}) (Version: 5.34.57.2 - Apple Inc.)
Ulead DVD Player (HKLM\...\{21DAFB84-2421-488F-B17D-102FF53396AA}) (Version: 1.0 - Ulead Systems)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
05-12-2014 00:00:40 System Checkpoint
06-12-2014 09:40:59 System Checkpoint
08-12-2014 00:43:06 System Checkpoint
10-12-2014 20:45:34 Software Distribution Service 3.0
14-12-2014 12:06:23 System Checkpoint
16-12-2014 19:08:15 System Checkpoint
20-12-2014 23:02:31 System Checkpoint
25-12-2014 19:42:32 System Checkpoint
01-01-2015 23:54:49 System Checkpoint
02-01-2015 20:12:15 Removed Java 8 Update 25
03-01-2015 21:54:51 Installed AVG 2015
03-01-2015 21:56:42 Installed AVG 2015
04-01-2015 18:18:49 Rkill
06-01-2015 21:06:41 System Checkpoint
08-01-2015 22:44:10 System Checkpoint
14-01-2015 16:17:00 System Checkpoint
14-01-2015 18:01:16 Software Distribution Service 3.0
19-01-2015 19:40:28 System Checkpoint
23-01-2015 22:33:12 System Checkpoint
26-01-2015 20:38:15 System Checkpoint
27-01-2015 21:02:44 System Checkpoint
29-01-2015 16:29:44 System Checkpoint
29-01-2015 22:54:35 Malwarebytes Anti-Rootkit Restore Point
30-01-2015 01:03:37 Removed Microsoft Silverlight
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2004-08-04 06:00 - 2013-05-04 13:19 - 00000761 _RASH C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\At1.job => C:\Program Files\HP\HP ENVY 4500 series\Bin\HPCustPartic.exe
Task: C:\WINDOWS\Tasks\At2.job => C:\Program Files\HP\HP ENVY 4500 series\Bin\HPCustPartic.exe
Task: C:\WINDOWS\Tasks\At3.job => C:\Program Files\HP\HP ENVY 4500 series\Bin\HPCustPartic.exe
Task: C:\WINDOWS\Tasks\At4.job => C:\Program Files\HP\HP ENVY 4500 series\Bin\HPCustPartic.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\gvalzrh.job => C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{DA803D97-3304-4E5E-BBA0-642ADF96FFF2}.job => C:\WINDOWS\system32\msfeedssync.exe
 
==================== Loaded Modules (whitelisted) =============
 
2004-08-04 06:00 - 2008-04-13 18:11 - 00059904 ____C () C:\WINDOWS\system32\devenum.dll
2004-08-04 06:00 - 2008-04-13 18:11 - 00014336 ____C () C:\WINDOWS\system32\msdmo.dll
2014-07-30 15:06 - 2014-02-10 12:44 - 04592128 _____ () C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
2014-07-30 15:06 - 2014-02-10 12:44 - 00112128 _____ () C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
2014-11-30 13:07 - 2014-11-25 00:39 - 09009480 _____ () C:\Program Files\Google\Chrome\Application\39.0.2171.71\pdf.dll
2014-11-30 13:07 - 2014-11-25 00:39 - 01677128 _____ () C:\Program Files\Google\Chrome\Application\39.0.2171.71\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\setup.exe:SummaryInformation
AlternateDataStreams: C:\setup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\xc.bat:SummaryInformation
AlternateDataStreams: C:\xc.bat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\WINDOWS\checkip.dat:SummaryInformation
AlternateDataStreams: C:\WINDOWS\checkip.dat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
AlternateDataStreams: C:\Documents and Settings\USER\Local Settings:init
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator.USER-737A973129^Start Menu^Programs^Startup^HELP_DECRYPT.HTML => C:\WINDOWS\pss\HELP_DECRYPT.HTMLStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator.USER-737A973129^Start Menu^Programs^Startup^HELP_DECRYPT.PNG => C:\WINDOWS\pss\HELP_DECRYPT.PNGStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator.USER-737A973129^Start Menu^Programs^Startup^HELP_DECRYPT.TXT => C:\WINDOWS\pss\HELP_DECRYPT.TXTStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator.USER-737A973129^Start Menu^Programs^Startup^HELP_DECRYPT.URL => C:\WINDOWS\pss\HELP_DECRYPT.URLStartup
MSCONFIG\startupfolder: C:^Documents and Settings^USER^Start Menu^Programs^Startup^Monitor Ink Alerts - HP ENVY 4500 series.lnk => C:\WINDOWS\pss\Monitor Ink Alerts - HP ENVY 4500 series.lnkStartup
MSCONFIG\startupreg: Broadcom Wireless Manager UI => C:\WINDOWS\system32\WLTRAY.exe
MSCONFIG\startupreg: CTFMON.EXE => 
MSCONFIG\startupreg: HP Software Update => 
MSCONFIG\startupreg: MSConfig => "C:\Documents and Settings\USER\yhenfeqv.exe"
MSCONFIG\startupreg: QuickTime Task => 
MSCONFIG\startupreg: yyvqgjf => C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-299502267-152049171-1343024091-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator.USER-737A973129
ASPNET (S-1-5-21-299502267-152049171-1343024091-1005 - Limited - Enabled)
Guest (S-1-5-21-299502267-152049171-1343024091-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-299502267-152049171-1343024091-1000 - Limited - Disabled)
NETWORK  SERVICE (S-1-5-21-299502267-152049171-1343024091-1006 - Administrator - Enabled)
SUPPORT_388945a0 (S-1-5-21-299502267-152049171-1343024091-1002 - Limited - Disabled)
USER (S-1-5-21-299502267-152049171-1343024091-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\USER
 
==================== Faulty Device Manager Devices =============
 
Name: Dell TrueMobile 1300 WLAN Mini-PCI Card
Description: Dell TrueMobile 1300 WLAN Mini-PCI Card
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom
Service: BCM43XX
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: PHILIPS CDRW/DVD SCB5265
Description: CD-ROM Drive
Class Guid: {4D36E965-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard CD-ROM drives)
Service: cdrom
Problem: : A driver (service) for this device has been disabled. An alternate driver may be providing this functionality (Code 32)
Resolution: The start type for this driver is set to disabled in the registry.
Uninstall the driver from Device Manager, and then scan for new hardware to install the driver again. If this does not work, you might have to change the device start type parameter in the registry.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/29/2015 09:45:35 PM) (Source: MsiInstaller) (EventID: 11706) (User: USER-737A973129)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional.  The Windows installer cannot continue.
 
Error: (01/28/2015 10:14:07 PM) (Source: MsiInstaller) (EventID: 11706) (User: USER-737A973129)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional.  The Windows installer cannot continue.
 
Error: (01/28/2015 10:08:11 PM) (Source: MsiInstaller) (EventID: 11706) (User: USER-737A973129)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional.  The Windows installer cannot continue.
 
Error: (01/28/2015 07:09:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application rundll32.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (01/25/2015 08:06:02 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
 
System errors:
=============
Error: (01/30/2015 06:48:10 PM) (Source: WMPNetworkSvc) (EventID: 14322) (User: )
Description: Service 'WMPNetworkSvc' did not start correctly because MFStartup encountered error '0xc00d36e3'. Reinstall Windows Media Player.
 
Error: (01/29/2015 10:58:49 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
PCIIde
 
Error: (01/29/2015 10:58:35 PM) (Source: WMPNetworkSvc) (EventID: 14322) (User: )
Description: Service 'WMPNetworkSvc' did not start correctly because MFStartup encountered error '0xc00d36e3'. Reinstall Windows Media Player.
 
Error: (01/29/2015 09:09:01 PM) (Source: DCOM) (EventID: 10005) (User: USER-737A973129)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (01/29/2015 09:08:22 PM) (Source: DCOM) (EventID: 10005) (User: USER-737A973129)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (01/29/2015 08:52:07 PM) (Source: WMPNetworkSvc) (EventID: 14322) (User: )
Description: Service 'WMPNetworkSvc' did not start correctly because MFStartup encountered error '0xc00d36e3'. Reinstall Windows Media Player.
 
Error: (01/29/2015 08:50:09 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (01/29/2015 08:41:34 PM) (Source: DCOM) (EventID: 10005) (User: USER-737A973129)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (01/29/2015 05:40:41 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
a2injectiondriver
APPDRV
Avgdiskx
AVGIDSDriverl
AVGIDSShim
Avgldx86
Cdrom
Fips
intelppm
 
Error: (01/29/2015 05:40:41 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The AVGIDSAgent service depends on the AVGIDSDriverl service which failed to start because of the following error: 
%%31
 
 
Microsoft Office Sessions:
=========================
Error: (01/29/2015 09:45:35 PM) (Source: MsiInstaller) (EventID: 11706) (User: USER-737A973129)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional.  The Windows installer cannot continue.(NULL)(NULL)(NULL)
 
Error: (01/28/2015 10:14:07 PM) (Source: MsiInstaller) (EventID: 11706) (User: USER-737A973129)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional.  The Windows installer cannot continue.(NULL)(NULL)(NULL)
 
Error: (01/28/2015 10:08:11 PM) (Source: MsiInstaller) (EventID: 11706) (User: USER-737A973129)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional.  The Windows installer cannot continue.(NULL)(NULL)(NULL)
 
Error: (01/28/2015 07:09:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: rundll32.exe5.1.2600.5512hungapp0.0.0.000000000
 
Error: (01/25/2015 08:06:02 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000
 
 
==================== Memory info =========================== 
 
Processor:  Intel® Pentium® M processor 1400MHz
Percentage of memory in use: 68%
Total physical RAM: 511.23 MB
Available physical RAM: 163.09 MB
Total Pagefile: 1245.87 MB
Available Pagefile: 854.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1936.65 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:27.94 GB) (Free:1.83 GB) NTFS ==>[Drive with boot components (Windows XP)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 27.9 GB) (Disk ID: 07860786)
Partition 1: (Active) - (Size=27.9 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================



 


#2 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:31 PM

Posted 01 February 2015 - 12:40 PM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure the "receive notifications" box is ticked and set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

==========================
 
Hi Waysender,
 
Were you running EAM when you were infected with this ransomware?
 
--------------
 
We need to submit a malware sample to BleepingComputer
 
Open up your Internet Browser and go to the following address:-
 
http://www.bleepingcomputer.com/submit-malware.php?channel=170
 
You will need to do the following:

  • In the Link to topic where this file was requested: please copy the link to this topic and paste it in the text box
  • In Browse to the file you want to submit: Click Browse and locate the following file C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe
  • Click Submit

In your next reply, please let me know if you have completed this or if you have any issues uploading the sample.
 
--------------
 
We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKLM\...\Run: [] => [X]
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Policies\Explorer: [HideSCAHealth] 1
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CMD: netsh winsock reset
CHR HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Chrome\Extension: [imooohanopeeieejjcgioibkoejmdokj] - No Path
2015-01-28 21:49 - 2015-01-28 21:49 - 01440054 _____ () C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.bmp
2015-01-28 21:49 - 2015-01-28 21:49 - 00001266 _____ () C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.txt
2015-01-28 21:46 - 2015-01-28 21:49 - 00553558 _____ () C:\Documents and Settings\All Users\Application Data\xrtcpih.html
2015-01-25 19:10 - 2015-01-30 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At3.job
2015-01-25 19:10 - 2015-01-27 20:40 - 00000450 _____ () C:\WINDOWS\Tasks\At2.job
2015-01-25 19:10 - 2015-01-25 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At4.job
2015-01-25 19:10 - 2015-01-25 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At1.job
CMD: del /s /f /q HELP_DECRYPT*
C:\Windows\Installer\{9f0b09e5-b1ec-f7b1-a8fb-12d09251b419}
C:\Windows\Installer\{9f0b09e5-b1ec-f7b1-a8fb-12d09251b419}\L\201d3dde
Task: C:\WINDOWS\Tasks\gvalzrh.job => C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe
C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe
AlternateDataStreams: C:\setup.exe:SummaryInformation
AlternateDataStreams: C:\setup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\xc.bat:SummaryInformation
AlternateDataStreams: C:\xc.bat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\WINDOWS\checkip.dat:SummaryInformation
AlternateDataStreams: C:\WINDOWS\checkip.dat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
AlternateDataStreams: C:\Documents and Settings\USER\Local Settings:init
C:\Documents and Settings\USER\yhenfeqv.exe
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • fixlog.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 Waysender

Waysender
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nebraska
  • Local time:04:31 PM

Posted 01 February 2015 - 07:22 PM

Hello xXToffeeXx, it is very nice to meet you and thank you for helping me.

I apologize for not giving a more detailed list of events that led me here. They are as follows...

A week or so ago I was going to run a routine scan of my computer using AVG. When attempting to access the program I was greeted with "Windows cannot open this program because it has been prevented by a software restriction policy, for more information open Event Viewer or contact your system administrator." I was met with this same message when attempting to use Google as well.

After doing research and running a few scans I felt I had some form of a ZeroAccess Rootkit. This has been around for quite some time and after doing my research and consulting a few removal guides I felt confident I could proceed on my own. I should have come here first but I understand the strain Bleeping Computer is under and I did not want to take up valuable resources for something I felt I could deal with on my own. At this point I was only aware of the rootkit, not the ransomware.

At this point and time I only had AVG installed. I scanned with TDSSKiller and Rkill, ran the Malwarebytes Malware and Rootkit programs, and for good measure ran EAM. I rebooted and ran again and received a clean report. I was still unable to run AVG normally so I booted into Safe Mode to attempt to run it. I was successful and AVG did find something blocking it; it was at this time I first noticed the "HELP_DECRYPT" files just sitting there on my desktop. I never received any type of pop-up or notification from this. I do not know if these two are related or if the ransomware was able to take hold because of gaps in security caused by the rootkit.

I no longer appear to have any after-effects of the ZeroAccess rootkit and as far as I can tell have full function of my computer, although a second (professional) opinion is always welcome. :)

I removed AVG for Malwarebytes for the time being since AVG still will not run normally.

Now, on to the task at hand. I have read your instructions and I am sad to say I am not off to a swimming start.

The program "razvrtg.exe" is still listed in my startup list. I am currently in selective startup and this program is disabled. I was unable to find it to send in for analysis.

I copied and pasted the text to notepad and labeled it "fixlist.txt" and saved it to my desktop. I ran FRST and, as you stated, it could not fix it if they were not in the same location. I ran once, then rebooted and ran again; I also ran again and scanned this time and received the same message: "No fixlist.txt found. The fixlist.txt should be in the same folder/directory the tool is located."

I have read your instructions again and everything appears to be very straightforward. I clearly have missed a step and I apologize. Maybe I am a little tired; I will attempt again from the beginning tomorrow. If you have anything else you would like me to do please do not hesitate to ask.

Thank you, Waysender.

Update...

I still am unable to locate C:\Docume~1\Admini~1.USE\Locals~1\Temp\razvrtg.exe - its location is listed as Software\Microsoft\Windows\Current Version\Run - I am missing something but I don't know what it is, a forest from the trees thing I guess.

I still cannot get the FRST to work properly either; the fixlist.txt is on my desktop. Do I need to save the other logs from FRST to the desktop or add them to the fixlist.txt? Thank you, please advise. Waysender.


Edited by Waysender, 02 February 2015 - 03:13 PM.


#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:31 PM

Posted 03 February 2015 - 01:47 PM

Hi Waysender,
 
Thank you for the extra information, it is helpful.
 
Please move the fixlist.txt to C:\Documents and Settings\USER\My Documents\Downloads and then try running the FRST fix again.
 

I still am unable to locate C:\Docume~1\Admini~1.USE\Locals~1\Temp\razvrtg.exe - its location is listed as Software\Microsoft\Windows\Current Version\Run - I am missing something but I don't know what it is, a forest from the trees thing I guess.

No worries on not being able to find the file, it is quite possible that the file has since deleted itself.
 
xXToffeeXx~




#5 Waysender

Waysender
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nebraska
  • Local time:04:31 PM

Posted 03 February 2015 - 09:41 PM

Hello xXToffeeXx, your instructions were correct and the FRST fix ran this time. Thank you. The log is as follows...

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-02-2015
Ran by USER at 2015-02-03 20:44:21 Run:1
Running from C:\Documents and Settings\USER\My Documents\Downloads
Loaded Profiles: USER (Available profiles: USER & Administrator)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\Run: [] => [X]
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Policies\Explorer: [HideSCAHealth] 1
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CMD: netsh winsock reset
CHR HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Chrome\Extension: [imooohanopeeieejjcgioibkoejmdokj] - No Path
2015-01-28 21:49 - 2015-01-28 21:49 - 01440054 _____ () C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.bmp
2015-01-28 21:49 - 2015-01-28 21:49 - 00001266 _____ () C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.txt
2015-01-28 21:46 - 2015-01-28 21:49 - 00553558 _____ () C:\Documents and Settings\All Users\Application Data\xrtcpih.html
2015-01-25 19:10 - 2015-01-30 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At3.job
2015-01-25 19:10 - 2015-01-27 20:40 - 00000450 _____ () C:\WINDOWS\Tasks\At2.job
2015-01-25 19:10 - 2015-01-25 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At4.job
2015-01-25 19:10 - 2015-01-25 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At1.job
CMD: del /s /f /q HELP_DECRYPT*
C:\Windows\Installer\{9f0b09e5-b1ec-f7b1-a8fb-12d09251b419}
C:\Windows\Installer\{9f0b09e5-b1ec-f7b1-a8fb-12d09251b419}\L\201d3dde
Task: C:\WINDOWS\Tasks\gvalzrh.job => C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe
C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe
AlternateDataStreams: C:\setup.exe:SummaryInformation
AlternateDataStreams: C:\setup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\xc.bat:SummaryInformation
AlternateDataStreams: C:\xc.bat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\WINDOWS\checkip.dat:SummaryInformation
AlternateDataStreams: C:\WINDOWS\checkip.dat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
AlternateDataStreams: C:\Documents and Settings\USER\Local Settings:init
C:\Documents and Settings\USER\yhenfeqv.exe
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value deleted successfully.
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
 
=========  netsh winsock reset =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.
 
 
========= End of CMD: =========
 
"HKU\S-1-5-21-299502267-152049171-1343024091-1003\SOFTWARE\Google\Chrome\Extensions\imooohanopeeieejjcgioibkoejmdokj" => Key deleted successfully.
C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.bmp => Moved successfully.
C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.txt => Moved successfully.
C:\Documents and Settings\All Users\Application Data\xrtcpih.html => Moved successfully.
C:\WINDOWS\Tasks\At3.job => Moved successfully.
C:\WINDOWS\Tasks\At2.job => Moved successfully.
C:\WINDOWS\Tasks\At4.job => Moved successfully.
C:\WINDOWS\Tasks\At1.job => Moved successfully.
 
=========  del /s /f /q HELP_DECRYPT* =========
 
Could Not Find C:\Documents and Settings\USER\My Documents\Downloads\HELP_DECRYPT*
 
========= End of CMD: =========
 
C:\Windows\Installer\{9f0b09e5-b1ec-f7b1-a8fb-12d09251b419} => Moved successfully.
"C:\Windows\Installer\{9f0b09e5-b1ec-f7b1-a8fb-12d09251b419}\L\201d3dde" => File/Directory not found.
C:\WINDOWS\Tasks\gvalzrh.job => Moved successfully.
"C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe" => File/Directory not found.
"C:\setup.exe" => ":SummaryInformation" ADS not found.
C:\setup.exe => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\xc.bat" => ":SummaryInformation" ADS not found.
C:\xc.bat => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\WINDOWS\checkip.dat" => ":SummaryInformation" ADS not found.
C:\WINDOWS\checkip.dat => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":0B4227B4" ADS removed successfully.
C:\Documents and Settings\USER\Local Settings => ":init" ADS removed successfully.
"C:\Documents and Settings\USER\yhenfeqv.exe" => File/Directory not found.
 
==== End of Fixlog 20:44:26 ====
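The fixlist posted earlier in this thread and this Fixlog are the two halves of one FRST remediation: the script names the indicators (the software restriction policy paths that blocked AVG and Chrome, the Explorer and System Restore policies, Winsock catalog entries pointing at a missing mswsock.dll, the ransom notes, the At*.job scheduled tasks, the alternate data streams), and the log records what FRST actually found and did. The Python helper below is an added example, not part of this thread and not FRST's own code: it classifies fixlist entries by indicator type, parses the Fixlog outcome lines, and lists every target FRST reported as not found, which is the list a helper wants in hand before deciding on a follow-up scan. The sample lines are excerpted from the fixlist and Fixlog posted above; the outcome phrases it matches ("Moved successfully.", "File/Directory not found.", "ADS removed successfully." and so on) are taken from this log, and it is an assumption that other FRST versions word them the same way.

```python
"""Triage helper for an FRST fixlist / Fixlog pair.

Added example, not part of this thread and not FRST's own code.  Outcome phrases are
those seen in the Fixlog posted in this thread; other FRST versions are assumed,
not verified, to use the same wording.
"""
import re
from collections import Counter

# Ordered (category, pattern) rules, first match wins; shapes follow the thread's fixlist.
FIXLIST_RULES = [
    ("srp_restriction", re.compile(r"Group Policy restriction on software")),
    ("system_restore",  re.compile(r"\\SystemRestore:")),
    ("explorer_policy", re.compile(r"\\Policies\\Explorer:")),
    ("browser_policy",  re.compile(r"Policy restriction")),
    ("winsock_lsp",     re.compile(r"^Winsock:")),
    ("command",         re.compile(r"^CMD:")),
    ("ransom_note",     re.compile(r"HELP_DECRYPT|Decrypt-All-Files", re.I)),
    ("scheduled_task",  re.compile(r"^Task:|\\Tasks\\[^\\]+\.job$")),
    ("ads",             re.compile(r"^AlternateDataStreams:")),
    ("registry",        re.compile(r"^HK(?:LM|CU|U)\\")),
    ("file",            re.compile(r"^(?:\d{4}-\d\d-\d\d .*?\(\) )?[A-Za-z]:\\")),
]
# Fixlog outcome phrases, most specific first.
OUTCOMES = [
    ("ads_not_found", re.compile(r"ADS not found\.$")),
    ("ads_removed",   re.compile(r"ADS removed successfully\.$")),
    ("not_found",     re.compile(r"File/Directory not found\.$")),
    ("moved",         re.compile(r"Moved successfully\.$")),
    ("key_deleted",   re.compile(r"Key deleted successfully\.$")),
    ("value_deleted", re.compile(r"value deleted successfully\.$")),
    ("restored",      re.compile(r"restored successfully\.$")),
]
WINSOCK_SET = re.compile(r"^Winsock: (Catalog5 entry \S+)\s+was set successfully to (.+)$")
ADS_STREAM = re.compile(r'^"(:[^"]*)"')   # the ":stream" part of an ADS outcome line


def classify_fixlist_entry(line):
    """Name the kind of indicator a fixlist line addresses ('other' if unknown)."""
    for category, pattern in FIXLIST_RULES:
        if pattern.search(line.strip()):
            return category
    return "other"


def parse_fixlog_line(line):
    """Return (target, outcome) for a Fixlog result line; None for headers,
    blank lines and the embedded output of CMD: steps."""
    line = line.strip()
    m = WINSOCK_SET.match(line)
    if m:
        return (m.group(1), "winsock_set")
    if " => " not in line:
        return None
    target, result = line.split(" => ", 1)
    target = target.strip('"')
    for outcome, pattern in OUTCOMES:
        if pattern.search(result):
            stream = ADS_STREAM.match(result) if outcome.startswith("ads_") else None
            if stream:
                target += stream.group(1)   # report file:stream, as FRST lists ADS
            return (target, outcome)
    return (target, "unknown")


def summarize(fixlist_lines, fixlog_lines):
    """Count indicator categories and outcomes; list targets FRST could not find."""
    categories = Counter(classify_fixlist_entry(ln) for ln in fixlist_lines if ln.strip())
    outcomes, missing = Counter(), []
    for target, outcome in filter(None, map(parse_fixlog_line, fixlog_lines)):
        outcomes[outcome] += 1
        if outcome in ("not_found", "ads_not_found"):
            missing.append(target)
    return {"categories": dict(categories), "outcomes": dict(outcomes), "missing": missing}


# Sample input: lines excerpted from the fixlist and Fixlog posted in this thread.
SAMPLE_FIXLIST = r"""
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CMD: netsh winsock reset
2015-01-28 21:49 - 2015-01-28 21:49 - 00001266 _____ () C:\Documents and Settings\Administrator.USER-737A973129\My Documents\Decrypt-All-Files-otxujsi.txt
2015-01-25 19:10 - 2015-01-30 19:10 - 00000450 _____ () C:\WINDOWS\Tasks\At3.job
Task: C:\WINDOWS\Tasks\gvalzrh.job => C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe
AlternateDataStreams: C:\setup.exe:SummaryInformation
C:\Documents and Settings\USER\yhenfeqv.exe
""".strip().splitlines()
SAMPLE_FIXLOG = r"""
HKLM => Group Policy Restriction on software restored successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Sucessfully reset the Winsock Catalog.
C:\WINDOWS\Tasks\gvalzrh.job => Moved successfully.
"C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe" => File/Directory not found.
"C:\setup.exe" => ":SummaryInformation" ADS not found.
C:\setup.exe => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\Documents and Settings\USER\yhenfeqv.exe" => File/Directory not found.
""".strip().splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_FIXLIST, SAMPLE_FIXLOG)
    print("indicators:", report["categories"])
    print("outcomes:  ", report["outcomes"])
    print("FRST could not find:", *report["missing"], sep="\n  ")
```

Run as a script it prints the report for the excerpt; for a live case, feed summarize() the contents of fixlist.txt and Fixlog.txt split into lines. A "not found" target is not by itself a problem (xXToffeeXx notes above that razvrtg.exe may have deleted itself), but it is exactly the list to re-check in the follow-up FRST scan, along with anything that parses as "unknown".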


#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:31 PM

Posted 05 February 2015 - 11:08 AM

Hi Waysender,
 
Good to hear :)
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
xXToffeeXx~




#7 Waysender

Waysender
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nebraska
  • Local time:04:31 PM

Posted 05 February 2015 - 08:55 PM

Hello xXToffeeXx,

 

I scanned with FRST and the FRST.txt log is posted below.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-02-2015
Ran by USER (administrator) on USER-737A973129 on 05-02-2015 19:56:00
Running from C:\Documents and Settings\USER\My Documents\Downloads
Loaded Profiles: USER (Available profiles: USER & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
(ATI Technologies, Inc.) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\hidfind.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Farbar) C:\Documents and Settings\USER\My Documents\Downloads\FRST (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Microsoft Default Manager] => C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM\...\Run: [HPDJ Taskbar Utility] => C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe [188416 2003-07-28] (HP)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2005-11-10] (ATI Technologies, Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [176128 2005-10-07] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [Zune Launcher] => c:\Program Files\Zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-13] (Microsoft Corporation)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {452a78f2-4c2d-11dc-9fc0-00904b15d704} - E:\LaunchU3.exe -a
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {d0bd9ea0-2903-11dc-9fac-00904b15d704} - E:\SETUP.EXE
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {d7cda0d0-a6c0-11dc-9fd7-00904b15d704} - E:\MRI.exe
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?PC=BNHP
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} http://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11
 
FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-07]
 
Chrome: 
=======
CHR Profile: C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-30]
CHR Extension: (Google Drive) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-30]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-31]
CHR Extension: (YouTube) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-30]
CHR Extension: (Google Search) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-30]
CHR Extension: (Google Wallet) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-30]
CHR Extension: (Gmail) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-30]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-08-16] (Oracle Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [380928 2006-04-06] (Dell Inc.) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S4 ZuneBusEnum; c:\Program Files\Zune\ZuneBusEnum.exe [57056 2011-08-05] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc) [File not signed]
S3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [424320 2005-11-02] (Broadcom Corporation)
S3 CBEN5; C:\WINDOWS\System32\DRIVERS\cben5.sys [46108 2001-08-17] (Xircom, Inc.)
S3 CBPSp50; C:\WINDOWS\System32\Drivers\CBPSp50.sys [27072 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2005-03-21] (Adaptec, Inc.) [File not signed]
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2008-10-28] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2008-10-28] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2008-10-28] (HP)
R3 HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [208384 2005-05-03] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.SYS [1033728 2005-05-03] (Conexant Systems, Inc.)
R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2003-01-23] (Dell Computer Corporation) [File not signed]
R3 OZSCR; C:\WINDOWS\System32\DRIVERS\ozscr.sys [92550 2005-04-21] (O2Micro)
S3 PCX504; C:\WINDOWS\System32\DRIVERS\PCX504.sys [96256 2003-02-14] (Cisco Systems)
S3 PRISM_ICB; C:\WINDOWS\System32\DRIVERS\WG511ICB.sys [390016 2004-03-22] (Conexant Systems, Inc.)
S3 Ptserial; C:\WINDOWS\System32\DRIVERS\ptserial.sys [135292 2003-02-24] (PCTEL, INC.)
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
R3 STAC97; C:\WINDOWS\System32\drivers\stac97.sys [264440 2004-11-15] (SigmaTel, Inc.)
R0 Vmodem; C:\WINDOWS\System32\DRIVERS\vmodem.sys [690973 2003-05-30] (PCTEL, INC.)
R0 Vpctcom; C:\WINDOWS\System32\DRIVERS\vpctcom.sys [477403 2003-05-30] (PCtel, Inc.)
R0 Vvoice; C:\WINDOWS\System32\DRIVERS\vvoice.sys [66111 2003-05-28] (PCtel, Inc.)
S3 w70n51; C:\WINDOWS\System32\DRIVERS\w70n51.sys [662400 2005-07-26] (Intel® Corporation)
R2 zumbus; C:\WINDOWS\System32\DRIVERS\zumbus.sys [41472 2011-08-05] (Microsoft Corporation)
S3 CBPMp50; System32\Drivers\CBPMp50.sys [X]
S3 cleanhlp; \??\C:\Program Files\Emsisoft Anti-Malware\cleanhlp32.sys [X]
S3 MFE_RR; \??\C:\DOCUME~1\USER\LOCALS~1\Temp\mfe_rr.sys [X]
S3 RT73; system32\DRIVERS\rt73.sys [X]
S4 s24trans; system32\DRIVERS\s24trans.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 UIUSys; system32\drivers\UIUSys.sys [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S3 w29n51; system32\DRIVERS\w29n51.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\BatteryCare\WinRing0.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-03 20:43 - 2015-02-02 13:13 - 00003621 _____ () C:\Documents and Settings\USER\My Documents\fixlist.txt
2015-02-02 22:33 - 2015-02-02 22:33 - 00000667 _____ () C:\Documents and Settings\USER\Desktop\Shortcut to tdsskiller.exe.lnk
2015-02-02 22:31 - 2015-02-02 22:31 - 00000697 _____ () C:\Documents and Settings\USER\Desktop\Malwarebytes Anti-Rootkit.lnk
2015-02-02 22:31 - 2015-02-02 22:31 - 00000638 _____ () C:\Documents and Settings\USER\Desktop\Shortcut to rkill.exe.lnk
2015-02-02 22:30 - 2015-02-02 22:30 - 00000633 _____ () C:\Documents and Settings\USER\Desktop\Shortcut to FRST.exe.lnk
2015-02-02 14:09 - 2015-02-05 19:56 - 00000000 ____D () C:\FRST
2015-02-01 14:44 - 2015-02-02 13:13 - 00003621 _____ () C:\Documents and Settings\USER\Desktop\fixlist.txt
2015-02-01 13:04 - 2015-02-01 13:04 - 00000000 ____D () C:\Documents and Settings\USER\Application Data\R-TT
2015-02-01 13:03 - 2015-02-01 15:42 - 00000000 ____D () C:\Program Files\R-Studio
2015-02-01 13:03 - 2015-02-01 13:04 - 00000000 ____D () C:\Documents and Settings\USER\My Documents\R-TT
2015-01-30 00:53 - 2015-01-30 00:53 - 00000000 ____D () C:\Program Files\Tweaking.com
2015-01-29 21:28 - 2015-01-31 21:27 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-01-29 21:25 - 2015-01-31 21:27 - 00000000 ____D () C:\Documents and Settings\USER\Desktop\mbar
2015-01-29 21:00 - 2015-01-29 21:00 - 00000162 ____H () C:\Documents and Settings\USER\Desktop\~$Rkill.TXT.otxujsi
2015-01-29 20:44 - 2015-01-29 20:44 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\MFAData
2015-01-29 20:41 - 2015-01-29 20:43 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\AvgSetupLog
2015-01-29 20:39 - 2015-01-29 20:39 - 00023368 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-01-29 17:42 - 2015-01-29 18:46 - 00004741 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Desktop\avgrep.txt
2015-01-28 21:44 - 2015-01-28 21:44 - 00000000 __SHD () C:\Documents and Settings\Administrator.USER-737A973129\PrivacIE
2015-01-28 21:43 - 2015-01-28 21:43 - 00008528 _____ () C:\HELP_DECRYPT.HTML
2015-01-28 21:43 - 2015-01-28 21:43 - 00004204 _____ () C:\HELP_DECRYPT.TXT
2015-01-28 21:43 - 2015-01-28 21:43 - 00000272 _____ () C:\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\NetworkService\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00008528 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\NetworkService\Local Settings\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00004204 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00008528 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:40 - 2015-01-28 21:40 - 00008528 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:40 - 2015-01-28 21:40 - 00008528 _____ () C:\Documents and Settings\Administrator.USER-737A973129\HELP_DECRYPT.HTML
2015-01-28 21:40 - 2015-01-28 21:40 - 00004204 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\HELP_DECRYPT.TXT
2015-01-28 21:40 - 2015-01-28 21:40 - 00004204 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-28 21:40 - 2015-01-28 21:40 - 00004204 _____ () C:\Documents and Settings\Administrator.USER-737A973129\HELP_DECRYPT.TXT
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00008528 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\HELP_DECRYPT.HTML
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\HELP_DECRYPT.URL
2015-01-28 21:37 - 2015-01-29 22:54 - 00000000 ____D () C:\WINDOWS\FrameworkUpdate
2015-01-28 21:37 - 2015-01-28 21:37 - 00000480 ____H () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\麽鎒駓覜
2015-01-28 21:35 - 2015-01-28 21:35 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\Macromedia
2015-01-28 21:34 - 2015-01-28 21:34 - 00000000 __SHD () C:\Documents and Settings\Administrator.USER-737A973129\IETldCache
2015-01-28 21:34 - 2015-01-28 21:34 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\Adobe
2015-01-28 21:33 - 2015-01-28 21:41 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Google
2015-01-28 20:30 - 2015-01-28 21:33 - 00004928 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Desktop\avgrep.TXT.otxujsi
2015-01-28 20:29 - 2015-01-28 20:29 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Avg
2015-01-28 20:28 - 2015-01-29 20:51 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Avg2015
2015-01-28 20:26 - 2015-01-29 22:54 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Temp
2015-01-28 20:26 - 2015-01-29 20:50 - 00000178 ___SH () C:\Documents and Settings\Administrator.USER-737A973129\ntuser.ini
2015-01-28 20:26 - 2015-01-28 21:44 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129
2015-01-28 20:26 - 2012-10-27 15:39 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\TuneUp Software
2015-01-28 20:26 - 2009-12-21 23:57 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Adobe
2015-01-28 20:26 - 2005-08-12 04:02 - 00001599 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Remote Assistance.lnk
2015-01-28 20:26 - 2005-08-12 04:02 - 00000000 ___RD () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Accessories
2015-01-28 20:26 - 2005-08-12 04:01 - 00000792 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Windows Media Player.lnk
2015-01-27 18:09 - 2015-01-29 22:57 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{D999F8ED-946A-4C7B-9148-DAEFD27EE21B}
2015-01-25 19:11 - 2015-01-28 21:40 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP Photo Creations
2015-01-25 19:11 - 2015-01-25 19:11 - 00001742 _____ () C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Program Files\HP Photo Creations
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Visan
2015-01-25 19:10 - 2015-01-25 19:17 - 00000000 ____D () C:\Documents and Settings\USER\Application Data\HpUpdate
2015-01-25 19:09 - 2015-01-25 19:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HP
2015-01-25 19:09 - 2015-01-25 19:09 - 00001921 _____ () C:\Documents and Settings\All Users\Desktop\HP ENVY 4500 series.lnk
2015-01-25 19:09 - 2015-01-25 19:09 - 00000883 _____ () C:\Documents and Settings\All Users\Desktop\Shop for Supplies - HP ENVY 4500 series.lnk
2015-01-25 19:09 - 2014-07-21 15:33 - 00597512 ____N (Hewlett-Packard Development Company, LP) C:\WINDOWS\system32\HPDiscoPMC511.dll
2015-01-25 19:09 - 2012-12-15 18:38 - 02525368 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\HPScanTRDrv_EN4500.dll
2015-01-25 19:09 - 2012-12-15 18:38 - 00417464 _____ (Hewlett-Packard) C:\WINDOWS\system32\HPWia1_EN4500.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00536760 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkstsC511.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00271032 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkstsC511LM.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00222904 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkcoiC511.dll
2015-01-25 19:08 - 2012-12-15 16:45 - 02220216 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkinsC511.exe
2015-01-25 19:06 - 2015-01-25 19:06 - 00000057 _____ () C:\Documents and Settings\All Users\Application Data\Ament.ini
2015-01-25 19:02 - 2015-01-25 19:37 - 00000000 ____D () C:\Documents and Settings\USER\Local Settings\Application Data\HP
2015-01-11 15:48 - 2015-01-11 15:50 - 00000015 _____ () C:\Documents and Settings\USER\settings.dat
2015-01-06 20:14 - 2015-02-04 18:58 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-06 20:14 - 2015-01-06 20:14 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-06 20:14 - 2015-01-06 20:14 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-06 20:13 - 2015-01-31 19:35 - 00108632 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-06 20:13 - 2015-01-28 21:46 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-06 20:13 - 2014-11-21 06:23 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-05 19:57 - 2005-08-12 04:13 - 00000000 ____D () C:\Documents and Settings\USER\Local Settings\Temp
2015-02-05 19:53 - 2013-01-05 21:54 - 00000420 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{DA803D97-3304-4E5E-BBA0-642ADF96FFF2}.job
2015-02-05 19:42 - 2005-08-12 03:59 - 01670872 ____C () C:\WINDOWS\WindowsUpdate.log
2015-02-05 19:40 - 2005-08-11 20:38 - 00000327 __RSH () C:\boot.ini
2015-02-05 19:40 - 2004-08-04 06:00 - 00000608 _____ () C:\WINDOWS\win.ini
2015-02-05 19:40 - 2004-08-04 06:00 - 00000227 ____C () C:\WINDOWS\system.ini
2015-02-05 19:33 - 2005-08-12 04:08 - 00000006 ___HC () C:\WINDOWS\Tasks\SA.DAT
2015-02-05 19:33 - 2005-08-11 20:43 - 00000159 ____C () C:\WINDOWS\wiadebug.log
2015-02-05 19:33 - 2005-08-11 20:43 - 00000048 ____C () C:\WINDOWS\wiaservc.log
2015-02-05 19:33 - 2004-08-04 06:00 - 00002206 ____C () C:\WINDOWS\system32\wpa.dbl
2015-02-04 21:33 - 2005-08-12 04:08 - 00032554 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-04 21:32 - 2005-08-12 04:13 - 00000178 __SHC () C:\Documents and Settings\USER\ntuser.ini
2015-02-02 13:43 - 2005-06-29 09:06 - 00000000 ____D () C:\Documents and Settings\USER\My Documents\General Information
2015-01-31 19:21 - 2005-08-11 20:39 - 00231513 _____ () C:\WINDOWS\setupact.log
2015-01-30 18:49 - 2012-08-13 20:24 - 00000000 ____D () C:\WINDOWS\pss
2015-01-30 18:47 - 2014-12-05 00:17 - 00000000 ____D () C:\Program Files\Emsisoft Anti-Malware
2015-01-30 00:33 - 2005-06-29 09:05 - 00000000 ____D () C:\Documents and Settings\USER\My Documents\Story Time
2015-01-30 00:32 - 2012-09-06 17:58 - 00002473 _____ () C:\Documents and Settings\USER\Desktop\Microsoft Word.lnk
2015-01-29 22:57 - 2011-11-11 23:28 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2641690$
2015-01-29 20:51 - 2015-01-03 21:57 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
2015-01-29 20:51 - 2015-01-03 21:41 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2015-01-29 20:48 - 2015-01-03 22:19 - 00060030 _____ () C:\WINDOWS\setupapi.log
2015-01-29 20:44 - 2013-01-28 00:13 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG
2015-01-29 20:44 - 2013-01-07 19:32 - 00000000 ____D () C:\Program Files\AVG
2015-01-29 17:35 - 2012-01-12 17:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2631813$
2015-01-28 21:47 - 2013-10-10 16:54 - 00000000 ____D () C:\Program Files\Zune
2015-01-28 21:47 - 2013-01-28 01:07 - 00000000 ____D () C:\RegBackup
2015-01-28 21:47 - 2005-08-12 03:58 - 00000000 ____D () C:\Program Files\Outlook Express
2015-01-28 21:46 - 2014-10-28 17:10 - 00000000 ____D () C:\Program Files\iPod
2015-01-28 21:46 - 2014-10-28 17:09 - 00000000 ____D () C:\Program Files\iTunes
2015-01-28 21:42 - 2012-08-25 20:45 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\PCDr
2015-01-28 21:42 - 2010-02-07 22:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP
2015-01-28 21:42 - 2005-08-12 04:08 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-01-28 21:42 - 2005-08-12 04:06 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2015-01-28 21:42 - 2005-08-12 04:00 - 00000000 __SHD () C:\Documents and Settings\All Users\DRM
2015-01-28 21:41 - 2014-07-06 16:12 - 00000000 ____D () C:\a8ae3f591ed650812d
2015-01-28 21:41 - 2013-10-07 18:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2015-01-28 21:41 - 2013-05-04 13:37 - 00000000 ___SD () C:\Documents and Settings\Administrator
2015-01-28 21:41 - 2005-08-12 04:02 - 00000000 ____D () C:\DELL
2015-01-28 21:40 - 2015-01-04 15:05 - 00000000 ___SD () C:\ComboFix
2015-01-28 21:40 - 2015-01-04 14:20 - 00000000 ____D () C:\AdwCleaner
2015-01-28 19:38 - 2015-01-04 14:56 - 00132672 _____ () C:\TDSSKiller.3.0.0.44_28.01.2015_19.34.44_log.TXT.otxujsi
2015-01-27 21:46 - 2013-07-11 14:25 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834886$
2015-01-26 22:27 - 2007-06-19 06:22 - 00002479 ____C () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2015-01-25 19:06 - 2010-02-02 21:47 - 00000000 ____D () C:\Program Files\HP
2015-01-25 19:06 - 2005-08-11 20:31 - 00000000 ____D () C:\WINDOWS\twain_32
2015-01-14 18:22 - 2013-08-13 21:51 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 18:01 - 2007-08-16 09:47 - 110348472 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-11 15:54 - 2015-01-04 14:56 - 00132032 _____ () C:\TDSSKiller.3.0.0.42_11.01.2015_15.51.51_log.TXT.otxujsi
2015-01-06 20:13 - 2013-07-12 18:31 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
 
==================== Files in the root of some directories =======
 
2010-03-14 13:11 - 2012-08-21 12:06 - 0003584 ____C () C:\Documents and Settings\USER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-28 21:42 - 2015-01-28 21:42 - 0008528 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-01-28 21:42 - 2015-01-28 21:42 - 0045624 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-01-28 21:42 - 2015-01-28 21:42 - 0004204 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-01-28 21:42 - 2015-01-28 21:42 - 0000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
 
Files to move or delete:
====================
C:\Documents and Settings\USER\settings.dat
 
 
Some content of TEMP:
====================
C:\Documents and Settings\USER\Local Settings\Temp\MsiZap.exe
C:\Documents and Settings\USER\Local Settings\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================


#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:31 PM

Posted 07 February 2015 - 07:52 AM

Hi Waysender,
 

Also, as my files are currently encrypted will they remain safe? Should I copy them to a USB or burn them to a CD, until a decryption method becomes available?

I forgot to answer this earlier, I believe, but yes, they will stay safe. Keeping them somewhere where you know where they are would be best.
 
Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------
 
This scan can take a long time, so it is best done overnight or when you do not need the computer.
 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Emsisoft log
  • ESET log

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 Waysender

Waysender
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Nebraska
  • Local time:04:31 PM

Posted 07 February 2015 - 11:44 PM

Hello xXToffeeXx,

 

The Emsisoft Emergency Kit ran fine and the information is listed below. The ESET Scan however froze at the 99% mark on "C:\WINSSLog\WOC_Firewall2_uninstall.log". I let it go for quite a while; the timer kept running but no progress was made after that point. I listed the threat log below and will try to run it again tomorrow. Thank you.

 

Emsisoft Emergency Kit - Version 9.0
Last update: 2/7/2015 4:47:54 PM
User account: USER-737A973129\USER
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\
 
Detect PUPs: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 2/7/2015 4:49:31 PM
C:\System Volume Information\_restore{098A718E-B7A7-4024-B16D-E30C3B0C0ACF}\RP21\A0004761.exe detected: Trojan.GenericKD.2118576 (B)
 
Scanned 130317
Found 1
 
Scan end: 2/7/2015 6:32:20 PM
Scan time: 1:42:49
 
C:\System Volume Information\_restore{098A718E-B7A7-4024-B16D-E30C3B0C0ACF}\RP21\A0004761.exe Quarantined Trojan.GenericKD.2118576 (B)
 
Quarantined 1
 
ESET threat list...
 
C:\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\AdwCleaner\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\AdwCleaner\Quarantine\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\ComboFix\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R105328\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\DOS\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\DOS\NDIS2\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\DOS\NDIS2\v8.19\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\DOS\ODI\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\DOS\ODI\v8.17\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\Win2K\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\Win2K\v8.27.1\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\WinXP\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R107518\WinXP\v8.27.1\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R113575\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R113813\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\ARA\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\CHS\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\CHT\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\CSY\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\DAN\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\DEU\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\ELL\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\ENU\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\ESN\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\FIN\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\FRA\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\HEB\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\HUN\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\ITA\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\JPN\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\KOR\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\NLD\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\NOR\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\PLK\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\PTB\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\PTG\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\RUS\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\SVE\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\THA\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\Lang\TRK\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\win2000\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\win2003\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114079\XP\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114084\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114084\O2Micro\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R114084\O2Micro\Ctapi\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\DELL\drivers\R115321\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan


#10 xXToffeeXx
  • Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 10 February 2015 - 04:31 PM

Hi Waysender,

 

Was ESET able to run (we can remove the detections other ways if it does not want to work)?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#11 Waysender
  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male
  • Location:Nebraska

Posted 12 February 2015 - 09:50 PM

Hello xXToffeeXx,

 

I missed it the first time: even though it didn't finish, there was still an option to delete quarantined items. The second run found about 70 items, I checked the delete box and ran a third time. It now runs the whole way and reports a clean bill of health.



#12 xXToffeeXx
  • Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 14 February 2015 - 04:59 PM

Hi Waysender,
 
Good to hear. How is your computer running?
 
Your version of Adobe Flash is out of date.

Please follow these steps to remove older-version Adobe Flash components and update:

  • Download the latest version of Adobe Flash and save it to your desktop.
  • Note: If you use Google Chrome or Firefox then there is no need to download Adobe Flash; if you also use Internet Explorer then use that browser to download Flash.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel, and double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7/8.
  • Check (highlight) any item with Adobe Flash in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Adobe Flash uninstaller.
  • Reboot your computer once Adobe Flash is removed.
  • Then from your desktop double-click on the Adobe Flash installer to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then run as Administrator.
  • If offered any unwanted software or toolbars during installation (such as Google Chrome and Google Toolbar), just uncheck the box before continuing unless you want these programs.

--------------

Your version of Java is out of date. Older versions of programs have vulnerabilities that malicious sites can use to exploit and infect your system.

You may want to read these before you update, as most users do not use Java and have no need for it to be on their computer:
You don't need Java
W3Techs usage statistics and market share data of Java on the web
 
If you want to use Java, then please follow these steps to remove older-version Java components and update:

  • Download the latest version of Java and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel, and double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7/8.
  • Check (highlight) any item with Java in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the Java installer to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then Run as Administrator.
  • When the Java Setup - Welcome window opens, click the Install button.
  • If offered any unwanted software or toolbars during installation (such as the Ask Toolbar), just uncheck the box before continuing unless you want it.
  • Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature, and you will not have to remember to update when Java releases a new version.

xXToffeeXx~




#13 Waysender
  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male
  • Location:Nebraska

Posted 14 February 2015 - 10:38 PM

Hello xXToffeeXx,

 

My computer is running fine as far as I can tell; however, "yhenfeqv", "razvrtg", and the four "HELP_DECRYPT" programs are still listed in my startup list. I am currently in selective startup, and logging on today they were all still there. Is this something I should be concerned with, or are these just "ghosts" so to speak? If I went back to normal startup and allowed them to load, would they be detected by scans then?

 

Thank you.



#14 xXToffeeXx
  • Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 15 February 2015 - 02:43 PM

Hi Waysender,
 

Is this something I should be concerned with or are these just "ghosts" so to speak? If I went back to normal start up and allowed them to load would they be detected by scans then?

These are leftovers; the malicious files they are linked to are gone. If you go back to normal startup and then run FRST again to create a new log, I will remove them completely.
 
xXToffeeXx~



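Added example, not FRST's own logic and not part of the helper's fixlist: a small Python triage over the FRST `Run:`, `Startup:` and `InternetURL:` lines that list entries like the ones named in this thread ("yhenfeqv", "razvrtg", the HELP_DECRYPT startup items). It labels why each autorun entry deserves a second look: a target in a Temp folder, a bare executable in the profile root, no size/date/publisher metadata next to the path (unlike the legitimate entries), FRST's own `<===== ATTENTION` marker, a random-looking file name, or a non-program note file or URL shortcut in the Startup folder. The sample lines are constructed in the format of the thread's log with the ransom-note URL replaced by a placeholder; the heuristics are this example's assumptions, not FRST's rules.

```python
"""Triage autorun lines from a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread; the heuristics are this example's own
assumptions, not FRST's rules and not the helper's fixlist.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the format of the thread's FRST log; the ransom-note
# URL on the InternetURL line is replaced by a placeholder.
SAMPLE_LOG = r"""
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [yyvqgjf] => C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe <===== ATTENTION
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Run: [MSConfig] => "C:\Documents and Settings\USER\yhenfeqv.exe"
Startup: C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
InternetURL: C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://PLACEHOLDER.invalid/note
""".strip()

ATTENTION = "<===== ATTENTION"          # marker FRST itself attaches to an entry
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
META_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$")
STARTUP_RE = re.compile(r"^Startup: (?P<path>.*?) \((?P<publisher>[^)]*)\)$")
URL_RE = re.compile(r"^InternetURL: (?P<path>.*?) -> (?P<url>\S+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# an .exe sitting directly in a profile folder, e.g. C:\Documents and Settings\USER\x.exe
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\(?:documents and settings|users)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    entry: str        # Run value name, or file name for Startup folder items
    path: str         # target the autorun points at
    reasons: list     # heuristic labels that fired


def low_vowel_name(stem: str) -> bool:
    """Rough heuristic for generated names like 'yhenfeqv': six or more
    lowercase letters with fewer than 30% vowels."""
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def parse_run_target(rest: str):
    """Split the part after '=>' into (path, publisher, attention, has_meta)."""
    attention = ATTENTION in rest
    rest = rest.replace(ATTENTION, "").strip()
    m = META_RE.match(rest)
    if m:
        return m.group("path").strip('"'), m.group("publisher"), attention, True
    return rest.strip('"'), "", attention, False


def triage(log_text: str) -> list:
    """Return a Finding for every autorun line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path, _publisher, attention, has_meta = parse_run_target(m.group("rest"))
            reasons = []
            if attention:
                reasons.append("attention_marker")
            if not has_meta:          # legitimate entries carry [size date] (Publisher)
                reasons.append("no_file_metadata")
            if TEMP_RE.search(path):
                reasons.append("temp_dir")
            if PROFILE_ROOT_RE.match(path):
                reasons.append("profile_root")
            if low_vowel_name(ntpath.splitext(ntpath.basename(path))[0]):
                reasons.append("low_vowel_name")
            if reasons:
                findings.append(Finding(m.group("name"), path, reasons))
        elif m := STARTUP_RE.match(line):
            path = m.group("path")
            reasons = []
            if not m.group("publisher"):
                reasons.append("startup_item_no_publisher")
            if not path.lower().endswith((".exe", ".lnk")):   # note files, not programs
                reasons.append("startup_non_program")
            if reasons:
                findings.append(Finding(ntpath.basename(path), path, reasons))
        elif m := URL_RE.match(line):
            path = m.group("path")
            reason = "startup_url_shortcut" if "\\startup\\" in path.lower() else "url_shortcut"
            findings.append(Finding(ntpath.basename(path), path, [reason]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry:18} {', '.join(f.reasons):55} {f.path}")
```

Running it on a full FRST log (paste the Registry section into `SAMPLE_LOG` or read it from a file) leaves the signed, metadata-bearing vendor entries alone and lists only the entries worth asking about.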

#15 Waysender
  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male
  • Location:Nebraska

Posted 16 February 2015 - 08:18 PM

Hello xXToffeeXx,

 

I have run the FRST again and the results are as follows.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-02-2015
Ran by USER (administrator) on USER-737A973129 on 16-02-2015 19:20:14
Running from C:\Documents and Settings\USER\My Documents\Downloads
Loaded Profiles: USER (Available profiles: USER & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
(ATI Technologies, Inc.) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApntEx.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Farbar) C:\Documents and Settings\USER\My Documents\Downloads\FRST (2).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Microsoft Default Manager] => C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM\...\Run: [HPDJ Taskbar Utility] => C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe [188416 2003-07-28] (HP)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2005-11-10] (ATI Technologies, Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [176128 2005-10-07] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [Zune Launcher] => c:\Program Files\Zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [yyvqgjf] => C:\DOCUME~1\ADMINI~1.USE\LOCALS~1\Temp\razvrtg.exe <===== ATTENTION
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe [1347584 2005-12-19] (Dell Inc.)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\Run: [MSConfig] => "C:\Documents and Settings\USER\yhenfeqv.exe"
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {452a78f2-4c2d-11dc-9fc0-00904b15d704} - E:\LaunchU3.exe -a
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {d0bd9ea0-2903-11dc-9fac-00904b15d704} - E:\SETUP.EXE
HKU\S-1-5-21-299502267-152049171-1343024091-1003\...\MountPoints2: {d7cda0d0-a6c0-11dc-9fd7-00904b15d704} - E:\MRI.exe
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
Startup: C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
InternetURL: C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/L4jRxg
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-299502267-152049171-1343024091-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?PC=BNHP
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} http://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11
 
FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-07]
 
Chrome: 
=======
CHR Profile: C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-30]
CHR Extension: (Google Drive) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-30]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-31]
CHR Extension: (YouTube) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-30]
CHR Extension: (Google Search) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-30]
CHR Extension: (Google Wallet) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-30]
CHR Extension: (Gmail) - C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-30]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [380928 2006-04-06] (Dell Inc.) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S4 ZuneBusEnum; c:\Program Files\Zune\ZuneBusEnum.exe [57056 2011-08-05] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc) [File not signed]
S3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [424320 2005-11-02] (Broadcom Corporation)
S3 CBEN5; C:\WINDOWS\System32\DRIVERS\cben5.sys [46108 2001-08-17] (Xircom, Inc.)
S3 CBPSp50; C:\WINDOWS\System32\Drivers\CBPSp50.sys [27072 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2005-03-21] (Adaptec, Inc.) [File not signed]
S3 cleanhlp; C:\EEK\bin\cleanhlp32.sys [50200 2015-02-07] (Emsisoft GmbH)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2008-10-28] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2008-10-28] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2008-10-28] (HP)
R3 HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [208384 2005-05-03] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.SYS [1033728 2005-05-03] (Conexant Systems, Inc.)
R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2003-01-23] (Dell Computer Corporation) [File not signed]
R3 OZSCR; C:\WINDOWS\System32\DRIVERS\ozscr.sys [92550 2005-04-21] (O2Micro)
S3 PCX504; C:\WINDOWS\System32\DRIVERS\PCX504.sys [96256 2003-02-14] (Cisco Systems)
S3 PRISM_ICB; C:\WINDOWS\System32\DRIVERS\WG511ICB.sys [390016 2004-03-22] (Conexant Systems, Inc.)
S3 Ptserial; C:\WINDOWS\System32\DRIVERS\ptserial.sys [135292 2003-02-24] (PCTEL, INC.)
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
R3 STAC97; C:\WINDOWS\System32\drivers\stac97.sys [264440 2004-11-15] (SigmaTel, Inc.)
R0 Vmodem; C:\WINDOWS\System32\DRIVERS\vmodem.sys [690973 2003-05-30] (PCTEL, INC.)
R0 Vpctcom; C:\WINDOWS\System32\DRIVERS\vpctcom.sys [477403 2003-05-30] (PCtel, Inc.)
R0 Vvoice; C:\WINDOWS\System32\DRIVERS\vvoice.sys [66111 2003-05-28] (PCtel, Inc.)
S3 w70n51; C:\WINDOWS\System32\DRIVERS\w70n51.sys [662400 2005-07-26] (Intel® Corporation)
R2 zumbus; C:\WINDOWS\System32\DRIVERS\zumbus.sys [41472 2011-08-05] (Microsoft Corporation)
S3 CBPMp50; System32\Drivers\CBPMp50.sys [X]
S3 MFE_RR; \??\C:\DOCUME~1\USER\LOCALS~1\Temp\mfe_rr.sys [X]
S3 RT73; system32\DRIVERS\rt73.sys [X]
S4 s24trans; system32\DRIVERS\s24trans.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 UIUSys; system32\drivers\UIUSys.sys [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S3 w29n51; system32\DRIVERS\w29n51.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\BatteryCare\WinRing0.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-07 22:43 - 2015-02-07 22:43 - 00025708 _____ () C:\Documents and Settings\USER\Desktop\ESETScan.txt
2015-02-07 16:40 - 2015-02-07 16:40 - 00000637 _____ () C:\Documents and Settings\USER\Desktop\Start Emsisoft Emergency Kit.lnk
2015-02-07 16:38 - 2015-02-07 16:42 - 00000000 ____D () C:\EEK
2015-02-03 20:43 - 2015-02-02 13:13 - 00003621 _____ () C:\Documents and Settings\USER\My Documents\fixlist.txt
2015-02-02 22:33 - 2015-02-02 22:33 - 00000667 _____ () C:\Documents and Settings\USER\Desktop\Shortcut to tdsskiller.exe.lnk
2015-02-02 22:31 - 2015-02-02 22:31 - 00000697 _____ () C:\Documents and Settings\USER\Desktop\Malwarebytes Anti-Rootkit.lnk
2015-02-02 22:31 - 2015-02-02 22:31 - 00000638 _____ () C:\Documents and Settings\USER\Desktop\Shortcut to rkill.exe.lnk
2015-02-02 22:30 - 2015-02-02 22:30 - 00000633 _____ () C:\Documents and Settings\USER\Desktop\Shortcut to FRST.exe.lnk
2015-02-02 14:09 - 2015-02-16 19:20 - 00000000 ____D () C:\FRST
2015-02-01 14:44 - 2015-02-02 13:13 - 00003621 _____ () C:\Documents and Settings\USER\Desktop\fixlist.txt
2015-02-01 13:04 - 2015-02-01 13:04 - 00000000 ____D () C:\Documents and Settings\USER\Application Data\R-TT
2015-02-01 13:03 - 2015-02-01 15:42 - 00000000 ____D () C:\Program Files\R-Studio
2015-02-01 13:03 - 2015-02-01 13:04 - 00000000 ____D () C:\Documents and Settings\USER\My Documents\R-TT
2015-01-30 00:53 - 2015-01-30 00:53 - 00000000 ____D () C:\Program Files\Tweaking.com
2015-01-29 21:28 - 2015-01-31 21:27 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-01-29 21:25 - 2015-01-31 21:27 - 00000000 ____D () C:\Documents and Settings\USER\Desktop\mbar
2015-01-29 21:00 - 2015-01-29 21:00 - 00000162 ____H () C:\Documents and Settings\USER\Desktop\~$Rkill.TXT.otxujsi
2015-01-29 20:44 - 2015-01-29 20:44 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\MFAData
2015-01-29 20:41 - 2015-01-29 20:43 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\AvgSetupLog
2015-01-29 20:39 - 2015-01-29 20:39 - 00023368 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-01-29 17:42 - 2015-01-29 18:46 - 00004741 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Desktop\avgrep.txt
2015-01-28 21:44 - 2015-01-28 21:44 - 00000000 __SHD () C:\Documents and Settings\Administrator.USER-737A973129\PrivacIE
2015-01-28 21:43 - 2015-01-28 21:43 - 00000272 _____ () C:\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2015-01-28 21:42 - 2015-01-28 21:42 - 00000272 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:40 - 2015-01-28 21:40 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00001376 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\HELP_DECRYPT.TXT.otxujsi
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
2015-01-28 21:39 - 2015-01-28 21:39 - 00000272 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\HELP_DECRYPT.URL
2015-01-28 21:37 - 2015-01-29 22:54 - 00000000 ____D () C:\WINDOWS\FrameworkUpdate
2015-01-28 21:37 - 2015-01-28 21:37 - 00000480 ____H () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\麽鎒駓覜
2015-01-28 21:35 - 2015-01-28 21:35 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\Macromedia
2015-01-28 21:34 - 2015-01-28 21:34 - 00000000 __SHD () C:\Documents and Settings\Administrator.USER-737A973129\IETldCache
2015-01-28 21:34 - 2015-01-28 21:34 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\Adobe
2015-01-28 21:33 - 2015-02-11 19:05 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Google
2015-01-28 20:30 - 2015-01-28 21:33 - 00004928 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Desktop\avgrep.TXT.otxujsi
2015-01-28 20:29 - 2015-01-28 20:29 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Avg
2015-01-28 20:28 - 2015-01-29 20:51 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Avg2015
2015-01-28 20:26 - 2015-02-07 20:09 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129
2015-01-28 20:26 - 2015-01-29 22:54 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Temp
2015-01-28 20:26 - 2015-01-29 20:50 - 00000178 ___SH () C:\Documents and Settings\Administrator.USER-737A973129\ntuser.ini
2015-01-28 20:26 - 2012-10-27 15:39 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Application Data\TuneUp Software
2015-01-28 20:26 - 2009-12-21 23:57 - 00000000 ____D () C:\Documents and Settings\Administrator.USER-737A973129\Local Settings\Application Data\Adobe
2015-01-28 20:26 - 2005-08-12 04:02 - 00001599 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Remote Assistance.lnk
2015-01-28 20:26 - 2005-08-12 04:02 - 00000000 ___RD () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Accessories
2015-01-28 20:26 - 2005-08-12 04:01 - 00000792 _____ () C:\Documents and Settings\Administrator.USER-737A973129\Start Menu\Programs\Windows Media Player.lnk
2015-01-27 18:09 - 2015-01-29 22:57 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{D999F8ED-946A-4C7B-9148-DAEFD27EE21B}
2015-01-25 19:11 - 2015-01-28 21:40 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP Photo Creations
2015-01-25 19:11 - 2015-01-25 19:11 - 00001742 _____ () C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Program Files\HP Photo Creations
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2015-01-25 19:11 - 2015-01-25 19:11 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Visan
2015-01-25 19:10 - 2015-02-09 18:04 - 00000000 ____D () C:\Documents and Settings\USER\Application Data\HpUpdate
2015-01-25 19:09 - 2015-01-25 19:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HP
2015-01-25 19:09 - 2015-01-25 19:09 - 00001921 _____ () C:\Documents and Settings\All Users\Desktop\HP ENVY 4500 series.lnk
2015-01-25 19:09 - 2015-01-25 19:09 - 00000883 _____ () C:\Documents and Settings\All Users\Desktop\Shop for Supplies - HP ENVY 4500 series.lnk
2015-01-25 19:09 - 2014-07-21 15:33 - 00597512 ____N (Hewlett-Packard Development Company, LP) C:\WINDOWS\system32\HPDiscoPMC511.dll
2015-01-25 19:09 - 2012-12-15 18:38 - 02525368 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\HPScanTRDrv_EN4500.dll
2015-01-25 19:09 - 2012-12-15 18:38 - 00417464 _____ (Hewlett-Packard) C:\WINDOWS\system32\HPWia1_EN4500.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00536760 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkstsC511.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00271032 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkstsC511LM.dll
2015-01-25 19:08 - 2012-12-15 18:38 - 00222904 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkcoiC511.dll
2015-01-25 19:08 - 2012-12-15 16:45 - 02220216 _____ (Hewlett-Packard Co.) C:\WINDOWS\system32\hpinkinsC511.exe
2015-01-25 19:06 - 2015-01-25 19:06 - 00000057 _____ () C:\Documents and Settings\All Users\Application Data\Ament.ini
2015-01-25 19:02 - 2015-01-25 19:37 - 00000000 ____D () C:\Documents and Settings\USER\Local Settings\Application Data\HP
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-16 19:21 - 2005-08-12 04:13 - 00000000 ____D () C:\Documents and Settings\USER\Local Settings\Temp
2015-02-16 19:14 - 2005-08-12 03:59 - 01891143 ____C () C:\WINDOWS\WindowsUpdate.log
2015-02-16 19:07 - 2013-01-05 21:54 - 00000420 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{DA803D97-3304-4E5E-BBA0-642ADF96FFF2}.job
2015-02-16 19:05 - 2005-08-12 04:08 - 00000006 ___HC () C:\WINDOWS\Tasks\SA.DAT
2015-02-16 19:05 - 2005-08-11 20:43 - 00000159 ____C () C:\WINDOWS\wiadebug.log
2015-02-16 19:05 - 2005-08-11 20:43 - 00000049 ____C () C:\WINDOWS\wiaservc.log
2015-02-16 19:05 - 2004-08-04 06:00 - 00002206 ____C () C:\WINDOWS\system32\wpa.dbl
2015-02-16 19:04 - 2005-08-12 04:13 - 00000178 __SHC () C:\Documents and Settings\USER\ntuser.ini
2015-02-16 19:04 - 2005-08-12 04:08 - 00032574 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-16 19:04 - 2005-08-11 20:38 - 00000327 __RSH () C:\boot.ini
2015-02-16 19:04 - 2004-08-04 06:00 - 00000608 _____ () C:\WINDOWS\win.ini
2015-02-16 19:04 - 2004-08-04 06:00 - 00000227 ____C () C:\WINDOWS\system.ini
2015-02-15 14:21 - 2005-06-29 09:06 - 00000000 ____D () C:\Documents and Settings\USER\My Documents\General Information
2015-02-15 13:56 - 2012-09-06 17:58 - 00002473 _____ () C:\Documents and Settings\USER\Desktop\Microsoft Word.lnk
2015-02-11 21:13 - 2013-01-28 01:07 - 00000000 ____D () C:\RegBackup
2015-02-11 21:13 - 2012-08-13 20:24 - 00000000 ____D () C:\WINDOWS\pss
2015-02-11 21:01 - 2012-08-25 20:45 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\PCDr
2015-02-11 21:01 - 2005-08-12 04:08 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-02-11 21:01 - 2005-08-12 04:06 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2015-02-11 21:01 - 2005-08-12 04:00 - 00000000 __SHD () C:\Documents and Settings\All Users\DRM
2015-02-11 19:05 - 2013-10-07 18:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2015-02-11 19:05 - 2013-05-04 13:37 - 00000000 ___SD () C:\Documents and Settings\Administrator
2015-02-11 19:05 - 2010-02-07 22:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP
2015-02-11 15:49 - 2013-08-13 21:51 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-11 15:48 - 2007-08-16 09:47 - 113756392 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-09 20:00 - 2015-01-04 15:05 - 00000000 ___SD () C:\ComboFix
2015-02-09 20:00 - 2015-01-04 14:20 - 00000000 ____D () C:\AdwCleaner
2015-02-09 20:00 - 2005-08-12 04:02 - 00000000 ____D () C:\DELL
2015-02-04 18:58 - 2015-01-06 20:14 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-31 19:35 - 2015-01-06 20:13 - 00108632 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-31 19:21 - 2005-08-11 20:39 - 00231513 _____ () C:\WINDOWS\setupact.log
2015-01-30 18:47 - 2014-12-05 00:17 - 00000000 ____D () C:\Program Files\Emsisoft Anti-Malware
2015-01-30 00:33 - 2005-06-29 09:05 - 00000000 ____D () C:\Documents and Settings\USER\My Documents\Story Time
2015-01-29 22:57 - 2011-11-11 23:28 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2641690$
2015-01-29 20:51 - 2015-01-03 21:57 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
2015-01-29 20:51 - 2015-01-03 21:41 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2015-01-29 20:48 - 2015-01-03 22:19 - 00060030 _____ () C:\WINDOWS\setupapi.log
2015-01-29 20:44 - 2013-01-28 00:13 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG
2015-01-29 20:44 - 2013-01-07 19:32 - 00000000 ____D () C:\Program Files\AVG
2015-01-29 17:35 - 2012-01-12 17:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2631813$
2015-01-28 21:47 - 2013-10-10 16:54 - 00000000 ____D () C:\Program Files\Zune
2015-01-28 21:47 - 2005-08-12 03:58 - 00000000 ____D () C:\Program Files\Outlook Express
2015-01-28 21:46 - 2015-01-06 20:13 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-28 21:46 - 2014-10-28 17:10 - 00000000 ____D () C:\Program Files\iPod
2015-01-28 21:46 - 2014-10-28 17:09 - 00000000 ____D () C:\Program Files\iTunes
2015-01-28 21:41 - 2014-07-06 16:12 - 00000000 ____D () C:\a8ae3f591ed650812d
2015-01-28 19:38 - 2015-01-04 14:56 - 00132672 _____ () C:\TDSSKiller.3.0.0.44_28.01.2015_19.34.44_log.TXT.otxujsi
2015-01-27 21:46 - 2013-07-11 14:25 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834886$
2015-01-26 22:27 - 2007-06-19 06:22 - 00002479 ____C () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2015-01-25 19:06 - 2010-02-02 21:47 - 00000000 ____D () C:\Program Files\HP
2015-01-25 19:06 - 2005-08-11 20:31 - 00000000 ____D () C:\WINDOWS\twain_32
 
==================== Files in the root of some directories =======
 
2010-03-14 13:11 - 2012-08-21 12:06 - 0003584 ____C () C:\Documents and Settings\USER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-28 21:42 - 2015-01-28 21:42 - 0045624 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-01-28 21:42 - 2015-01-28 21:42 - 0000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
 
Files to move or delete:
====================
C:\Documents and Settings\USER\settings.dat
 
 
Some content of TEMP:
====================
C:\Documents and Settings\USER\Local Settings\Temp\MsiZap.exe
C:\Documents and Settings\USER\Local Settings\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================