
Please Help Me with Removing CryptoWall malware


  • This topic is locked
9 replies to this topic

#1 okcitian


  • Members
  • 7 posts
  • Gender:Male

Posted 03 February 2015 - 05:19 PM

I have been battling this for about a week before I found your site. I am not a veteran computer user, but I have enough knowledge to be dangerous. That being said, I might not have done everything the way it was supposed to have been done. Whatever I need to do, please let me know, and I will try to make it happen. I realize that I have probably lost some/most of my files, but that is fine, as I want to save as many as I can and want a computer that is not infected. I have three different users on the computer, but only one user receives the encrypt messages on start-up. I have deleted some of the encrypt-help files in some folders. Here are the attached files from the Farbar Recovery Scan Tool. I appreciate your help. Thank you!

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
Ran by ShawHome (administrator) on SHAWHOME-THINK on 03-02-2015 15:59:37
Running from C:\Users\Nancy\Desktop
Loaded Profiles: ShawHome & Nancy (Available profiles: ShawHome & Steven C & Nancy & Guest)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(pdfforge GmbH) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GmbH) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Spotify Ltd) C:\Users\Nancy\AppData\Roaming\Spotify\Data\SPOTIF~2.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(LITE-ON TECHNOLOGY CORP.) C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skd8821.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(AVG Technologies) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe
(Ulead Systems, Inc.) C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(AVG Technologies) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\saUI.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11775592 2014-12-12] (Realtek Semiconductor)
HKLM\...\Run: [Skd8821] => C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skd8821.exe [384000 2010-08-04] (LITE-ON TECHNOLOGY CORP.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3674576 2015-01-06] (AVG Technologies CZ, s.r.o.)
HKLM\...\RunOnce: [*CryptoPrevent Test] => C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPrevent.exe [1612944 2014-12-23] (Foolish IT LLC)
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Appdata\Roaming\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: bcdedit.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\896\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-612788510-4205522902-714117695-1000\...\MountPoints2: {60be61c3-4ef1-11e1-a344-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-612788510-4205522902-714117695-1000\...\MountPoints2: {edc9cc25-cc84-11e1-a815-fd1eb5752fe4} - F:\LaunchU3.exe -a
HKU\S-1-5-21-612788510-4205522902-714117695-1005\...\Run: [Spotify Web Helper] => C:\Users\Nancy\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-11-11] (Spotify Ltd)
HKU\S-1-5-21-612788510-4205522902-714117695-1005\...\MountPoints2: {60be61c3-4ef1-11e1-a344-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-612788510-4205522902-714117695-1005\...\MountPoints2: {edc9cc25-cc84-11e1-a815-fd1eb5752fe4} - F:\LaunchU3.exe -a
Startup: C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
InternetURL: C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/1axUke2
Startup: C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Steven C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-612788510-4205522902-714117695-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
HKU\S-1-5-21-612788510-4205522902-714117695-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKU\S-1-5-21-612788510-4205522902-714117695-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre
HKU\S-1-5-21-612788510-4205522902-714117695-1005\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKU\S-1-5-21-612788510-4205522902-714117695-1000 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
URLSearchHook: HKU\S-1-5-21-612788510-4205522902-714117695-1000 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {2B9E5F0A-2A66-48E3-A456-5AD94F1CCB36} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US636D20130228&p={SearchTerms}
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-612788510-4205522902-714117695-1000 -> {3102C69F-B4DD-458A-A673-838F66FA7B4C} URL = http://www.bing.com/search?FORM=BDKTDF&PC=BDT3&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-612788510-4205522902-714117695-1000 -> {BE4FB107-315D-4070-BF0D-39F306FFC3D8} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US636D20130228&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-612788510-4205522902-714117695-1000 -> {E62FF26A-F3A8-4FFC-8C85-C6408EB8C30E} URL = https://search.yahoo.com/search?fr=mcafee&type=A011US636&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> DefaultScope {F9C420B0-FC7F-4514-BA2C-787AE53131F0} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US636D20130228&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENP_enUS491
SearchScopes: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> {92A6749F-E848-4510-958A-2E2FE2BF7474} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> {F9C420B0-FC7F-4514-BA2C-787AE53131F0} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US636D20130228&p={SearchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GmbH)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\j2re1.4.2\bin\ssv.dll No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Ads Removal -> {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} -> C:\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Adblock.dll (Adblock)
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\j2re1.4.2\bin\jp2ssv.dll No File
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: HKLM-x32 {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12

FireFox:
========
FF ProfilePath: C:\Users\ShawHome\AppData\Roaming\Mozilla\Firefox\Profiles\u207joz1.default
FF DefaultSearchEngine: Secure Search
FF SearchEngineOrder.1: Secure Search
FF SelectedSearchEngine: Secure Search
FF Homepage: hxxp://www.google.com
FF Keyword.URL: https://search.yahoo.com/search?fr=mcafee&type=B111US636D20130228&p=
FF Keyword.URL: hxxp://search.yahoo.com/search?fr=mcafee&type=A111US636&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll ()
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\dtplugin\npDeployJava1.dll No File
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll (McAfee, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @sony.com/eBookLibrary -> C:\Program Files (x86)\Sony\Reader\Data\bin\npebldetectmoz.dll (Sony Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-612788510-4205522902-714117695-1005: @nsroblox.roblox.com/launcher -> C:\Users\Nancy\AppData\Local\Roblox\Versions\version-d11d3bd1dfae46fa\\NPRobloxProxy.dll ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-612788510-4205522902-714117695-1005: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Nancy\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\ShawHome\AppData\Roaming\Mozilla\Firefox\Profiles\u207joz1.default\searchplugins\aol-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\McSiteAdvisor.xml
FF Extension: Cox Secure Browsing - C:\Users\ShawHome\AppData\Roaming\Mozilla\Firefox\Profiles\u207joz1.default\Extensions\idvaultaddin@whitesky [2013-01-05]
FF Extension: EPUBReader - C:\Users\ShawHome\AppData\Roaming\Mozilla\Firefox\Profiles\u207joz1.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2015-01-11]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2013-02-28]
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2014-01-16]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2013-02-28]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3310031&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SPB3110C72-1026-4765-965A-AF4C686859C9&SSPV="
CHR DefaultSearchKeyword: Default -> conduit.search
CHR Profile: C:\Users\ShawHome\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\ShawHome\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-23]
CHR Extension: (SiteAdvisor) - C:\Users\ShawHome\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2013-01-12]
CHR Extension: (Google Wallet) - C:\Users\ShawHome\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-18]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-01-12]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgfws; C:\Program Files (x86)\AVG\AVG2015\avgfws.exe [1507632 2015-01-06] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3440080 2015-01-06] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [309232 2015-01-06] (AVG Technologies CZ, s.r.o.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [154320 2014-12-03] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [603424 2014-09-04] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-08-20] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1320496 2013-04-08] (pdfforge GmbH)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [799280 2013-04-08] (pdfforge GmbH)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 Sony SCSI Helper Service; C:\Program Files (x86)\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe [73728 2010-04-02] (Sony Corporation) [File not signed]
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [2604856 2014-11-24] (AVG Technologies)
R2 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2008-01-10] (Ulead Systems, Inc.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 vToolbarUpdater18.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\ToolbarUpdater.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [57144 2013-09-26] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [260888 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [203544 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2014-12-12] (REALiX™)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [445512 2014-08-20] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-08-20] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R1 SDHookDriver; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys [64160 2014-04-25] ()
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [14112 2014-11-24] (TuneUp Software)
R3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [40248 2011-05-30] (Lenovo Information Product(ShenZhen China) Inc.)
U5 UnlockerDriver5; C:\Program Files (x86)\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 keycrypt; system32\DRIVERS\KeyCrypt64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-03 15:59 - 2015-02-03 16:01 - 00044355 _____ () C:\Users\Nancy\Desktop\FRST.txt
2015-02-03 15:59 - 2015-02-03 15:59 - 00000000 ____D () C:\FRST
2015-02-03 15:53 - 2015-02-03 15:53 - 02131456 _____ (Farbar) C:\Users\Nancy\Desktop\FRST64.exe
2015-02-01 20:59 - 2015-02-01 20:59 - 00452424 _____ (Bleeping Computer, LLC) C:\Users\Nancy\Downloads\ListCWall(2).exe
2015-02-01 20:57 - 2015-02-01 20:57 - 00452424 _____ (Bleeping Computer, LLC) C:\Users\Nancy\Downloads\ListCWall(1).exe
2015-02-01 20:20 - 2015-02-01 20:20 - 00000000 ____D () C:\ProgramData\Sun
2015-02-01 14:54 - 2015-02-01 14:55 - 00005120 _____ () C:\Users\ShawHome\Documents\AdwCleaner[S2].txt
2015-02-01 14:32 - 2015-02-01 14:33 - 02194432 _____ () C:\Users\ShawHome\Desktop\AdwCleaner.exe
2015-02-01 14:27 - 2015-02-01 14:27 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\ShawHome\Desktop\iexplore.exe.exe
2015-02-01 13:46 - 2015-02-01 13:46 - 00452424 _____ (Bleeping Computer, LLC) C:\Users\Nancy\Downloads\ListCWall.exe
2015-02-01 11:58 - 2015-02-01 11:59 - 01419748 _____ () C:\Users\ShawHome\Downloads\ESETPoweliksCleaner.exe_20150201.115802.8764.log
2015-02-01 11:56 - 2015-02-01 11:56 - 00190152 _____ (ESET) C:\Users\ShawHome\Downloads\ESETPoweliksCleaner.exe
2015-02-01 11:17 - 2015-02-01 11:17 - 00000000 ____D () C:\Users\ShawHome\AppData\Local\AVG Web TuneUp
2015-02-01 09:24 - 2015-02-01 09:24 - 00053248 _____ () C:\Windows\SysWOW64\zlib.dll
2015-02-01 09:24 - 2015-02-01 09:24 - 00001183 _____ () C:\Users\Public\Desktop\CryptoPrevent.lnk
2015-02-01 09:24 - 2015-02-01 09:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foolish IT
2015-02-01 09:24 - 2015-02-01 09:24 - 00000000 ____D () C:\ProgramData\Foolish IT
2015-02-01 09:24 - 2015-02-01 09:24 - 00000000 ____D () C:\Program Files (x86)\Foolish IT
2015-02-01 09:23 - 2015-02-01 09:23 - 00971528 _____ (Foolish IT LLC ) C:\Users\Nancy\Downloads\CryptoPreventSetup.exe
2015-02-01 00:43 - 2015-02-01 00:43 - 02194432 _____ () C:\Users\Nancy\Downloads\adwcleaner_4.109.exe
2015-01-31 23:21 - 2015-01-31 23:21 - 00000000 ____D () C:\Users\Steven C\AppData\Roaming\AVG
2015-01-31 23:16 - 2015-01-31 23:16 - 00000000 ____D () C:\Users\Steven C\AppData\Roaming\AVG2015
2015-01-31 23:16 - 2015-01-31 23:16 - 00000000 ____D () C:\Users\Steven C\AppData\Local\AVG Web TuneUp
2015-01-31 23:15 - 2015-01-31 23:15 - 00000000 ____D () C:\Users\Steven C\AppData\Local\Avg2015
2015-01-31 23:15 - 2015-01-31 23:15 - 00000000 ____D () C:\Users\Steven C\AppData\Local\Avg
2015-01-30 23:18 - 2015-01-30 23:18 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-30 21:38 - 2015-01-30 21:38 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\AVG
2015-01-30 21:32 - 2015-01-30 21:32 - 00000000 ____D () C:\Users\Nancy\AppData\Local\Avg
2015-01-30 21:30 - 2014-11-24 12:48 - 00040248 _____ (AVG Technologies) C:\Windows\system32\TURegOpt.exe
2015-01-30 21:30 - 2014-11-24 12:48 - 00029496 _____ (AVG Technologies) C:\Windows\system32\authuitu.dll
2015-01-30 21:30 - 2014-11-24 12:48 - 00025400 _____ (AVG Technologies) C:\Windows\SysWOW64\authuitu.dll
2015-01-30 21:29 - 2015-01-30 21:29 - 00002196 _____ () C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk
2015-01-30 21:29 - 2015-01-30 21:29 - 00002182 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp 2015.lnk
2015-01-30 21:29 - 2015-01-30 21:29 - 00002170 _____ () C:\Users\Public\Desktop\AVG PC TuneUp 2015.lnk
2015-01-30 21:29 - 2015-01-30 21:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp 2015
2015-01-30 21:27 - 2015-01-30 21:27 - 00000000 ____D () C:\Users\ShawHome\AppData\Roaming\AVG
2015-01-30 21:15 - 2015-01-30 21:15 - 00000000 ____D () C:\Users\ShawHome\AppData\Local\Avg
2015-01-30 21:12 - 2015-01-30 21:31 - 00000000 ____D () C:\ProgramData\AVG
2015-01-30 21:11 - 2015-01-30 21:45 - 90844984 _____ (AVG Technologies) C:\Users\Nancy\Downloads\avg_tuh_stf_all_2015_238_24c4(1).exe
2015-01-30 21:11 - 2015-01-30 21:11 - 90844984 _____ (AVG Technologies) C:\Users\Nancy\Downloads\avg_tuh_stf_all_2015_238_24c4.exe
2015-01-30 19:40 - 2015-01-30 19:40 - 00000000 ____D () C:\Users\Nancy\AppData\Local\AVG Web TuneUp
2015-01-30 19:37 - 2015-01-30 19:37 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\TuneUp Software
2015-01-30 19:36 - 2015-01-30 19:36 - 00000000 ____D () C:\ProgramData\AVG Web TuneUp
2015-01-30 19:36 - 2015-01-30 19:36 - 00000000 ____D () C:\Program Files (x86)\AVG Web TuneUp
2015-01-30 19:32 - 2015-01-30 19:35 - 00000000 ____D () C:\Users\Nancy\AppData\Local\Avg2015
2015-01-30 19:32 - 2015-01-30 19:32 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\AVG2015
2015-01-30 19:28 - 2015-01-30 19:28 - 00000000 ____D () C:\Users\ShawHome\AppData\Roaming\AVG2015
2015-01-30 19:25 - 2015-01-30 19:25 - 00000936 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2015-01-30 19:25 - 2015-01-30 19:25 - 00000000 ____D () C:\Users\ShawHome\AppData\Roaming\TuneUp Software
2015-01-30 19:25 - 2015-01-30 19:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-01-30 19:23 - 2015-01-30 20:06 - 00000000 ____D () C:\ProgramData\AVG2015
2015-01-30 19:23 - 2015-01-30 19:23 - 00000000 ___HD () C:\$AVG
2015-01-30 19:21 - 2015-01-30 21:25 - 00000000 ____D () C:\Program Files (x86)\AVG
2015-01-30 19:15 - 2015-02-03 15:26 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-30 19:15 - 2015-01-30 19:27 - 00000000 ____D () C:\Users\ShawHome\AppData\Local\Avg2015
2015-01-30 19:15 - 2015-01-30 19:15 - 00000000 ____D () C:\Users\ShawHome\AppData\Local\MFAData
2015-01-30 19:14 - 2015-01-30 19:14 - 04637504 _____ (AVG Technologies) C:\Users\Nancy\Downloads\avg_free_stb_all_2015_5557_cnet.exe
2015-01-30 19:08 - 2015-02-01 21:02 - 00000000 ____D () C:\Users\Nancy\AppData\Local\WinZip
2015-01-30 16:29 - 2015-01-30 16:29 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Nancy\Downloads\tdsskiller.exe
2015-01-30 15:35 - 2015-02-01 12:51 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-30 15:35 - 2015-01-30 15:35 - 00001073 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-30 15:35 - 2015-01-30 15:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-30 15:35 - 2015-01-30 15:35 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-30 15:35 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-30 15:35 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-30 15:35 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-30 15:33 - 2015-01-30 15:33 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Nancy\Downloads\mbam-setup-2.0.4.1028.exe
2015-01-29 16:47 - 2015-01-29 16:47 - 00000000 ____D () C:\Users\Steven C\AppData\Local\Microsoft Games
2015-01-29 15:49 - 2015-01-29 15:49 - 00000000 _____ () C:\Users\Nancy\Downloads\CT2015_Decrypter.zip
2015-01-29 15:43 - 2015-01-29 15:43 - 00025088 _____ () C:\Users\Nancy\Desktop\XXXXXXXX(1)Test.xls
2015-01-28 16:54 - 2015-01-28 16:55 - 63836160 _____ () C:\Users\Steven C\Downloads\calibre-2.17.0.msi
2015-01-28 16:41 - 2015-01-28 16:41 - 00000000 _____ () C:\Windows\SysWOW64\sho367C.tmp
2015-01-27 18:03 - 2015-01-27 18:03 - 00002892 _____ () C:\Windows\System32\Tasks\Uninstaller_SkipUac_Nancy
2015-01-27 16:10 - 2015-01-27 16:10 - 00000162 ____H () C:\Users\ShawHome\Desktop\~$dem Code test.odt
2015-01-26 22:22 - 2015-01-26 22:22 - 00725280 _____ () C:\Users\Nancy\Downloads\Play (Stage Dive 02) - Kylie Scott.mobi
2015-01-26 22:04 - 2015-01-30 19:36 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-26 21:59 - 2015-02-02 20:04 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-26 21:58 - 2015-02-03 15:33 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-26 21:41 - 2015-01-26 21:59 - 00003898 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-01-26 21:41 - 2015-01-26 21:58 - 00003646 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-26 21:34 - 2015-01-26 21:55 - 00000276 _____ () C:\Users\Nancy\HELP_DECRYPT.URL
2015-01-26 21:34 - 2015-01-26 21:34 - 00000276 _____ () C:\Users\Public\HELP_DECRYPT.URL
2015-01-26 21:33 - 2015-01-26 21:33 - 00000276 _____ () C:\Users\Nancy\Downloads\HELP_DECRYPT.URL
2015-01-26 21:33 - 2015-01-26 21:33 - 00000276 _____ () C:\Users\Nancy\Documents\HELP_DECRYPT.URL
2015-01-24 13:47 - 2015-01-26 21:54 - 00000276 _____ () C:\Users\Nancy\AppData\Roaming\HELP_DECRYPT.URL
2015-01-24 13:47 - 2015-01-26 21:54 - 00000276 _____ () C:\Users\Nancy\AppData\HELP_DECRYPT.URL
2015-01-24 13:43 - 2015-01-26 21:52 - 00000276 _____ () C:\Users\Nancy\AppData\Local\HELP_DECRYPT.URL
2015-01-24 13:31 - 2015-01-26 21:19 - 00000276 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-24 13:16 - 2015-01-28 08:05 - 00000664 _____ () C:\ProgramData\@system.temp
2015-01-24 13:16 - 2015-01-28 08:05 - 00000400 ____H () C:\ProgramData\@system3.att
2015-01-24 13:16 - 2015-01-24 13:16 - 00000480 ____H () C:\Users\Nancy\AppData\Roaming\麽鎒駓覜
2015-01-24 13:15 - 2015-01-28 15:24 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\FrameworkUpdate
2015-01-24 13:14 - 2015-01-24 13:14 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-17 16:06 - 2015-01-31 11:17 - 00002860 _____ () C:\Windows\System32\Tasks\Driver Booster SkipUAC (SYSTEM)
2015-01-15 15:08 - 2014-12-05 22:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-15 15:08 - 2014-12-05 21:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-15 15:08 - 2014-12-05 21:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-14 09:12 - 2014-12-18 21:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 09:12 - 2014-12-18 19:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 09:12 - 2014-12-11 11:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 09:11 - 2014-12-11 23:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 09:11 - 2014-12-11 23:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 09:11 - 2014-12-11 23:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 09:11 - 2014-12-11 23:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 09:11 - 2014-12-11 23:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 09:11 - 2014-12-11 23:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 09:11 - 2014-12-11 23:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-11 07:27 - 2015-01-11 07:27 - 00000000 __SHD () C:\Users\ShawHome\AppData\Local\EmieBrowserModeList
2015-01-04 22:47 - 2015-01-04 22:47 - 00000000 _____ () C:\Windows\SysWOW64\shoA4A7.tmp

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-03 15:55 - 2009-07-13 22:45 - 00031296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-03 15:55 - 2009-07-13 22:45 - 00031296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-03 15:38 - 2012-07-06 07:02 - 01341407 _____ () C:\Windows\WindowsUpdate.log
2015-02-03 15:37 - 2014-12-07 19:37 - 00001855 _____ () C:\Users\Public\Desktop\McAfee Security Center.lnk
2015-02-03 15:37 - 2013-07-21 10:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2015-02-03 15:34 - 2012-07-11 21:55 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-03 15:32 - 2014-12-30 22:01 - 00004256 _____ () C:\Windows\setupact.log
2015-02-03 15:32 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-03 15:29 - 2012-07-06 22:03 - 00000000 ____D () C:\Users\Steven C\AppData\Local\VirtualStore
2015-02-03 15:26 - 2013-08-13 14:08 - 00001108 __RSH () C:\Users\ShawHome\ntuser.pol
2015-02-03 15:26 - 2012-07-06 07:03 - 00000000 ____D () C:\Users\ShawHome
2015-02-02 19:39 - 2013-06-20 16:35 - 00000000 ____D () C:\Users\Steven C\Desktop\321 Useful How To Do It Yourself Books Pack - Mantesh
2015-02-02 19:38 - 2012-07-14 15:46 - 00000000 ____D () C:\Users\Steven C\Documents\Calibre Library
2015-02-01 20:26 - 2012-07-07 14:13 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-02-01 16:11 - 2012-07-06 17:55 - 00000000 ____D () C:\Program Files (x86)\Java
2015-02-01 14:55 - 2014-07-11 18:49 - 00000000 ____D () C:\AdwCleaner
2015-02-01 14:48 - 2014-12-30 22:01 - 00007116 _____ () C:\Windows\PFRO.log
2015-02-01 09:37 - 2013-08-13 15:34 - 00001108 __RSH () C:\Users\Nancy\ntuser.pol
2015-02-01 09:37 - 2012-09-03 20:05 - 00000000 ____D () C:\Users\Nancy
2015-02-01 09:32 - 2012-09-03 20:05 - 00000000 ____D () C:\Users\Nancy\AppData\Local\VirtualStore
2015-01-31 23:26 - 2014-05-16 22:10 - 00000000 ____D () C:\ProgramData\TEMP
2015-01-31 23:25 - 2014-05-16 22:10 - 00000000 ____D () C:\Program Files (x86)\SpywareBlaster
2015-01-30 23:07 - 2013-08-26 19:39 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-01-30 23:06 - 2014-12-18 23:00 - 00000000 ____D () C:\Windows\Minidump
2015-01-30 23:06 - 2011-02-15 03:42 - 00000000 ____D () C:\Windows\Panther
2015-01-30 23:06 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\system32\sysprep
2015-01-30 19:46 - 2013-02-24 17:53 - 00000000 ____D () C:\Users\Nancy\AppData\Local\CrashDumps
2015-01-30 18:33 - 2012-07-08 21:09 - 00000000 ____D () C:\Users\ShawHome\AppData\Roaming\vlc
2015-01-30 16:49 - 2013-03-17 13:14 - 00000000 ____D () C:\Users\Nancy\Documents\Bankruptcy Docs
2015-01-30 16:47 - 2013-03-18 17:50 - 00000000 ____D () C:\Users\Nancy\Documents\Tax Returns
2015-01-30 16:45 - 2014-06-11 14:03 - 00000000 ____D () C:\Users\Nancy\Documents\Recorded Last
2015-01-29 22:04 - 2009-07-13 23:13 - 00783464 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-29 20:12 - 2013-05-21 20:58 - 00000000 ____D () C:\Users\ShawHome\Documents\My Kindle Content
2015-01-29 20:07 - 2010-11-21 01:16 - 00000000 ___RD () C:\Users\Public\Recorded TV
2015-01-29 20:05 - 2012-12-22 07:32 - 00000000 ____D () C:\Users\ShawHome\Downloads\Movies Not Watched
2015-01-29 18:19 - 2014-09-11 15:08 - 00000000 ____D () C:\Users\ShawHome\AppData\Roaming\BitTorrent
2015-01-29 17:54 - 2012-07-08 21:02 - 00000000 ____D () C:\Users\ShawHome\Documents\Calibre Library
2015-01-29 17:30 - 2012-09-29 13:51 - 00000000 ____D () C:\Users\Steven C\AppData\Roaming\vlc
2015-01-29 17:02 - 2012-08-12 14:05 - 00000000 ____D () C:\Users\Steven C\AppData\Local\Windows Live
2015-01-29 17:01 - 2012-07-14 06:35 - 00000000 ____D () C:\Users\Steven C\Documents\Magic Briefcase
2015-01-29 16:08 - 2014-01-11 22:30 - 00000000 ____D () C:\Users\Nancy\Desktop\Diabetic Cooking
2015-01-28 17:02 - 2012-07-23 20:47 - 00000931 _____ () C:\Users\Public\Desktop\calibre - E-book management.lnk
2015-01-28 17:02 - 2012-07-23 20:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2015-01-28 17:02 - 2012-07-23 20:47 - 00000000 ____D () C:\Program Files (x86)\Calibre2
2015-01-27 15:49 - 2014-04-27 12:21 - 00000000 ____D () C:\Users\Nancy\AppData\Local\Windows Live
2015-01-27 06:45 - 2012-07-07 22:41 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-26 22:48 - 2013-05-27 09:40 - 00000000 ____D () C:\Users\ShawHome\Downloads\My Audio
2015-01-26 22:03 - 2012-09-27 06:36 - 00000000 ____D () C:\Users\Nancy\AppData\Local\Google
2015-01-26 21:58 - 2012-02-02 13:04 - 00000000 ____D () C:\Program Files (x86)\Google
2015-01-26 21:55 - 2013-08-18 18:12 - 00000000 ____D () C:\Users\Nancy\AppData\Local\Deployment
2015-01-26 21:54 - 2012-11-04 22:25 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\Mozilla
2015-01-26 21:31 - 2014-05-18 22:31 - 00000000 ____D () C:\Users\Nancy\Documents\Recorded at Work on May 16, 2014
2015-01-26 21:30 - 2014-05-07 21:56 - 00000000 ____D () C:\Users\Nancy\Documents\Recorded at Work on May 07, 2014
2015-01-26 21:30 - 2014-05-01 19:05 - 00000000 ____D () C:\Users\Nancy\Documents\Recorded at Work on May 01, 2014
2015-01-26 21:30 - 2014-04-30 16:46 - 00000000 ____D () C:\Users\Nancy\Documents\Recorded at Work on April 30, 2014
2015-01-26 21:29 - 2014-04-29 17:05 - 00000000 ____D () C:\Users\Nancy\Documents\Recorded at Work on April 29, 2014
2015-01-26 21:27 - 2014-04-27 21:30 - 00000000 ____D () C:\Users\Nancy\Documents\Recorded at Work on April 25, 2014
2015-01-26 21:27 - 2014-04-22 03:06 - 00000000 ____D () C:\Users\Nancy\Documents\Recorded at Work on April 21,2014
2015-01-26 21:25 - 2013-01-01 11:58 - 00000000 ____D () C:\Users\Nancy\Documents\Recipes
2015-01-26 21:24 - 2013-03-18 14:54 - 00000000 ____D () C:\Users\Nancy\Documents\NBC Paystubs
2015-01-26 21:23 - 2013-03-18 15:18 - 00000000 ____D () C:\Users\Nancy\Documents\First Fidelity Statements
2015-01-25 18:31 - 2013-03-23 19:40 - 00000000 ____D () C:\Users\ShawHome\Downloads\Movies Watched
2015-01-25 15:34 - 2012-07-11 21:55 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-25 15:34 - 2012-07-11 21:55 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-25 15:34 - 2012-07-11 21:55 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-25 13:35 - 2014-07-27 07:36 - 00000000 ____D () C:\ProgramData\ProductData
2015-01-24 13:59 - 2013-03-18 14:53 - 00000000 ____D () C:\Users\Nancy\Documents\CVS Paystubs
2015-01-24 13:57 - 2013-03-18 14:40 - 00000000 ____D () C:\Users\Nancy\Documents\CNI Paystubs
2015-01-24 13:56 - 2013-03-10 13:50 - 00000000 ____D () C:\Users\Nancy\Documents\Calibre Library
2015-01-24 13:51 - 2014-01-11 22:34 - 00000000 ____D () C:\Users\Nancy\Desktop\Health Info
2015-01-24 13:48 - 2014-01-11 22:31 - 00000000 ____D () C:\Users\Nancy\Desktop\Diabetic Information
2015-01-24 13:47 - 2013-09-28 05:58 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\vlc
2015-01-24 13:45 - 2014-02-23 17:04 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\Spotify
2015-01-24 13:45 - 2012-09-17 15:43 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\OpenOffice.org
2015-01-24 13:44 - 2013-03-10 13:50 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\calibre
2015-01-24 13:44 - 2013-01-06 07:52 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\ID Vault
2015-01-24 13:44 - 2012-12-01 10:59 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\.minecraft
2015-01-24 13:44 - 2012-09-03 20:06 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\Adobe
2015-01-24 13:43 - 2014-02-23 17:07 - 00000000 ____D () C:\Users\Nancy\AppData\Local\Spotify
2015-01-24 13:43 - 2013-07-16 17:59 - 00000000 ____D () C:\Users\Nancy\AppData\Local\Roblox
2015-01-24 13:39 - 2012-11-04 22:25 - 00000000 ____D () C:\Users\Nancy\AppData\Local\Mozilla
2015-01-24 13:28 - 2012-02-02 12:36 - 00000000 ____D () C:\ProgramData\Lenovo
2015-01-20 23:33 - 2013-01-26 19:03 - 00000000 ____D () C:\Users\ShawHome\Downloads\Book
2015-01-17 16:06 - 2014-07-27 07:35 - 00000000 ____D () C:\Users\Nancy\AppData\Roaming\IObit
2015-01-15 15:00 - 2013-02-28 21:58 - 00000000 ____D () C:\Program Files (x86)\McAfee
2015-01-15 00:06 - 2013-07-17 17:06 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 23:54 - 2012-07-08 02:16 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-14 21:46 - 2014-08-10 12:53 - 00002860 _____ () C:\Windows\System32\Tasks\Driver Booster SkipUAC (ShawHome)
2015-01-12 16:37 - 2013-09-11 14:11 - 00030496 _____ () C:\Users\Nancy\Documents\XXXXXXXX - Copy.xls
2015-01-11 08:56 - 2012-07-07 13:54 - 00000000 ____D () C:\Users\ShawHome\AppData\Local\CrashDumps
2015-01-09 16:19 - 2009-07-13 23:08 - 00032652 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

==================== Files in the root of some directories =======

2013-01-13 09:18 - 2013-01-13 09:18 - 0000288 _____ () C:\Users\ShawHome\AppData\Roaming\.backup.dm
2014-12-03 23:19 - 2014-12-03 23:19 - 0007618 _____ () C:\Users\ShawHome\AppData\Local\Resmon.ResmonCfg
2015-01-24 13:16 - 2015-01-28 08:05 - 0000664 _____ () C:\ProgramData\@system.temp
2015-01-24 13:16 - 2015-01-28 08:05 - 0000400 ____H () C:\ProgramData\@system3.att
2015-01-24 13:31 - 2015-01-26 21:19 - 0045593 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-24 13:31 - 2015-01-26 21:19 - 0000276 _____ () C:\ProgramData\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Users\Nancy\AppData\Local\Temp\eblinstaller.exe
C:\Users\Nancy\AppData\Local\Temp\k8jgv27h.dll
C:\Users\Nancy\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Nancy\AppData\Local\Temp\vlc-2.1.5-win32.exe
C:\Users\ShawHome\AppData\Local\Temp\Quarantine.exe
C:\Users\ShawHome\AppData\Local\Temp\sqlite3.dll
C:\Users\Steven C\AppData\Local\Temp\cztl1otd.dll
C:\Users\Steven C\AppData\Local\Temp\dp-qfwtz.dll
C:\Users\Steven C\AppData\Local\Temp\_zfesf1z.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-24 12:00

==================== End Of Log ============================



Edited by nasdaq, 04 February 2015 - 10:43 AM.
FRST log posted.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:15 AM

Posted 04 February 2015 - 10:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
InternetURL: C:\Users\Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/1axUke2
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> {92A6749F-E848-4510-958A-2E2FE2BF7474} URL = https://www.google.com/search?q={searchTerms}
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\j2re1.4.2\bin\ssv.dll No File
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\j2re1.4.2\bin\jp2ssv.dll No File
Toolbar: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-612788510-4205522902-714117695-1005 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: HKLM-x32 {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\dtplugin\npDeployJava1.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3310031&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SPB3110C72-1026-4765-965A-AF4C686859C9&SSPV="
CHR DefaultSearchKeyword: Default -> conduit.search
CHR Extension: (Google Wallet) - C:\Users\ShawHome\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-18]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path
S2 vToolbarUpdater18.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\ToolbarUpdater.exe [X]
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 keycrypt; system32\DRIVERS\KeyCrypt64.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
HKLM\...\.exe: CryptoPreventEXE => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" /"%1" %* <===== ATTENTION!
HKU\S-1-5-21-612788510-4205522902-714117695-1000\Software\Classes\.exe: exefile =>  <===== ATTENTION!
C:\Windows\SysWOW64\shoA4A7.tmp
C:\ProgramData\HELP_DECRYPT.PNG
C:\ProgramData\HELP_DECRYPT.URL
C:\Users\Nancy\AppData\Local\Temp\eblinstaller.exe
C:\Users\Nancy\AppData\Local\Temp\k8jgv27h.dll
C:\Users\Steven C\AppData\Local\Temp\cztl1otd.dll
C:\Users\Steven C\AppData\Local\Temp\dp-qfwtz.dll
C:\Users\Steven C\AppData\Local\Temp\_zfesf1z.dll

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
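The triage behind the fixlist above (spot every HELP_DECRYPT entry in the FRST log, note when the notes were dropped, and turn the hits into fixlist lines) can be scripted. The following is an added example, not code from this thread or from FRST's author; the sample log lines are constructed to mirror the log posted here, with the ransom-note URL replaced by a placeholder.

```python
import re
from datetime import datetime

# Constructed sample in FRST's format, modelled on this thread's log (note URL replaced by a placeholder).
SAMPLE_LOG = """\
Startup: C:\\Users\\Nancy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HELP_DECRYPT.PNG ()
InternetURL: C:\\Users\\Nancy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HELP_DECRYPT.URL -> hxxp://PLACEHOLDER.invalid/note
2015-01-24 13:31 - 2015-01-26 21:19 - 0045593 _____ () C:\\ProgramData\\HELP_DECRYPT.PNG
2015-01-24 13:31 - 2015-01-26 21:19 - 0000276 _____ () C:\\ProgramData\\HELP_DECRYPT.URL
2015-01-25 15:34 - 2012-07-11 21:55 - 00701616 _____ (Adobe Systems Incorporated) C:\\Windows\\SysWOW64\\FlashPlayerApp.exe
"""

# CryptoWall drops a HELP_DECRYPT.* note into each folder it encrypts, so any line naming one marks a touched location.
NOTE_RE = re.compile(r"HELP_DECRYPT\.[A-Za-z]+")
# FRST file-listing line: "<created> - <modified> - <size> <attrs> (<signer>) <path>"
LISTING_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ \S+ \(.*?\) (.+)$")

def find_ransom_notes(log_text: str) -> list:
    """Return each log line naming a ransom note, tagged by how FRST reported it."""
    hits = []
    for line in log_text.splitlines():
        if not NOTE_RE.search(line):
            continue
        m = LISTING_RE.match(line)
        if m:  # plain file listing: keep the creation time and the bare path
            hits.append({"kind": "file", "line": line, "created": m.group(1), "path": m.group(2)})
        else:  # keyed entry such as "Startup:" or "InternetURL:"; the key is the kind
            hits.append({"kind": line.split(":", 1)[0], "line": line, "created": None, "path": None})
    return hits

def infection_window(hits):
    """Earliest note creation time (datetime or None): encryption began no later than this."""
    times = [datetime.strptime(h["created"], "%Y-%m-%d %H:%M") for h in hits if h["created"]]
    return min(times) if times else None

def build_fixlist(hits) -> str:
    """Draft fixlist in the thread's convention: a keyed log line copied verbatim removes
    that entry, a bare path deletes the file. A helper still reviews it before running it."""
    body = ["CloseProcesses:"]
    body += [h["line"] for h in hits if h["kind"] != "file"]
    body += [h["path"] for h in hits if h["kind"] == "file"]
    return "\n".join(body)

if __name__ == "__main__":
    found = find_ransom_notes(SAMPLE_LOG)
    print(len(found), "note entries; earliest:", infection_window(found))
    print(build_fixlist(found))
```

The earliest note timestamp is the useful date when deciding which backups or shadow copies predate the encryption run.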

#3 okcitian

okcitian
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:15 AM

Posted 04 February 2015 - 11:55 AM

Hi nasdaq,

I appreciate you taking time to help me. I am at work now, but I will follow your instructions as soon as I get home. Once again, thanks!



#4 okcitian

okcitian
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:15 AM

Posted 04 February 2015 - 04:58 PM

nasdaq,

I have a silly question:

"Save the files as fixlist.txt into the same folder as FRST".

Do you mean add fixlist.txt to the end of FRST.txt?

I want to be sure that is what you want and that you don't want me to do anything with the FRST64 other than run as admin when fixlist.txt is right behind the FRST.txt.

I have FRST.txt and Addition.txt as text files on the desktop. Neither are in folders but are standing alone.

Sorry to be so dense.

Steve



#5 okcitian

okcitian
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:15 AM

Posted 04 February 2015 - 05:08 PM

nasdaq,

And if it is after the FRST file that I sent to you, would you want me to add it directly after the "end of log"?

Thank you.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:15 AM

Posted 05 February 2015 - 09:50 AM

You are running the Farbar tool from C:\Users\Nancy\Desktop

Keep in mind that the Desktop is also a folder.
So save the FixList.txt to your desktop. Run the tool and select the Fix button.

A log will open; post the content in your next reply.

How is the computer running now?

#7 okcitian

okcitian
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:15 AM

Posted 05 February 2015 - 07:01 PM

nasdaq,

I am able to log in using her account without the photo viewer showing an error and without the URL going to the ransom URL page. Before you started helping me, I deleted Google Chrome and turned off Internet Explorer. Will they be OK to install and turn back on? I am attaching the fixlog and checkup files for you. Please let me know if you need anything else. As always, thank you very much!

Results of screen317's Security Check version 0.99.96
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
AVG Internet Security 2015
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
SpywareBlaster 5.0
Spybot - Search & Destroy
McAfee SiteAdvisor
AVG PC TuneUp 2015
AVG Web TuneUp
AVG PC TuneUp 2015 (en-US)
AVG PC TuneUp 2015
Java 2 Runtime Environment, SE v1.4.2
Java version 32-bit out of Date!
Java 64-bit 8 Update 31
Adobe Flash Player 16.0.0.305
Adobe Reader XI
Mozilla Firefox (35.0.1)
Google Chrome (40.0.2214.94)
````````Process Check: objlist.exe by Laurent````````
Spybot Teatimer.exe is disabled!
AVG avgwdsvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``



Edited by nasdaq, 06 February 2015 - 08:38 AM.
Security check log posted.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:15 AM

Posted 06 February 2015 - 08:40 AM


Will they be OK to install and turn back on?

Yes.

If IE is still acting up, reset it.

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

Remove this old version of Java 2 Runtime Environment, SE v1.4.2 using the Add/Remove programs applet.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#9 okcitian

okcitian
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:15 AM

Posted 06 February 2015 - 11:06 AM

nasdaq,

Thank you for all your help! You are doing a wonderful service for a lot of users. And we do appreciate you!!



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,909 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:15 AM

Posted 07 February 2015 - 08:21 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



