Please Help Create Fixlist.txt to remove Cryptowall 3.0


This topic is locked
22 replies to this topic

#1 juad

Posted 10 February 2015 - 01:55 PM

Hi,

My Windows 7 64-bit PC is infected with Cryptowall 3.0. I understand encrypted documents cannot be recovered. So far, though, it has not encrypted other user accounts' documents on the same machine that I know of; only the user that downloaded the Trojan seems to have gotten all documents encrypted. Before I knew exactly what it was, I ran MBAM and that removed some malware that was present. I later ran ComboFix and that deleted other items as well. I ran SUPERAntiSpyware next and that found nothing, but I continued getting the pop-up message. I downloaded and ran FRST yesterday from Safe Mode, as I'm able to boot up fine. I need help creating a Fixlist.txt from some of the more experienced malware experts. Below are the FRST log and Addition log. Thanks a bunch.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-02-2015
Ran by LIZA1 (administrator) on LIZA1-PC on 09-02-2015 17:27:53
Running from D:\FRST
Loaded Profiles: LIZA1 (Available profiles: LIZA1 & DANAE & ManuelGerardo)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Symantec Corporation) C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [picon] => C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [796696 2009-07-21] (Intel Corporation)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [1712672 2009-07-08] ()
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2710856 2009-11-01] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] => C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-09-03] (CANON INC.)
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)
HKLM-x32\...\Run: [ccApp] => C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe [115624 2012-10-25] (Symantec Corporation)
HKLM-x32\...\Run: [IJNetworkScanUtility] => C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [140640 2009-09-28] (CANON INC.)
HKLM-x32\...\Run: [AgentMonitor] => C:\Program Files (x86)\VTech\DownloadManager\System\AgentMonitor.exe [401280 2014-06-20] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKLM-x32\...\Run: [Acrobat Assistant 7.0] => C:\CS2\Adobe Acrobat 7.0\Distillr\Acrotray.exe [483328 2004-12-14] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/Yi94b0
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
GroupPolicyUsers\S-1-5-21-785029809-3937339692-3893416616-1004\User: Group Policy restriction detected <======= ATTENTION
GroupPolicyUsers\S-1-5-21-785029809-3937339692-3893416616-1003\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\CS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\CS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-785029809-3937339692-3893416616-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 209.18.47.61 209.18.47.62
 
FireFox:
========
FF ProfilePath: C:\Users\LIZA1\AppData\Roaming\Mozilla\Firefox\Profiles\z5beaip3.default-1383851963037
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: 20-20 3D Viewer - IKEA - C:\Users\LIZA1\AppData\Roaming\Mozilla\Firefox\Profiles\z5beaip3.default-1383851963037\Extensions\2020Player_IKEA@2020Technologies.com [2014-07-01]
FF Extension: Block site - C:\Users\LIZA1\AppData\Roaming\Mozilla\Firefox\Profiles\z5beaip3.default-1383851963037\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2014-06-16]
FF Extension: Disable CSS - C:\Users\LIZA1\AppData\Roaming\Mozilla\Firefox\Profiles\z5beaip3.default-1383851963037\Extensions\jid0-1VwU0d7h7azvou6XbFWe9tmQyoQ@jetpack.xpi [2014-02-11]
FF Extension: Web Developer - C:\Users\LIZA1\AppData\Roaming\Mozilla\Firefox\Profiles\z5beaip3.default-1383851963037\Extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi [2014-02-11]
 
Chrome: 
=======
CHR Profile: C:\Users\LIZA1\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\LIZA1\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-04]
CHR Extension: (Google Wallet) - C:\Users\LIZA1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-14]
CHR HKLM-x32\...\Chrome\Extension: [lcnnhcneegeeojhgpfijnlnocjdmlaon] - C:\ProgramData\ValueApps\CH\ValueApps.crx [2014-01-10]
CHR HKLM-x32\...\Chrome\Extension: [llohkdhljoeoekfieamifonacjllceol] - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta592\ch\VideoPlayerV3beta592.crx [Not Found]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-09-25] (SUPERAntiSpyware.com)
S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2013-06-04] (Adobe Systems) [File not signed]
S2 bckwfs; C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [2647256 2014-01-24] (Blue Coat Systems, Inc.)
R2 ccEvtMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-10-25] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-10-25] (Symantec Corporation)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2011-02-07] (Symantec Corporation)
S2 LMS; C:\Program Files (x86)\Intel\AMT\LMS.exe [174616 2009-07-21] (Intel Corporation)
S2 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe [3250392 2012-10-25] (Symantec Corporation)
S4 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE [428976 2012-10-25] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1846592 2012-10-25] (Symantec Corporation)
S2 UNS; C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-21] (Intel Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 bckd; C:\Windows\System32\drivers\bckd.sys [126168 2014-01-24] (Blue Coat Systems, Inc.)
S3 e1kexpress; C:\Windows\System32\DRIVERS\e1k60x64.sys [220672 2009-06-10] (Intel Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-11-25] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-12-15] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Symantec\Definitions\VirusDefs\20150105.019\ENG64.SYS [129752 2014-12-15] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Symantec\Definitions\VirusDefs\20150105.019\EX64.SYS [2137304 2014-12-15] (Symantec Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SMR430; C:\Windows\System32\drivers\SMR430.SYS [108216 2015-02-06] (Symantec Corporation)
S1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [453240 2012-10-25] (Symantec Corporation)
S1 SRTSP; C:\Windows\SysWOW64\Drivers\SRTSP64.SYS [453240 2012-10-25] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [482424 2012-10-25] (Symantec Corporation)
S3 SRTSPL; C:\Windows\SysWOW64\Drivers\SRTSPL64.SYS [482424 2012-10-25] (Symantec Corporation)
S1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32376 2012-10-25] (Symantec Corporation)
S1 SRTSPX; C:\Windows\SysWOW64\Drivers\SRTSPX64.SYS [32376 2012-10-25] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2013-06-04] (Symantec Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S0 sjfp; System32\drivers\npub.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-09 17:27 - 2015-02-09 17:27 - 00000000 ____D () C:\FRST
2015-02-06 21:58 - 2015-02-06 21:59 - 00108216 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SMR430.SYS
2015-02-06 21:58 - 2015-02-06 21:59 - 00000020 _____ () C:\Windows\system32\Drivers\SMR430.dat
2015-02-06 21:42 - 2015-02-06 21:51 - 00000000 ____D () C:\NPE
2015-02-06 21:41 - 2015-02-06 21:56 - 00000000 ____D () C:\Users\LIZA1\AppData\Local\NPE
2015-02-06 21:41 - 2015-02-06 21:41 - 03060320 ____N (Symantec Corporation) C:\Users\LIZA1\Downloads\NPE.exe
2015-02-06 21:41 - 2015-02-06 21:41 - 00000000 ____D () C:\ProgramData\Norton
2015-02-06 16:15 - 2015-02-06 16:15 - 00000000 ____D () C:\Users\LIZA1\Downloads\Kaspersky Rescue2Usb
2015-02-06 16:09 - 2015-02-06 16:09 - 00387584 _____ () C:\Users\LIZA1\Downloads\rescue2usb.exe
2015-02-06 16:07 - 2015-02-06 16:11 - 317419520 _____ () C:\Users\LIZA1\Downloads\kav_rescue_10.iso
2015-02-06 15:55 - 2015-02-06 15:55 - 00852594 _____ () C:\Users\LIZA1\Downloads\SecurityCheck.exe
2015-02-06 15:01 - 2015-02-06 15:01 - 00021383 _____ () C:\ComboFix.txt
2015-02-06 14:46 - 2015-02-06 14:46 - 05611380 ____R (Swearware) C:\Users\LIZA1\Desktop\ComboFix.exe
2015-02-06 11:34 - 2015-02-06 11:34 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-06 10:19 - 2015-02-06 12:17 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2015-02-04 17:44 - 2015-02-04 17:44 - 05070512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-02-01 16:04 - 2015-02-01 16:04 - 00525536 _____ () C:\Windows\Minidump\020115-39421-01.dmp
2015-02-01 15:48 - 2015-02-01 15:48 - 00549160 _____ () C:\Windows\Minidump\020115-40544-01.dmp
2015-02-01 09:54 - 2015-02-01 09:54 - 00881560 _____ () C:\Windows\Minidump\020115-39967-01.dmp
2015-01-31 18:31 - 2015-01-31 18:31 - 00539160 _____ () C:\Windows\Minidump\013115-39390-01.dmp
2015-01-31 18:21 - 2015-01-31 18:21 - 00719600 _____ () C:\Windows\Minidump\013115-40263-01.dmp
2015-01-31 13:46 - 2015-01-31 13:46 - 00914176 _____ () C:\Windows\Minidump\013115-39296-01.dmp
2015-01-30 19:37 - 2015-01-30 19:37 - 00790008 _____ () C:\Windows\Minidump\013015-26286-01.dmp
2015-01-30 19:29 - 2015-01-30 19:29 - 00923144 _____ () C:\Windows\Minidump\013015-25131-01.dmp
2015-01-28 22:15 - 2015-01-28 22:15 - 00072608 _____ () C:\Users\ManuelGerardo\Downloads\FLVPlayer-Chrome.exe
2015-01-28 22:15 - 2015-01-28 22:15 - 00000800 _____ () C:\Users\ManuelGerardo\Desktop\FLVPlayer.lnk
2015-01-28 22:15 - 2015-01-28 22:15 - 00000000 ____D () C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FLVPlayer
2015-01-26 22:02 - 2015-01-26 22:02 - 00839984 _____ () C:\Windows\Minidump\012615-29374-01.dmp
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\Public\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\Public\Documents\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\ManuelGerardo\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\Public\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\Public\Documents\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\ManuelGerardo\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\Public\HELP_DECRYPT.URL
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\Public\Documents\HELP_DECRYPT.URL
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\ManuelGerardo\HELP_DECRYPT.URL
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.URL
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.URL
2015-01-25 10:12 - 2015-01-25 10:12 - 00001248 _____ () C:\Users\ManuelGerardo\AppData\Roaming\DDWJWDY
2015-01-24 15:34 - 2015-01-24 15:34 - 00008528 _____ () C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-24 15:34 - 2015-01-24 15:34 - 00008528 _____ () C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.HTML
2015-01-24 15:34 - 2015-01-24 15:34 - 00008528 _____ () C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.HTML
2015-01-24 15:34 - 2015-01-24 15:34 - 00004204 _____ () C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-24 15:34 - 2015-01-24 15:34 - 00004204 _____ () C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.TXT
2015-01-24 15:34 - 2015-01-24 15:34 - 00004204 _____ () C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.TXT
2015-01-24 15:34 - 2015-01-24 15:34 - 00000272 _____ () C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.URL
2015-01-24 15:34 - 2015-01-24 15:34 - 00000272 _____ () C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.URL
2015-01-24 15:34 - 2015-01-24 15:34 - 00000272 _____ () C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.URL
2015-01-24 15:31 - 2015-01-24 15:31 - 00008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-24 15:31 - 2015-01-24 15:31 - 00004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-24 15:31 - 2015-01-24 15:31 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-24 15:24 - 2015-02-01 15:50 - 00000648 _____ () C:\ProgramData\@system.temp
2015-01-24 15:23 - 2015-02-02 22:00 - 00000000 ____D () C:\Users\ManuelGerardo\AppData\Roaming\FrameworkUpdate
2015-01-24 15:23 - 2015-01-24 15:23 - 00000480 ____H () C:\Users\ManuelGerardo\AppData\Roaming\麽鎒駓覜
2015-01-24 15:22 - 2015-01-24 15:22 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-22 17:39 - 2015-01-22 17:39 - 00889344 _____ () C:\Windows\Minidump\012215-28220-01.dmp
2015-01-22 17:31 - 2015-01-22 17:32 - 01296352 _____ () C:\Windows\Minidump\012215-34991-01.dmp
2015-01-18 16:23 - 2015-01-18 16:23 - 00000000 ____H () C:\Users\LIZA1\Documents\Default.rdp
2015-01-18 16:00 - 2015-02-01 16:04 - 00000000 ____D () C:\Windows\Minidump
2015-01-18 16:00 - 2015-01-18 16:00 - 00552392 _____ () C:\Windows\Minidump\011815-35849-01.dmp
2015-01-18 15:30 - 2014-12-11 11:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-18 15:30 - 2014-12-05 22:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-18 15:30 - 2014-12-05 21:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-18 15:30 - 2014-12-05 21:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-18 15:30 - 2013-04-09 17:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2015-01-18 15:30 - 2013-04-02 16:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-01-17 14:05 - 2015-02-06 21:57 - 00004750 _____ () C:\Windows\setupact.log
2015-01-17 14:05 - 2015-01-17 14:05 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-17 14:01 - 2015-01-17 14:04 - 00000000 ____D () C:\Users\LIZA1\AppData\Local\Unity
2015-01-17 13:58 - 2014-12-18 21:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-17 13:58 - 2014-12-18 19:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-17 13:58 - 2014-12-11 23:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-17 13:58 - 2014-12-11 23:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-17 13:58 - 2014-12-11 23:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-17 13:58 - 2014-12-11 23:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-17 13:58 - 2014-12-11 23:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-17 13:58 - 2014-12-11 23:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-17 13:58 - 2014-12-11 23:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-08 04:46 - 2013-06-04 16:10 - 01882669 _____ () C:\Windows\WindowsUpdate.log
2015-02-08 04:44 - 2013-06-04 20:44 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-08 04:05 - 2013-06-26 06:33 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-07 16:44 - 2013-06-26 06:33 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-07 13:26 - 2009-07-13 22:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-07 13:26 - 2009-07-13 22:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-06 22:06 - 2013-09-14 17:58 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-02-06 21:57 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-06 21:54 - 2009-07-13 23:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-06 18:23 - 2014-07-12 00:17 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-06 15:11 - 2013-06-04 20:44 - 00000000 ____D () C:\Users\LIZA1\AppData\Roaming\Adobe
2015-02-06 15:02 - 2013-06-04 20:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-06 15:02 - 2010-11-20 21:47 - 00304164 _____ () C:\Windows\PFRO.log
2015-02-06 15:01 - 2013-12-25 23:01 - 00000000 ____D () C:\Qoobox
2015-02-06 14:59 - 2009-07-13 20:34 - 00000215 _____ () C:\Windows\system.ini
2015-02-06 13:35 - 2013-08-04 01:46 - 00000000 ____D () C:\Users\LIZA1\Desktop\pictures to print out
2015-02-06 00:52 - 2013-06-26 06:33 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-05 12:46 - 2013-06-26 06:33 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-05 12:46 - 2013-06-26 06:33 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-04 17:44 - 2013-06-04 20:44 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-04 17:44 - 2013-06-04 20:44 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-04 17:44 - 2013-06-04 20:44 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-03 21:10 - 2014-10-22 17:35 - 00000000 ____D () C:\Users\ManuelGerardo\Desktop\Movies
2015-02-01 15:37 - 2014-06-26 19:52 - 00000000 ____D () C:\Program Files\Blue Coat K9 Web Protection
2015-01-28 23:49 - 2014-12-02 22:28 - 00044032 ___SH () C:\Users\LIZA1\Desktop\Thumbs.db
2015-01-26 23:37 - 2014-09-18 17:57 - 00000000 ____D () C:\Users\ManuelGerardo\AppData\Roaming\Smilebox
2015-01-26 21:45 - 2014-08-22 12:14 - 00000000 ____D () C:\Users\ManuelGerardo
2015-01-26 21:45 - 2013-06-04 20:58 - 00000000 ____D () C:\Users\Public\Documents\Adobe PDF
2015-01-24 15:34 - 2014-11-30 21:47 - 00000000 ____D () C:\Users\ManuelGerardo\AppData\Roaming\Roxio
2015-01-24 15:34 - 2014-09-03 18:59 - 00000000 ____D () C:\Users\ManuelGerardo\AppData\Roaming\SUPERAntiSpyware.com
2015-01-24 15:34 - 2014-08-22 12:14 - 00000000 ____D () C:\Users\ManuelGerardo\AppData\Roaming\Adobe
2015-01-24 15:34 - 2014-08-22 12:14 - 00000000 ____D () C:\Users\ManuelGerardo\AppData\Local\Google
2015-01-24 15:31 - 2014-08-22 19:29 - 00000000 ____D () C:\Users\ManuelGerardo\AppData\Local\Apple Computer
2015-01-24 15:31 - 2013-06-04 21:25 - 00000000 ___HD () C:\ProgramData\CanonBJ
2015-01-24 15:31 - 2013-06-04 20:58 - 00000000 ____D () C:\ProgramData\Adobe
2015-01-24 15:31 - 2013-06-04 20:56 - 00000000 ____D () C:\CS2
2015-01-18 19:30 - 2009-07-13 23:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-01-18 15:38 - 2013-07-15 02:00 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-18 15:31 - 2013-06-04 21:58 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
==================== Files in the root of some directories =======
 
2014-01-28 14:39 - 2014-01-28 14:39 - 0000000 _____ () C:\Users\LIZA1\AppData\Roaming\pdfconverter
2013-06-10 21:28 - 2013-11-15 19:41 - 0000581 _____ () C:\Users\LIZA1\AppData\Local\cookies.ini
2015-01-24 15:24 - 2015-02-01 15:50 - 0000648 _____ () C:\ProgramData\@system.temp
2015-01-24 15:31 - 2015-01-24 15:31 - 0008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-24 15:31 - 2015-01-24 15:31 - 0045509 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-24 15:31 - 2015-01-24 15:31 - 0004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-24 15:31 - 2015-01-24 15:31 - 0000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
 
Files to move or delete:
====================
C:\Users\LIZA1\CTX.DAT
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-03 00:18
 
==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 08-02-2015
Ran by LIZA1 at 2015-02-09 17:28:30
Running from D:\FRST
Boot Mode: Safe Mode (minimal)
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Symantec Endpoint Protection (Disabled - Out of date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Symantec Endpoint Protection (Disabled - Out of date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-785029809-3937339692-3893416616-1000\...\uTorrent) (Version: 3.4.1.30740 - BitTorrent Inc.)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.8.0.1430 - Adobe Systems Incorporated)
Adobe Creative Suite 2 (HKLM-x32\...\{0134A1A1-C283-4A47-91A1-92F19F960372}) (Version:  - )
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Adobe SVG Viewer 3.0 (HKLM-x32\...\Adobe SVG Viewer) (Version:  3.0 - Adobe Systems, Inc.)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2F72F540-1F60-4266-9506-952B21D6640D}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Blue Coat K9 Web Protection (HKLM\...\Blue Coat K9 Web Protection) (Version: 4.4.276 - Blue Coat Systems, Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Canon IJ Network Scan Utility (HKLM-x32\...\Canon_IJ_Network_Scan_UTILITY) (Version:  - )
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version:  - )
Canon MP Navigator EX 3.1 (HKLM-x32\...\MP Navigator EX 3.1) (Version:  - )
Canon MX340 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX340_series) (Version:  - )
Canon MX340 series User Registration (HKLM-x32\...\Canon MX340 series User Registration) (Version:  - )
Canon Speed Dial Utility (HKLM-x32\...\Speed Dial Utility) (Version:  - )
Canon Utilities Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version:  - )
Canon Utilities My Printer (HKLM-x32\...\CanonMyPrinter) (Version:  - )
Canon Utilities Solution Menu (HKLM-x32\...\CanonSolutionMenu) (Version:  - )
Dell Resource CD (HKLM-x32\...\{42929F0F-CE14-47AF-9FC7-FF297A603021}) (Version: 1.00.0000 - Dell Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.111 - Google Inc.)
Google Earth Plug-in (HKLM-x32\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Intel® Management Engine Interface (HKLM\...\HECI) (Version:  - Intel Corporation)
Intel® Active Management Technology (HKLM\...\MESOL) (Version:  - Intel Corporation)
iTunes (HKLM\...\{427174C0-096E-40D9-9684-9C109BEE2CBF}) (Version: 11.0.5.5 - Apple Inc.)
Java 7 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.250 - Oracle)
Jobulator (HKLM-x32\...\Jobulator) (Version: 3.07 - Frontline Technologies)
Jobulator (x32 Version: 3.07 - Frontline Technologies) Hidden
Learning Lodge™ (HKLM-x32\...\VTechDownloadManager) (Version:  - VTech)
LiveUpdate 3.3 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.3.0.102 - Symantec Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 35.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 35.0.1 (x86 en-US)) (Version: 35.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.4 - NVIDIA Corporation)
NVIDIA nView Desktop Manager (HKLM\...\NVIDIA nView Desktop Manager) (Version: 125.14 - NVIDIA Corporation)
Roxio Creator DE 10.3 (HKLM-x32\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.3 - Roxio)
SoundMAX (HKLM-x32\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 6.10.2.7250 - Analog Devices)
Suite Specific (x32 Version: 2.0.0 - Adobe Systems, Incorporated) Hidden
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.6.1032 - SUPERAntiSpyware.com)
Symantec Endpoint Protection (HKLM\...\{5C75DA6D-F5E3-4D4B-A381-B52B8CA5B1CF}) (Version: 11.0.7000.975 - Symantec Corporation)
TeamViewer 8 (HKLM-x32\...\TeamViewer 8) (Version: 8.0.26038 - TeamViewer)
TimeStamp 1.30 (HKLM-x32\...\TimeStamp) (Version: 1.30 - Orange Lamp Software Solutions)
ValueApps (HKLM-x32\...\ValueApps) (Version: 1.1.1.1 - Conduit LTD) <==== ATTENTION
VTech Download Agent Library (x32 Version: 1.00.0000 - VTech) Hidden
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
06-02-2015 20:12:02 Scheduled Checkpoint
06-02-2015 21:56:04 Norton_Power_Eraser_20150206215603290
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 20:34 - 2015-02-06 14:59 - 00000027 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {0974B216-389A-4DFD-AA33-0D02838A4F0A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-26] (Google Inc.)
Task: {13F57EF6-79E3-43F6-BD94-E73238BAFCC7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-04] (Adobe Systems Incorporated)
Task: {1BDD39E9-2D37-46E3-AADB-7891AAD05BF6} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {46A7C48C-292E-4A2E-88F5-E3FDDB2E3F70} - \Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 No Task File <==== ATTENTION
Task: {7086475A-79FA-4AE3-9037-E899444CDEBC} - \Advanced System Protector No Task File <==== ATTENTION
Task: {87C8B034-7335-4E6E-8644-7D7F372D5B17} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe <==== ATTENTION
Task: {A603DDD8-05A3-4341-9EEF-397CD0006EEF} - \Advanced System Protector_startup No Task File <==== ATTENTION
Task: {C0335A86-0899-4A5D-9ABE-B655ED99BE2C} - \RegClean Pro No Task File <==== ATTENTION
Task: {C59BB5DE-1F2F-4CD2-B268-D1BD26EABA86} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-26] (Google Inc.)
Task: {EDD185F0-7F87-4DCA-A936-B09D795A7367} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) ==============
 
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Registry Areas =====================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\LIZA1\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-785029809-3937339692-3893416616-500 - Administrator - Disabled)
DANAE (S-1-5-21-785029809-3937339692-3893416616-1003 - Limited - Enabled) => C:\Users\DANAE
Guest (S-1-5-21-785029809-3937339692-3893416616-501 - Administrator - Disabled)
HomeGroupUser$ (S-1-5-21-785029809-3937339692-3893416616-1002 - Administrator - Enabled)
LIZA1 (S-1-5-21-785029809-3937339692-3893416616-1000 - Administrator - Enabled) => C:\Users\LIZA1
ManuelGerardo (S-1-5-21-785029809-3937339692-3893416616-1004 - Limited - Enabled) => C:\Users\ManuelGerardo
 
==================== Faulty Device Manager Devices =============
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/09/2015 05:27:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/07/2015 10:00:00 PM) (Source: Customer Experience Improvement Program) (EventID: 1006) (User: )
Description: 80004005
 
Error: (02/07/2015 03:00:02 AM) (Source: Customer Experience Improvement Program) (EventID: 1006) (User: )
Description: 80004005
 
Error: (02/06/2015 09:58:57 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/06/2015 09:48:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/06/2015 09:44:09 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/06/2015 09:08:13 PM) (Source: SescLU) (EventID: 13) (User: )
Description: LiveUpdate returned a non-critical error.  Available content updates may have failed to install.
 
Error: (02/06/2015 06:20:57 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/06/2015 03:06:55 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Photoshop.exe version 9.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 804
 
Start Time: 01d04250af3db405
 
Termination Time: 16
 
Application Path: C:\CS2\Adobe Photoshop CS2\Photoshop.exe
 
Report Id: 0f9b6d04-ae44-11e4-8511-0024e8434f2a
 
Error: (02/06/2015 03:04:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (02/09/2015 05:27:13 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (02/09/2015 05:27:13 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}
 
Error: (02/09/2015 05:27:13 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}
 
Error: (02/09/2015 05:26:13 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (02/09/2015 05:26:13 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (02/09/2015 05:26:13 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (02/09/2015 05:26:13 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (02/09/2015 05:26:13 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (02/09/2015 05:26:12 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (02/09/2015 05:26:12 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}
 
 
Microsoft Office Sessions:
=========================
Error: (08/19/2014 11:13:42 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 14 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (07/01/2014 08:29:11 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 10 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (05/23/2014 10:19:05 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 11 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (05/12/2014 08:09:19 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 21 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (02/24/2014 08:40:03 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 10 seconds with 0 seconds of active time.  This session ended with a crash.
 
 
CodeIntegrity Errors:
===================================
  Date: 2015-02-06 14:55:08.071
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-02-06 14:55:08.040
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-02-06 14:55:08.024
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-02-06 14:55:08.009
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-04-30 19:45:17.111
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-04-30 19:45:17.080
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU E8600 @ 3.33GHz
Percentage of memory in use: 8%
Total physical RAM: 8027.59 MB
Available physical RAM: 7306.5 MB
Total Pagefile: 16053.37 MB
Available Pagefile: 15272.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:148.87 GB) (Free:22.69 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Removable) (Total:14.9 GB) (Free:14.56 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: A42D04A3)
Partition 1: (Not Active) - (Size=141 MB) - (Type=DE)
Partition 2: (Active) - (Size=148.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 5 (Size: 14.9 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================

 



#2 olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:02:26 AM

Posted 10 February 2015 - 05:29 PM

Hello juad and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

  • Please open the computer as administrator. How to open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks

---------------------------------------------------------------------------------------------------------

 

Are you still with us?

 

Have a nice day.

 


Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

#3 juad

  • Topic Starter
  • Members
  • 12 posts
  • Local time:04:26 PM

Posted 10 February 2015 - 05:43 PM

As Administrator I can open the computer just fine.  I do not get any pop ups.  I can access my files and browse the internet.  I realized that the PC was infected because when I was logged in as administrator, I was attempting to open Photoshop and received error messages when attempting to open.  I then logged in as a regular user to test Photoshop and that is when I noticed the popup saying basically that the files had been encrypted and that I had to pay money to have access to them again.  Fortunately, it appears that the only files that were encrypted were those from the user account that got the infection and not the Administrator.  I have disabled the AntiVirus/AntiSpyware applications.  Thank you.



#4 olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:02:26 AM

Posted 10 February 2015 - 06:45 PM

Hi juad,

As Administrator I can open the computer just fine.  I do not get any pop ups.  I can access my files and browse the internet.  I realized that the PC was infected because when I was logged in as administrator, I was attempting to open Photoshop and received error messages when attempting to open.  I then logged in as a regular user to test Photoshop and that is when I noticed the popup saying basically that the files had been encrypted and that I had to pay money to have access to them again.  Fortunately, it appears that the only files that were encrypted were those from the user account that got the infection and not the Administrator.  I have disabled the AntiVirus/AntiSpyware applications.  Thank you.

I understand.

We can only clear the virus. Recovering the files is not possible.
Shall we continue?

Best regards

#5 juad

  • Topic Starter
  • Members
  • 12 posts
  • Local time:04:26 PM

Posted 10 February 2015 - 07:02 PM

Yes, lets continue.

#6 olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:02:26 AM

Posted 11 February 2015 - 06:13 PM

Hi juad,
 
Sorry for the delay

------------------------------------

P2P:

I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

-------------------------------------------

Uninstalling a Program using Add/Remove Program

I recommend the uninstalling of the below listed program(s).

  • Press the Windows key + r on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of installed programs will be displayed
  • Uninstall the following by clicking on the program(s) below (and any other similar names) and selecting Remove or Uninstall

µTorrent
ValueApps

  • Reboot your computer

-----------------------------------------------------------------------------
 
Step 1:

FRST Script:

Ensure your external and/or USB drives are inserted during the scan.

Important: Running from D:\FRST --> No. C:\FRST --> Desktop.

Please download the attached fixlist.txt (6.19KB) and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
  • Please copy and paste its contents in your next reply.

Note: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

 

Step 2:

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:

 

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

 

Have a great day.

Edited by olgun52, 11 February 2015 - 06:24 PM.

Best regards
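An added example, not part of any post in this thread and not Farbar's code or the helper's fix: the fixlist used in Step 1 above is, as the Fixlog posted later shows, a CloseProcesses: directive followed by lines copied verbatim from FRST.txt (the entries FRST flags with <==== ATTENTION, the HELP_DECRYPT ransom-note files and startup entries, and entries whose file is missing, which FRST prints as [X]). The Python below drafts such a fixlist from FRST.txt lines. The sample lines are constructed from the log posted above, the bucket names and regular expressions are this example's own, and the rule that installed-program entries go to a separate manual-uninstall list rather than into the fixlist follows the helper's instruction for ValueApps. The output is a draft for someone who knows FRST to review, not something to run unreviewed.

```python
"""Draft an FRST fixlist.txt from FRST.txt log lines.

Added example for this thread: not Farbar's tool and not the helper's fix.
It selects lines only by markers FRST itself prints; every line still needs
a human review before anyone presses Fix.
"""
import re
from typing import Dict, Iterable, List, Optional

# Markers as they appear in FRST.txt (see the log posted in this thread).
ATTENTION = re.compile(r"<=+ ATTENTION\s*$")      # "... No Task File <==== ATTENTION"
MISSING_FILE = re.compile(r"\[X\]\s*$")           # entry whose file is gone: "catchme.sys [X]"
RANSOM_NOTE = re.compile(r"[\\/]HELP_DECRYPT\.(HTML|TXT|PNG|URL)\b", re.IGNORECASE)
# Installed-program entry: "Name (HKLM...\key) (Version: ...)". The helper has
# these uninstalled via appwiz.cpl (ValueApps), so they stay out of the fixlist.
PROGRAM_ENTRY = re.compile(r"\((HKLM|HKU)[^)]*\) \(Version:")

FIXLIST_BUCKETS = ("flagged", "ransom-note", "missing-file")   # copied into the fixlist
ALL_BUCKETS = FIXLIST_BUCKETS + ("uninstall-manually",)        # reported, not copied

# Constructed sample in FRST.txt format, modelled on the log above. The
# selection and order are this example's own; it is not a complete log.
SAMPLE_FRST_LINES: List[str] = [
    r"Task: {0974B216-389A-4DFD-AA33-0D02838A4F0A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-26] (Google Inc.)",
    r"Task: {46A7C48C-292E-4A2E-88F5-E3FDDB2E3F70} - \Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 No Task File <==== ATTENTION",
    r"Task: {87C8B034-7335-4E6E-8644-7D7F372D5B17} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe <==== ATTENTION",
    r"HKLM-x32\...\Run: [] => [X]",
    r"S3 catchme; \??\C:\ComboFix\catchme.sys [X]",
    r"Startup: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()",
    r"2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\Public\HELP_DECRYPT.HTML",
    r"2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\Public\HELP_DECRYPT.TXT",
    r"ValueApps (HKLM-x32\...\ValueApps) (Version: 1.1.1.1 - Conduit LTD) <==== ATTENTION",
    r"GroupPolicy: Group Policy on Chrome detected <======= ATTENTION",
    r"Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)",
]


def classify(line: str) -> Optional[str]:
    """Return the bucket a single FRST.txt line belongs to, or None."""
    if PROGRAM_ENTRY.search(line):
        # A flagged program is a manual uninstall; an unflagged one is noise.
        return "uninstall-manually" if ATTENTION.search(line) else None
    if ATTENTION.search(line):
        return "flagged"
    if RANSOM_NOTE.search(line):
        return "ransom-note"
    if MISSING_FILE.search(line):
        return "missing-file"
    return None


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group log lines by bucket, keeping their original order."""
    buckets: Dict[str, List[str]] = {name: [] for name in ALL_BUCKETS}
    for raw in lines:
        line = raw.rstrip("\r\n")
        kind = classify(line)
        if kind is not None:
            buckets[kind].append(line)
    return buckets


def build_fixlist(lines: Iterable[str]) -> str:
    """Draft fixlist.txt text: CloseProcesses: first (as in the fix posted in
    this thread), then each candidate line copied verbatim from the log."""
    body = ["CloseProcesses:"]
    for raw in lines:
        line = raw.rstrip("\r\n")
        if classify(line) in FIXLIST_BUCKETS:
            body.append(line)
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python frst_triage.py FRST.txt (script name assumed; with no
    # argument the constructed sample is used). Assumes the log is UTF-8,
    # with or without a BOM.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_FRST_LINES
    for name, hits in triage(log_lines).items():
        print(f"# {name}: {len(hits)} line(s)")
    print(build_fixlist(log_lines), end="")
```

On the sample, the Google Update task and the Adobe Reader entry stay out because FRST did not flag them, ValueApps is reported for a manual uninstall, and the eight remaining lines land under CloseProcesses: in the same form the Fixlog in this thread shows. That makes the script a sanity check on a fixlist someone hands you (does every line trace back to a marker in the log?), not a substitute for reading it.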

 


 


#7 juad

  • Topic Starter
  • Members
  • 12 posts
  • Local time:04:26 PM

Posted 12 February 2015 - 05:54 PM

Thank you Olgun52.

Step 1 Complete.

I will continue with Step 2.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
Ran by LIZA1 at 2015-02-12 14:16:36 Run:1
Running from C:\Users\LIZA1\Desktop\FRST
Loaded Profiles: LIZA1 (Available profiles: LIZA1 & DANAE & ManuelGerardo)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
 
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\...\Policies\system: [LogonHoursAction] 2
Startup: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/Yi94b0
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
GroupPolicyUsers\S-1-5-21-785029809-3937339692-3893416616-1004\User: Group Policy restriction detected <======= ATTENTION
GroupPolicyUsers\S-1-5-21-785029809-3937339692-3893416616-1003\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
Toolbar: HKU\S-1-5-21-785029809-3937339692-3893416616-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
CHR HKLM-x32\...\Chrome\Extension: [lcnnhcneegeeojhgpfijnlnocjdmlaon] - C:\ProgramData\ValueApps\CH\ValueApps.crx [2014-01-10]
CHR HKLM-x32\...\Chrome\Extension: [llohkdhljoeoekfieamifonacjllceol] - C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta592\ch\VideoPlayerV3beta592.crx [Not Found]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S0 sjfp; System32\drivers\npub.sys 
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\Public\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\Public\Documents\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\ManuelGerardo\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00008528 _____ () C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.HTML
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\Public\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\Public\Documents\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\ManuelGerardo\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00004204 _____ () C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.TXT
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\Public\HELP_DECRYPT.URL
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\Public\Documents\HELP_DECRYPT.URL
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\ManuelGerardo\HELP_DECRYPT.URL
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.URL
2015-01-26 21:45 - 2015-01-26 21:45 - 00000272 _____ () C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.URL
2015-01-25 10:12 - 2015-01-25 10:12 - 00001248 _____ () C:\Users\ManuelGerardo\AppData\Roaming\DDWJWDY
2015-01-24 15:34 - 2015-01-24 15:34 - 00008528 _____ () C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-24 15:34 - 2015-01-24 15:34 - 00008528 _____ () C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.HTML
2015-01-24 15:34 - 2015-01-24 15:34 - 00008528 _____ () C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.HTML
2015-01-24 15:34 - 2015-01-24 15:34 - 00004204 _____ () C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-24 15:34 - 2015-01-24 15:34 - 00004204 _____ () C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.TXT
2015-01-24 15:34 - 2015-01-24 15:34 - 00004204 _____ () C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.TXT
2015-01-24 15:34 - 2015-01-24 15:34 - 00000272 _____ () C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.URL
2015-01-24 15:34 - 2015-01-24 15:34 - 00000272 _____ () C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.URL
2015-01-24 15:34 - 2015-01-24 15:34 - 00000272 _____ () C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.URL
2015-01-24 15:31 - 2015-01-24 15:31 - 00008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-24 15:31 - 2015-01-24 15:31 - 00004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-24 15:31 - 2015-01-24 15:31 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
C:\ProgramData\@system.temp
C:\Users\ManuelGerardo\AppData\Roaming\麽鎒駓覜
C:\Users\LIZA1\Desktop\Thumbs.db
2015-01-24 15:24 - 2015-02-01 15:50 - 0000648 _____ () C:\ProgramData\@system.temp
2015-01-24 15:31 - 2015-01-24 15:31 - 0008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-24 15:31 - 2015-01-24 15:31 - 0045509 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-24 15:31 - 2015-01-24 15:31 - 0004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-24 15:31 - 2015-01-24 15:31 - 0000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
Task: {46A7C48C-292E-4A2E-88F5-E3FDDB2E3F70} - \Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 No Task File <==== ATTENTION
Task: {7086475A-79FA-4AE3-9037-E899444CDEBC} - \Advanced System Protector No Task File <==== ATTENTION
Task: {87C8B034-7335-4E6E-8644-7D7F372D5B17} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe <==== ATTENTION
Task: {A603DDD8-05A3-4341-9EEF-397CD0006EEF} - \Advanced System Protector_startup No Task File <==== ATTENTION
Task: {C0335A86-0899-4A5D-9ABE-B655ED99BE2C} - \RegClean Pro No Task File <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
 
 
*****************
 
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\\LogonHoursAction => value deleted successfully.
C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-785029809-3937339692-3893416616-1004\User => Moved successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-785029809-3937339692-3893416616-1003\User => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-785029809-3937339692-3893416616-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKU\S-1-5-21-785029809-3937339692-3893416616-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found. 
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lcnnhcneegeeojhgpfijnlnocjdmlaon" => Key deleted successfully.
C:\ProgramData\ValueApps\CH\ValueApps.crx => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\llohkdhljoeoekfieamifonacjllceol" => Key deleted successfully.
catchme => Service deleted successfully.
sjfp => Service deleted successfully.
C:\Users\Public\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Public\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\ManuelGerardo\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Public\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Public\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\ManuelGerardo\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Public\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Public\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\ManuelGerardo\HELP_DECRYPT.URL => Moved successfully.
C:\Users\ManuelGerardo\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\ManuelGerardo\Desktop\HELP_DECRYPT.URL => Moved successfully.
C:\Users\ManuelGerardo\AppData\Roaming\DDWJWDY => Moved successfully.
C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\ManuelGerardo\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\ManuelGerardo\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\Users\ManuelGerardo\AppData\HELP_DECRYPT.URL => Moved successfully.
C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.
C:\ProgramData\HELP_DECRYPT.TXT => Moved successfully.
C:\ProgramData\HELP_DECRYPT.URL => Moved successfully.
C:\ProgramData\@system.temp => Moved successfully.
C:\Users\ManuelGerardo\AppData\Roaming\麽鎒駓覜 => Moved successfully.
C:\Users\LIZA1\Desktop\Thumbs.db => Moved successfully.
"C:\ProgramData\@system.temp" => File/Directory not found.
"C:\ProgramData\HELP_DECRYPT.HTML" => File/Directory not found.
C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
"C:\ProgramData\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\ProgramData\HELP_DECRYPT.URL" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{46A7C48C-292E-4A2E-88F5-E3FDDB2E3F70}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{46A7C48C-292E-4A2E-88F5-E3FDDB2E3F70}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7086475A-79FA-4AE3-9037-E899444CDEBC}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7086475A-79FA-4AE3-9037-E899444CDEBC}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Advanced System Protector" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{87C8B034-7335-4E6E-8644-7D7F372D5B17}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87C8B034-7335-4E6E-8644-7D7F372D5B17}" => Key deleted successfully.
C:\Windows\System32\Tasks\pcreg => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\pcreg" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A603DDD8-05A3-4341-9EEF-397CD0006EEF}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A603DDD8-05A3-4341-9EEF-397CD0006EEF}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Advanced System Protector_startup" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C0335A86-0899-4A5D-9ABE-B655ED99BE2C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C0335A86-0899-4A5D-9ABE-B655ED99BE2C}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro => Key not found. 
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to cancel {F393910A-9181-42D4-9E1F-0E5B68DD04A3}.
Unable to cancel {54F68CD8-7161-40B7-A28C-8C38358CC0EC}.
Unable to cancel {8BB3D64C-A6C4-4A5E-938F-57F635186482}.
Unable to cancel {5914097B-6115-4204-8D3D-AF90CFCE7244}.
Unable to cancel {BAC81462-E365-4861-A498-99A6D8A407A7}.
Unable to cancel {6664A906-BEBE-4C49-963F-85553073F28A}.
Unable to cancel {E5834AB6-8ADB-40D5-AEF5-36699AC7B93C}.
Unable to cancel {F933694B-0898-4C4E-95BF-19D998D019D3}.
Unable to cancel {5C7C9510-1714-4ABB-9CAB-B29C609ED3BD}.
Unable to cancel {80794A8C-CDD7-4A43-AADD-7BCC5DA091F2}.
Unable to cancel {F56CC753-3C8D-45E6-839F-52E92868E0A1}.
Unable to cancel {382F1799-EDE6-4D5F-80B2-6A307BFF48C3}.
{72995515-0371-4D61-93ED-FEC386941E4B} canceled.
{E2D90F2F-4A7C-4769-85DE-BC414F0798AB} canceled.
2 out of 14 jobs canceled.
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv4 reset =========
 
Reseting Global, OK!
Reseting Interface, OK!
Reseting Route, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv6 reset =========
 
Reseting Interface, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
EmptyTemp: => Removed 939.8 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 14:17:12 ====
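The Fixlog above records FRST moving the CryptoWall 3.0 ransom notes (HELP_DECRYPT.HTML/TXT/URL/PNG) out of every profile and deleting the scheduled tasks, the catchme and sjfp services and the rogue Chrome extension keys. The script below is an added example for this page, not code from the thread, from FRST or from its author: it re-checks those same artifacts after the reboot and recovers the ransom-note drop timeline from the file creation times. Only the file names, task names, service names and registry keys are taken from the log; everything else (the sweep roots, the PowerShell 2.0 constraints, the report format) is an assumption made for this example.

```powershell
# Added example (not from the thread): verify that the CryptoWall 3.0 artifacts
# the Fixlog shows FRST moving or deleting are really gone, and recover the
# ransom-note drop timeline. Run from an elevated PowerShell on the cleaned PC.
# File names, task names, service names and registry keys come from the log;
# everything else here is an assumption made for this example.

# Ransom-note file names CryptoWall 3.0 drops beside the encrypted data (from the log).
$noteNames = 'HELP_DECRYPT.HTML', 'HELP_DECRYPT.TXT', 'HELP_DECRYPT.URL', 'HELP_DECRYPT.PNG'

# Sweep roots: every real profile folder under C:\Users (junctions such as
# "All Users" and "Default User" are skipped) plus C:\ProgramData.
# Written for PowerShell 2.0, which a stock Windows 7 install ships with, so no
# -File/-Directory switches and no Get-ScheduledTask (that cmdlet needs Windows 8+).
$roots = @(Get-ChildItem -Path 'C:\Users' -Force |
    Where-Object { $_.PSIsContainer -and ($_.Attributes -notmatch 'ReparsePoint') } |
    ForEach-Object { $_.FullName }) + 'C:\ProgramData'

# 1. Ransom notes left behind, sorted by creation time. The earliest note is the
#    best on-disk marker for when encryption started on this host (in the log,
#    2015-01-24 15:24-15:31 in C:\ProgramData, two days before the notes in the
#    other profiles). The script only reports: the notes hold the victim-specific
#    payment URLs, so keep FRST's quarantined copies rather than deleting them.
$notes = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $noteNames -contains $_.Name }
}
if ($notes) {
    $notes | Sort-Object CreationTime |
        Select-Object CreationTime, Length, FullName | Format-Table -AutoSize
    $first = $notes | Sort-Object CreationTime | Select-Object -First 1
    "Earliest ransom note: $($first.CreationTime)  $($first.FullName)"
} else {
    'No HELP_DECRYPT.* ransom notes remain.'
}

# 2. Persistence the fix removed. Scheduled tasks are registered under
#    TaskCache\Tree (the exact keys the Fixlog deleted); services and kernel
#    drivers live under CurrentControlSet\Services. Checking the registry also
#    catches the sjfp driver (npub.sys), which Get-Service would not list
#    because it is a driver, not a Win32 service.
$taskTree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$checks = @{
    'Task: pcreg'                             = "$taskTree\pcreg"
    'Task: Advanced System Protector'         = "$taskTree\Advanced System Protector"
    'Task: Advanced System Protector_startup' = "$taskTree\Advanced System Protector_startup"
    'Task: RegClean Pro'                      = "$taskTree\RegClean Pro"
    'Task: Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2' = "$taskTree\Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2"
    'Task file: pcreg'                        = 'C:\Windows\System32\Tasks\pcreg'
    'Service: catchme'                        = 'HKLM:\SYSTEM\CurrentControlSet\Services\catchme'
    'Service: sjfp'                           = 'HKLM:\SYSTEM\CurrentControlSet\Services\sjfp'
    'Driver file: npub.sys'                   = 'C:\Windows\System32\drivers\npub.sys'
    'Chrome extension: llohkdhljoeoekfieamifonacjllceol' = 'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\llohkdhljoeoekfieamifonacjllceol'
    'Chrome extension: lcnnhcneegeeojhgpfijnlnocjdmlaon' = 'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lcnnhcneegeeojhgpfijnlnocjdmlaon'
    'Dropped file: @system.temp'              = 'C:\ProgramData\@system.temp'
}
foreach ($name in ($checks.Keys | Sort-Object)) {
    $state = if (Test-Path -LiteralPath $checks[$name]) { 'STILL PRESENT' } else { 'removed' }
    '{0,-55} {1}' -f $name, $state
}
```

Run it after the reboot the Fixlog asks for, since the service and driver deletions are not final until then. A line reading STILL PRESENT for any task or service means the fix did not take and the item should go back into the next fixlist; a ransom note that reappears after the sweep means the encryptor is still running, which no amount of note cleanup will solve.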


#8 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:02:26 AM

Posted 12 February 2015 - 06:44 PM

Now it is time for bed here. I will write the answer tomorrow.
Good night.
:hello:


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#9 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:02:26 AM

Posted 13 February 2015 - 03:15 PM

I am waiting to see your logs.


Best regards
 

 


 


#10 juad

juad
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:26 PM

Posted 13 February 2015 - 04:23 PM

Step 2 Complete.

 

# AdwCleaner v4.110 - Logfile created 13/02/2015 at 15:11:26
# Updated 05/02/2015 by Xplode
# Database : 2015-02-13.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : LIZA1 - LIZA1-PC
# Running from : C:\Users\LIZA1\Downloads\adwcleaner_4.110.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Systweak
Folder Deleted : C:\ProgramData\ValueApps
Folder Deleted : C:\Program Files\pcreg
Folder Deleted : C:\Users\DANAE\Documents\Updater
Folder Deleted : C:\Users\LIZA1\AppData\Local\DownloadManager
Folder Deleted : C:\Users\LIZA1\Documents\Updater
Folder Deleted : C:\Users\ManuelGerardo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FlvPlayer
File Deleted : C:\Users\ManuelGerardo\Desktop\FlvPlayer.lnk
File Deleted : C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsmode.com_0.localstorage
File Deleted : C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsmode.com_0.localstorage-journal
File Deleted : C:\Users\LIZA1\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
File Deleted : C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage-journal
File Deleted : C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Deleted : C:\Users\LIZA1\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Deleted : C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage-journal
File Deleted : C:\Users\ManuelGerardo\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.search.ask.com_0.localstorage
File Deleted : C:\Users\ManuelGerardo\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.search.ask.com_0.localstorage-journal
File Deleted : C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\LyricsSay-1
Key Deleted : HKLM\SOFTWARE\Video Player
Key Deleted : HKLM\SOFTWARE\VideoPlayerV3
Key Deleted : HKLM\SOFTWARE\Better-Surf
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ValueApps
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Mozilla Firefox v35.0.1 (x86 en-US)
 
 
-\\ Google Chrome v40.0.2214.111
 
[C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\DANAE\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.k9safesearch.com/search.jsp?r=o&q={searchTerms}
[C:\Users\ManuelGerardo\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\ManuelGerardo\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\ManuelGerardo\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://dts.search.ask.com/sr?src=crb&gct=ds&appid=120&systemid=406&v=n13970-478&apn_uid=3904514174104375&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
[C:\Users\ManuelGerardo\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_ir_14_42_ch&cd=2XzuyEtN2Y1L1QzuyBzzyEyD0CyE0CyC0AtBzzzy0B0E0ByDtN0D0Tzu0StCtDtBtAtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByByEyE0C0EyEyCtG0DtC0DzztGzz0F0FyEtGtAtC0DtBtGtB0C0C0AyByB0AyEyDyDzy0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0C0A0DtCyE0C0E0CtGzy0AyE0BtGyEtCtCtBtG0A0AyEyDtGyE0EtBzztDyD0AyEyEzztDzz2Q&cr=937601416&ir=
[C:\Users\ManuelGerardo\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://astromenda.com/?results.php?&q={searchTerms}&f=4&a=&cd=&cr=&ir=
 
*************************
 
AdwCleaner[R0].txt - [27978 bytes] - [30/04/2014 20:03:10]
AdwCleaner[R1].txt - [5003 bytes] - [13/02/2015 15:05:59]
AdwCleaner[S0].txt - [26991 bytes] - [30/04/2014 20:06:28]
AdwCleaner[S1].txt - [4959 bytes] - [13/02/2015 15:11:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5018  bytes] ##########


#11 juad

juad
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:26 PM

Posted 13 February 2015 - 04:28 PM

Step 3 Complete.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 7 Professional x64
Ran by LIZA1 on Fri 02/13/2015 at 15:23:41.39
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\update wiseenhance
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\util wiseenhance
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Successfully deleted the following from C:\Users\LIZA1\AppData\Roaming\mozilla\firefox\profiles\z5beaip3.default-1383851963037\prefs.js
 
user_pref("extensions.wips.stats.last_false_url", "www.dnsrsearch.com");
user_pref("valueApps.storage.mam_gk_currentVersion", "312E31332E302E3137");
user_pref("valueApps.storage.mam_gk_userId", "38666664343465332D393939642D346236362D393237622D303462316564656336636466");
user_pref("{21EAF666-26B3-4a3c-ABD0-CA2F5A326744}.ScriptData_VBATES_executeCode", "var VBATES_IsValidUrl=function(currentUrl,currentBrowser,queryParam){try{var urlParts=curren
user_pref("{21EAF666-26B3-4a3c-ABD0-CA2F5A326744}.ScriptData_VBATES_partners", "{\"www.brandalley.co.uk\":\"www.awin1.com/awclick.php?mid=3676&id=178119\",\"www.currys.co.uk\"
Emptied folder: C:\Users\LIZA1\AppData\Roaming\mozilla\firefox\profiles\z5beaip3.default-1383851963037\minidumps [18 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 02/13/2015 at 15:25:59.29
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#12 juad

juad
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:26 PM

Posted 13 February 2015 - 04:42 PM

Step 4 Complete.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2/13/2015
Scan Time: 3:29:37 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.02.13.07
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: LIZA1
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 439121
Time Elapsed: 7 min, 15 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#13 olgun52

olgun52

  • Malware Response Team
  • 3,807 posts
  • Gender:Male
  • Local time:02:26 AM

Posted 13 February 2015 - 08:25 PM

Hi juad,

Thanks for the Logs,

 

Please be sure to run our tools with administrator rights.

 

ComboFix run:

 

* IMPORTANT: 1   Place ComboFix.exe on your Desktop

* IMPORTANT: 2   Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 


Best regards
 

 


 


#14 juad

juad
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:26 PM

Posted 15 February 2015 - 01:40 AM

Thanks Olgun52. Here is the ComboFix log.

 

ComboFix 15-02-13.02 - LIZA1 02/14/2015  23:49:32.5.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8028.5940 [GMT -6:00]
Running from: c:\users\LIZA1\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Symantec Endpoint Protection *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
.
.
(((((((((((((((((((((((((   Files Created from 2015-01-15 to 2015-02-15  )))))))))))))))))))))))))))))))
.
.
2015-02-15 05:54 . 2015-02-15 05:54 -------- d-----w- c:\users\Public\AppData\Local\temp
2015-02-15 05:54 . 2015-02-15 05:54 -------- d-----w- c:\users\ManuelGerardo\AppData\Local\temp
2015-02-15 05:54 . 2015-02-15 05:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-02-15 05:54 . 2015-02-15 05:54 -------- d-----w- c:\users\DANAE\AppData\Local\temp
2015-02-10 23:57 . 2015-02-10 23:57 -------- d-----w- c:\users\LIZA1\AppData\Local\CrashDumps
2015-02-09 23:27 . 2015-02-12 20:17 -------- d-----w- C:\FRST
2015-02-07 03:42 . 2015-02-07 03:51 -------- d-----w- C:\NPE
2015-02-07 03:41 . 2015-02-07 03:56 -------- d-----w- c:\users\LIZA1\AppData\Local\NPE
2015-02-07 03:41 . 2015-02-07 03:41 -------- d-----w- c:\programdata\Norton
2015-02-06 16:19 . 2015-02-06 18:17 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2015-02-04 23:44 . 2015-02-04 23:44 5070512 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2015-01-24 21:23 . 2015-02-03 04:00 -------- d-----w- c:\users\ManuelGerardo\AppData\Roaming\FrameworkUpdate
2015-01-18 21:30 . 2014-12-11 17:47 52736 ----a-w- c:\windows\system32\TSWbPrxy.exe
2015-01-18 21:30 . 2014-12-06 04:17 303616 ----a-w- c:\windows\system32\nlasvc.dll
2015-01-18 21:30 . 2014-12-06 03:50 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll
2015-01-18 21:30 . 2014-12-06 03:50 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
2015-01-18 21:30 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2015-01-18 21:30 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2015-01-17 20:01 . 2015-01-17 20:04 -------- d-----w- c:\users\LIZA1\AppData\Local\Unity
2015-01-17 19:58 . 2014-12-19 03:06 210432 ----a-w- c:\windows\system32\profsvc.dll
2015-01-17 19:58 . 2014-12-19 01:46 141312 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2015-01-17 19:58 . 2014-12-12 05:35 5553592 ----a-w- c:\windows\system32\ntoskrnl.exe
2015-01-17 19:58 . 2014-12-12 05:31 503808 ----a-w- c:\windows\system32\srcore.dll
2015-01-17 19:58 . 2014-12-12 05:31 50176 ----a-w- c:\windows\system32\srclient.dll
2015-01-17 19:58 . 2014-12-12 05:31 296960 ----a-w- c:\windows\system32\rstrui.exe
2015-01-17 19:58 . 2014-12-12 05:11 3971512 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2015-01-17 19:58 . 2014-12-12 05:11 3916728 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2015-01-17 19:58 . 2014-12-12 05:07 43008 ----a-w- c:\windows\SysWow64\srclient.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-13 21:29 . 2014-07-12 06:17 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-02-12 09:00 . 2013-06-05 03:58 116773704 ----a-w- c:\windows\system32\MRT.exe
2015-02-04 23:44 . 2013-06-05 02:44 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-02-04 23:44 . 2013-06-05 02:44 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-01-07 12:58 . 2014-12-01 07:56 163504 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-12-13 05:09 . 2014-12-17 18:58 144384 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-13 03:33 . 2014-12-17 18:58 115712 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-12-04 02:50 . 2014-12-10 05:01 413184 ----a-w- c:\windows\system32\generaltel.dll
2014-12-04 02:50 . 2014-12-10 05:01 741376 ----a-w- c:\windows\system32\invagent.dll
2014-12-04 02:50 . 2014-12-10 05:01 396800 ----a-w- c:\windows\system32\devinv.dll
2014-12-04 02:50 . 2014-12-10 05:01 830976 ----a-w- c:\windows\system32\appraiser.dll
2014-12-04 02:50 . 2014-12-10 05:01 227328 ----a-w- c:\windows\system32\aepdu.dll
2014-12-04 02:50 . 2014-12-10 05:01 192000 ----a-w- c:\windows\system32\aepic.dll
2014-12-04 02:44 . 2014-12-10 05:01 1083392 ----a-w- c:\windows\system32\aeinv.dll
2014-12-01 23:28 . 2014-12-10 05:01 1232040 ----a-w- c:\windows\system32\aitstatic.exe
2014-11-27 01:43 . 2014-12-10 05:00 389296 ----a-w- c:\windows\system32\iedkcs32.dll
2014-11-22 03:13 . 2014-12-10 05:00 25059840 ----a-w- c:\windows\system32\mshtml.dll
2014-11-22 03:06 . 2014-12-10 05:00 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-11-22 03:06 . 2014-12-10 05:00 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:50 . 2014-12-10 05:00 66560 ----a-w- c:\windows\system32\iesetup.dll
2014-11-22 02:50 . 2014-12-10 05:00 580096 ----a-w- c:\windows\system32\vbscript.dll
2014-11-22 02:49 . 2014-12-10 05:00 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:49 . 2014-12-10 05:00 2885120 ----a-w- c:\windows\system32\iertutil.dll
2014-11-22 02:48 . 2014-12-10 05:00 88064 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-11-22 02:41 . 2014-12-10 05:00 54784 ----a-w- c:\windows\system32\jsproxy.dll
2014-11-22 02:40 . 2014-12-10 05:00 34304 ----a-w- c:\windows\system32\iernonce.dll
2014-11-22 02:37 . 2014-12-10 05:00 633856 ----a-w- c:\windows\system32\ieui.dll
2014-11-22 02:35 . 2014-12-10 05:00 114688 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-11-22 02:34 . 2014-12-10 05:00 814080 ----a-w- c:\windows\system32\jscript9diag.dll
2014-11-22 02:34 . 2014-12-10 05:00 6039552 ----a-w- c:\windows\system32\jscript9.dll
2014-11-22 02:26 . 2014-12-10 05:00 968704 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 02:22 . 2014-12-10 05:00 490496 ----a-w- c:\windows\system32\dxtmsft.dll
2014-11-22 02:20 . 2014-12-10 05:00 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-11-22 02:14 . 2014-12-10 05:00 77824 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 02:09 . 2014-12-10 05:00 199680 ----a-w- c:\windows\system32\msrating.dll
2014-11-22 02:08 . 2014-12-10 05:00 92160 ----a-w- c:\windows\system32\mshtmled.dll
2014-11-22 02:07 . 2014-12-10 05:00 501248 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-11-22 02:07 . 2014-12-10 05:00 62464 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-11-22 02:06 . 2014-12-10 05:00 47616 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05 . 2014-12-10 05:00 64000 ----a-w- c:\windows\SysWow64\MshtmlDac.dll
2014-11-22 02:05 . 2014-12-10 05:00 316928 ----a-w- c:\windows\system32\dxtrans.dll
2014-11-22 01:54 . 2014-12-10 05:00 620032 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2014-11-22 01:49 . 2014-12-10 05:00 718848 ----a-w- c:\windows\system32\ie4uinit.exe
2014-11-22 01:49 . 2014-12-10 05:00 800768 ----a-w- c:\windows\system32\msfeeds.dll
2014-11-22 01:47 . 2014-12-10 05:00 1359360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:46 . 2014-12-10 05:00 2125312 ----a-w- c:\windows\system32\inetcpl.cpl
2014-11-22 01:43 . 2014-12-10 05:00 14412800 ----a-w- c:\windows\system32\ieframe.dll
2014-11-22 01:40 . 2014-12-10 05:00 60416 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29 . 2014-12-10 05:00 4299264 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-11-22 01:28 . 2014-12-10 05:00 2358272 ----a-w- c:\windows\system32\wininet.dll
2014-11-22 01:22 . 2014-12-10 05:00 2052096 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-11-22 01:21 . 2014-12-10 05:00 1155072 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:15 . 2014-12-10 05:00 1548288 ----a-w- c:\windows\system32\urlmon.dll
2014-11-22 01:03 . 2014-12-10 05:00 800768 ----a-w- c:\windows\system32\ieapfltr.dll
2014-11-22 01:00 . 2014-12-10 05:00 1888256 ----a-w- c:\windows\SysWow64\wininet.dll
2014-11-21 12:14 . 2014-07-12 06:16 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 12:14 . 2014-07-12 06:16 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 12:14 . 2013-12-24 21:49 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 14:39 369152 --sh--w- c:\windows\SysWOW64\avisynth.dll
2005-07-14 17:31 32256 --sh--w- c:\windows\SysWOW64\AVSredirect.dll
2004-02-22 15:11 719872 --sh--w- c:\windows\SysWOW64\devil.dll
2004-01-25 05:00 70656 --sh--w- c:\windows\SysWOW64\i420vfw.dll
2004-01-25 05:00 70656 --sh--w- c:\windows\SysWOW64\yv12vfw.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-04-23 1314816]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2012-10-25 115624]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
"AgentMonitor"="c:\program files (x86)\VTech\DownloadManager\System\AgentMonitor.exe" [2014-06-20 401280]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-08-16 152392]
"Acrobat Assistant 7.0"="c:\cs2\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys;c:\windows\SYSNATIVE\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 bckd;bckd;c:\windows\system32\drivers\bckd.sys;c:\windows\SYSNATIVE\drivers\bckd.sys [x]
S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe;c:\program files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k60x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1k60x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-06 06:51 1086280 ----a-w- c:\program files (x86)\Google\Chrome\Application\40.0.2214.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-05 23:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"picon"="c:\program files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-21 796696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1712672]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"pcreg"="c:\program files\pcreg\service.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\LIZA1\AppData\Roaming\Mozilla\Firefox\Profiles\z5beaip3.default-1383851963037\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-02-14  23:55:15
ComboFix-quarantined-files.txt  2015-02-15 05:55
ComboFix2.txt  2015-02-06 21:01
ComboFix3.txt  2014-05-01 00:47
ComboFix4.txt  2014-01-13 06:06
ComboFix5.txt  2015-02-15 05:48
.
Pre-Run: 25,065,066,496 bytes free
Post-Run: 24,712,986,624 bytes free
.
- - End Of File - - CA89DF864F515B3AF94AEABD5B8B6E2E
A36C5E4F47E84449FF07ED3517B43A31


#15 olgun52 (Malware Response Team, 3,807 posts)

Posted 15 February 2015 - 05:30 PM

Hi,

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.

c:\program files\pcreg\service.exe

Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.

----------------------

 

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Regards

Best regards
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
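As an added example (not from the post, ComboFix or any BleepingComputer tool), a small Python triage helper that parses the "Reg Loading Points" section shown above, flags autostart entries that carry no timestamp/size tag (the `[BU]` line for c:\program files\pcreg\service.exe that olgun52 asks to have scanned) together with the UAC policies set to 0, and builds a VirusTotal hash-lookup URL so a file can be checked by SHA-256 before it is uploaded. The log excerpt inside it is constructed from lines in the log above, and treating a missing timestamp/size tag as "needs a look" is my assumption, not ComboFix's definition.

```python
import re
import hashlib

# Constructed excerpt in the ComboFix "Reg Loading Points" format, built from entries in the log above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1712672]
"pcreg"="c:\program files\pcreg\service.exe" [BU]
"""

RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<tag>[^\]]*)\]$')
POLICY_LINE = re.compile(r'^"(?P<name>\w+)"=\s*(?P<value>\d+)')
DATED_TAG = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")  # the usual "[YYYY-MM-DD size]" tag
UAC_KEYS = {"EnableLUA", "ConsentPromptBehaviorAdmin"}  # 0 means UAC off / silent elevation

def parse_loading_points(text):
    """Return (run_entries, policies) from a ComboFix 'Reg Loading Points' excerpt."""
    run_entries, policies, key = [], {}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key heading for the lines that follow
        elif (m := RUN_LINE.match(line)) and key.endswith("\\run"):
            run_entries.append((m["name"], m["path"], m["tag"]))
        elif (m := POLICY_LINE.match(line)) and key.endswith("policies\\system"):
            policies[m["name"]] = int(m["value"])
    return run_entries, policies

def triage(text):
    """Flag autostart entries with no timestamp/size tag and UAC policies set to 0 (assumed heuristic)."""
    run_entries, policies = parse_loading_points(text)
    findings = []
    for name, path, tag in run_entries:
        if not DATED_TAG.match(tag):
            findings.append(f"autostart '{name}' -> {path}: no file metadata tag [{tag}]; hash and check on VirusTotal")
    for k in sorted(UAC_KEYS & policies.keys()):
        if policies[k] == 0:
            findings.append(f"policy {k}=0: UAC disabled or weakened")
    return findings

def vt_lookup_url(file_bytes):
    """Build the VirusTotal report URL for a file's SHA-256 (lookup by hash, no upload)."""
    return "https://www.virustotal.com/gui/file/" + hashlib.sha256(file_bytes).hexdigest()
```

Feed `vt_lookup_url` the bytes of the suspect file (for example `Path(r"c:\program files\pcreg\service.exe").read_bytes()`) to get the report page for its hash; a hash that VirusTotal has never seen is exactly the case where the upload step in the post is needed.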