Need help with farbar, got hit with the Cryptowall 3.0


  • This topic is locked
53 replies to this topic

#1 tophat1


  • Members
  • 48 posts

Posted 14 February 2015 - 01:57 AM

Attached scans of both FRST and Addition 


#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 15 February 2015 - 01:22 PM

Hello tophat1,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

 

 

Currently there is no way to decrypt your files. We can get rid of the infection.

 

1.

Please move FRST from your downloads folder to your desktop before following these instructions.

 

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Attached File: fixlist.txt (16.48 KB, 8 downloads)

 

How is the machine running after this fix?

 

 

 


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 tophat1

  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2015 - 01:37 PM

Thank you so much for your help, fireman4it. Not sure how to run the files?



#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts

Posted 15 February 2015 - 01:42 PM

What do you mean, not sure how to run the files?


#5 tophat1

  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2015 - 01:50 PM

How do I create the shortcut in the startup menu? Never mind, figured it out. Do I add the Addition file as well?



#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts

Posted 15 February 2015 - 01:52 PM

Please read the directions carefully. You are not creating a shortcut; you are moving FRST to the desktop only. Not the FRST.txt. The FRST program itself to the Desktop.


#7 tophat1

  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2015 - 01:57 PM

Right, the scan I have from the Farbar is the FRST program, right? I'm confused then; when you say 'run' the program, is that shutting down my laptop and turning it back on? Sorry, I really appreciate your patience. I just want to make sure I get it right.


Also when does the option to click on fix pop up?



#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts

Posted 15 February 2015 - 02:10 PM

FRST is the program you downloaded, not the file it produced from running it. The fixlist.txt I provided must be in the same place the FRST program is, not the FRST.txt.

Once you run the FRST program, you will see the Fix button.


#9 tophat1

  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2015 - 02:14 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2015
Ran by capital at 2015-02-15 13:13:16 Run:1
Running from C:\Users\capital\Downloads
Loaded Profiles: capital (Available profiles: capital)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2020704 2014-08-05] (Wondershare)
HKU\S-1-5-21-2963937243-2449309144-3420111183-1001\...\Run: [Advanced SystemCare 8] => C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe [2428704 2015-01-20] (IObit)
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
AppInit_DLLs:  C:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL => C:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL File Not Found
AppInit_DLLs-x32: c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll => "c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll" File Not Found
AppInit_DLLs-x32:  c:\progra~2\optimi~1\optpro~1.dll => "c:\progra~2\optimi~1\optpro~1.dll" File Not Found
Startup: C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTGuard Updates.lnk
ShortcutTarget: BTGuard Updates.lnk -> C:\BTGUARD\settings.exe ()
Startup: C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.optionstorpay22.com/1cUYpjL
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-2963937243-2449309144-3420111183-1001 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = 
SearchScopes: HKU\S-1-5-21-2963937243-2449309144-3420111183-1001 -> {627C4FEE-4BD3-4C98-B5C4-C5B001BEEEEF} URL = 
SearchScopes: HKU\S-1-5-21-2963937243-2449309144-3420111183-1001 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = 
SearchScopes: HKU\S-1-5-21-2963937243-2449309144-3420111183-1001 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = 
SearchScopes: HKU\S-1-5-21-2963937243-2449309144-3420111183-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = 
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll (IObit)
BHO: No Name -> {88BD9D50-779D-81FA-84A2-7A685A189B61} ->  No File
BHO: No Name -> {9AE76A68-7400-0D61-AE0A-538B849A7FF9} ->  No File
ShellExecuteHooks-x32: EasyBits ShellExecute Hook - {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWOW64\ezUPBHook.dll [52920 2011-05-13] (EasyBits Software Corp.)
BHO-x32: No Name -> {451C804F-C205-4F03-B48E-537EC94937BF} ->  No File
BHO-x32: No Name -> {88BD9D50-779D-81FA-84A2-7A685A189B61} ->  No File
BHO-x32: No Name -> {9AE76A68-7400-0D61-AE0A-538B849A7FF9} ->  No File
BHO-x32: Advanced SystemCare Surfing Protection -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll (IObit)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Handler: WSWSVCUchrome - No CLSID Value
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com
FF Extension: Wondershare Video Converter Ultimate - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com [2014-08-29]
S2 70e6ca8c; "C:\Windows\system32\rundll32.exe" "c:\progra~2\optimi~1\OptProCrashSvc.dll",ServiceMain
c:\progra~2\optimi~1
2015-02-13 22:42 - 2015-02-13 22:42 - 00008722 _____ () C:\Users\capital\HELP_DECRYPT.HTML
2015-02-13 22:42 - 2015-02-13 22:42 - 00008722 _____ () C:\Users\capital\Desktop\HELP_DECRYPT.HTML
2015-02-13 22:42 - 2015-02-13 22:42 - 00004304 _____ () C:\Users\capital\HELP_DECRYPT.TXT
2015-02-13 22:42 - 2015-02-13 22:42 - 00004304 _____ () C:\Users\capital\Desktop\HELP_DECRYPT.TXT
2015-02-13 22:42 - 2015-02-13 22:42 - 00000304 _____ () C:\Users\capital\HELP_DECRYPT.URL
2015-02-13 22:42 - 2015-02-13 22:42 - 00000304 _____ () C:\Users\capital\Desktop\HELP_DECRYPT.URL
2015-02-13 21:23 - 2015-02-13 21:23 - 00983112 _____ (Wondershare) C:\Users\capital\Downloads\video-editor_setup_full846.exe
2015-02-13 21:12 - 2015-02-13 21:12 - 00000939 _____ () C:\Users\capital\Desktop\Zero Assumption Recovery.lnk
2015-02-13 20:16 - 2015-02-13 20:16 - 00000000 ____D () C:\Users\capital\AppData\Local\{1DFB93AA-6D51-432C-8BCD-F49590B2C82A}
2015-02-13 16:44 - 2015-02-13 16:44 - 00008722 _____ () C:\Users\capital\Downloads\HELP_DECRYPT.HTML
2015-02-13 16:44 - 2015-02-13 16:44 - 00004304 _____ () C:\Users\capital\Downloads\HELP_DECRYPT.TXT
2015-02-13 16:44 - 2015-02-13 16:44 - 00000304 _____ () C:\Users\capital\Downloads\HELP_DECRYPT.URL
2015-02-13 16:31 - 2015-02-13 16:31 - 00008722 _____ () C:\Users\capital\Documents\HELP_DECRYPT.HTML
2015-02-13 16:31 - 2015-02-13 16:31 - 00004304 _____ () C:\Users\capital\Documents\HELP_DECRYPT.TXT
2015-02-13 16:31 - 2015-02-13 16:31 - 00000304 _____ () C:\Users\capital\Documents\HELP_DECRYPT.URL
2015-02-13 16:20 - 2015-02-13 16:20 - 00008722 _____ () C:\Users\capital\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-13 16:20 - 2015-02-13 16:20 - 00008722 _____ () C:\Users\capital\AppData\Local\HELP_DECRYPT.HTML
2015-02-13 16:20 - 2015-02-13 16:20 - 00008722 _____ () C:\Users\capital\AppData\HELP_DECRYPT.HTML
2015-02-13 16:20 - 2015-02-13 16:20 - 00008722 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-02-13 16:20 - 2015-02-13 16:20 - 00004304 _____ () C:\Users\capital\AppData\Roaming\HELP_DECRYPT.TXT
2015-02-13 16:20 - 2015-02-13 16:20 - 00004304 _____ () C:\Users\capital\AppData\Local\HELP_DECRYPT.TXT
2015-02-13 16:20 - 2015-02-13 16:20 - 00004304 _____ () C:\Users\capital\AppData\HELP_DECRYPT.TXT
2015-02-13 16:20 - 2015-02-13 16:20 - 00004304 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-02-13 16:20 - 2015-02-13 16:20 - 00000304 _____ () C:\Users\capital\AppData\Roaming\HELP_DECRYPT.URL
2015-02-13 16:20 - 2015-02-13 16:20 - 00000304 _____ () C:\Users\capital\AppData\Local\HELP_DECRYPT.URL
2015-02-13 16:20 - 2015-02-13 16:20 - 00000304 _____ () C:\Users\capital\AppData\HELP_DECRYPT.URL
2015-02-13 16:20 - 2015-02-13 16:20 - 00000304 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-02-12 23:07 - 2015-02-12 23:07 - 00015403 _____ () C:\Users\capital\Downloads\Redirected (2014) [1080p] YIFY - YTS.torrent
2015-02-12 23:00 - 2015-02-12 23:00 - 00008239 _____ () C:\Users\capital\Downloads\John Doe Vigilante (2014) [720p] YIFY - YTS.torrent
2015-02-12 22:54 - 2015-02-12 22:54 - 00513784 _____ () C:\Users\capital\Downloads\The.Timber.2015.BRRip.XviD (1).exe
2015-02-12 22:53 - 2015-02-12 22:53 - 00513784 _____ () C:\Users\capital\Downloads\The.Timber.2015.BRRip.XviD.exe
2014-08-17 20:06 - 2014-09-08 16:11 - 0000004 _____ () C:\Users\capital\AppData\Roaming\appdataFr2.bin
2015-02-13 16:20 - 2015-02-13 16:20 - 0008722 _____ () C:\Users\capital\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-13 16:20 - 2015-02-13 16:20 - 0045928 _____ () C:\Users\capital\AppData\Roaming\HELP_DECRYPT.PNG
2015-02-13 16:20 - 2015-02-13 16:20 - 0004304 _____ () C:\Users\capital\AppData\Roaming\HELP_DECRYPT.TXT
2015-02-13 16:20 - 2015-02-13 16:20 - 0000304 _____ () C:\Users\capital\AppData\Roaming\HELP_DECRYPT.URL
2015-02-13 16:20 - 2015-02-13 16:20 - 0008722 _____ () C:\Users\capital\AppData\Local\HELP_DECRYPT.HTML
2015-02-13 16:20 - 2015-02-13 16:20 - 0045928 _____ () C:\Users\capital\AppData\Local\HELP_DECRYPT.PNG
2015-02-13 16:20 - 2015-02-13 16:20 - 0004304 _____ () C:\Users\capital\AppData\Local\HELP_DECRYPT.TXT
2015-02-13 16:20 - 2015-02-13 16:20 - 0000304 _____ () C:\Users\capital\AppData\Local\HELP_DECRYPT.URL
2015-02-13 16:20 - 2015-02-13 16:20 - 0008722 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-02-13 16:20 - 2015-02-13 16:20 - 0045928 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-02-13 16:20 - 2015-02-13 16:20 - 0004304 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-02-13 16:20 - 2015-02-13 16:20 - 0000304 _____ () C:\ProgramData\HELP_DECRYPT.URL
 
 
 
 
 
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Wondershare Helper Compact.exe => value deleted successfully.
HKU\S-1-5-21-2963937243-2449309144-3420111183-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced SystemCare 8 => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\EnableShellExecuteHooks => value deleted successfully.
"C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll" => Value Data removed successfully.
" C:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL" => Value Data removed successfully.
"c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll" => Value Data removed successfully.
" c:\progra~2\optimi~1\optpro~1.dll" => Value Data removed successfully.
C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTGuard Updates.lnk => Moved successfully.
C:\BTGUARD\settings.exe => Moved successfully.
C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found. 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{627C4FEE-4BD3-4C98-B5C4-C5B001BEEEEF}" => Key deleted successfully.
HKCR\CLSID\{627C4FEE-4BD3-4C98-B5C4-C5B001BEEEEF} => Key not found. 
"HKU\S-1-5-21-2963937243-2449309144-3420111183-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found. 
"HKU\S-1-5-21-2963937243-2449309144-3420111183-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{627C4FEE-4BD3-4C98-B5C4-C5B001BEEEEF}" => Key deleted successfully.
HKCR\CLSID\{627C4FEE-4BD3-4C98-B5C4-C5B001BEEEEF} => Key not found. 
"HKU\S-1-5-21-2963937243-2449309144-3420111183-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}" => Key deleted successfully.
HKCR\CLSID\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} => Key not found. 
"HKU\S-1-5-21-2963937243-2449309144-3420111183-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}" => Key deleted successfully.
HKCR\CLSID\{d43b3890-80c7-4010-a95d-1e77b5924dc3} => Key not found. 
"HKU\S-1-5-21-2963937243-2449309144-3420111183-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}" => Key deleted successfully.
"HKCR\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88BD9D50-779D-81FA-84A2-7A685A189B61}" => Key deleted successfully.
HKCR\CLSID\{88BD9D50-779D-81FA-84A2-7A685A189B61} => Key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AE76A68-7400-0D61-AE0A-538B849A7FF9}" => Key deleted successfully.
HKCR\CLSID\{9AE76A68-7400-0D61-AE0A-538B849A7FF9} => Key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{E54729E8-BB3D-4270-9D49-7389EA579090} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{E54729E8-BB3D-4270-9D49-7389EA579090}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{451C804F-C205-4F03-B48E-537EC94937BF}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{451C804F-C205-4F03-B48E-537EC94937BF} => Key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88BD9D50-779D-81FA-84A2-7A685A189B61}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{88BD9D50-779D-81FA-84A2-7A685A189B61} => Key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AE76A68-7400-0D61-AE0A-538B849A7FF9}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{9AE76A68-7400-0D61-AE0A-538B849A7FF9} => Key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value deleted successfully.
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Key not found. 
"HKCR\PROTOCOLS\Handler\WSWSVCUchrome" => Key deleted successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\WSVCU@Wondershare.com => value deleted successfully.
C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com => Moved successfully.
70e6ca8c => Service deleted successfully.
"c:\progra~2\optimi~1" => File/Directory not found.
C:\Users\capital\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\Desktop\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\capital\Desktop\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\capital\HELP_DECRYPT.URL => Moved successfully.
C:\Users\capital\Desktop\HELP_DECRYPT.URL => Moved successfully.
C:\Users\capital\Downloads\video-editor_setup_full846.exe => Moved successfully.
C:\Users\capital\Desktop\Zero Assumption Recovery.lnk => Moved successfully.
C:\Users\capital\AppData\Local\{1DFB93AA-6D51-432C-8BCD-F49590B2C82A} => Moved successfully.
C:\Users\capital\Downloads\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\Downloads\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\capital\Downloads\HELP_DECRYPT.URL => Moved successfully.
C:\Users\capital\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\capital\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\capital\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\AppData\HELP_DECRYPT.HTML => Moved successfully.
C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\capital\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\capital\AppData\HELP_DECRYPT.TXT => Moved successfully.
C:\ProgramData\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\capital\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\capital\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\Users\capital\AppData\HELP_DECRYPT.URL => Moved successfully.
C:\ProgramData\HELP_DECRYPT.URL => Moved successfully.
C:\Users\capital\Downloads\Redirected (2014) [1080p] YIFY - YTS.torrent => Moved successfully.
C:\Users\capital\Downloads\John Doe Vigilante (2014) [720p] YIFY - YTS.torrent => Moved successfully.
C:\Users\capital\Downloads\The.Timber.2015.BRRip.XviD (1).exe => Moved successfully.
C:\Users\capital\Downloads\The.Timber.2015.BRRip.XviD.exe => Moved successfully.
C:\Users\capital\AppData\Roaming\appdataFr2.bin => Moved successfully.
"C:\Users\capital\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\capital\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
"C:\Users\capital\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\capital\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\capital\AppData\Local\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\capital\AppData\Local\HELP_DECRYPT.PNG => Moved successfully.
"C:\Users\capital\AppData\Local\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\capital\AppData\Local\HELP_DECRYPT.URL" => File/Directory not found.
"C:\ProgramData\HELP_DECRYPT.HTML" => File/Directory not found.
C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
"C:\ProgramData\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\ProgramData\HELP_DECRYPT.URL" => File/Directory not found.
 
==== End of Fixlog 13:13:19 ====
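The Fixlog above is regular enough to parse: after the echoed fixlist, every action is one line of the form `<target> => <outcome>`. As an added example, not part of this thread or of FRST itself, the Python script below parses lines in that format, tallies the outcomes, and pulls out the two things worth checking first on a Cryptowall machine: the HELP_DECRYPT ransom-note copies and anything the fixlist touched in the Startup folder. The sample input is constructed from a handful of lines copied from the log above.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the Fixlog above, with the
# echoed-fixlist banner included, so the script runs offline.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
Startup: C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
*****************
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Wondershare Helper Compact.exe => value deleted successfully.
C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\capital\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found. 
70e6ca8c => Service deleted successfully.
C:\Users\capital\Desktop\HELP_DECRYPT.TXT => Moved successfully.
C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
"C:\ProgramData\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\capital\Downloads\The.Timber.2015.BRRip.XviD.exe => Moved successfully.

==== End of Fixlog 13:13:19 ====
"""

# One result line per action: an optionally quoted target, "=>", then the outcome.
RESULT_RE = re.compile(r'^\s*"?(?P<target>.+?)"?\s*=>\s*(?P<result>.+?)\.?\s*$')
# Cryptowall 3.0 drops its ransom note in these four forms in every folder it touches.
RANSOM_NOTE_RE = re.compile(r"HELP_DECRYPT\.(HTML|TXT|URL|PNG)$", re.IGNORECASE)
# Anything in the per-user Startup folder runs at logon, so it is a persistence point.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

def results_section(text):
    """Return the part of the Fixlog after the echoed fixlist (after the last ***** banner)."""
    return re.split(r"^\*{5,}\s*$", text, flags=re.MULTILINE)[-1]

def classify(result):
    """Map FRST's free-text outcomes onto three buckets."""
    r = result.lower()
    if "not found" in r:
        return "not_found"   # item was already gone, or listed twice in the fixlist
    if "successfully" in r:
        return "removed"     # key/value deleted, file moved to quarantine, service deleted
    return "other"

def parse_fixlog(text):
    """Parse every result line into a dict with its outcome and triage flags."""
    entries = []
    for line in results_section(text).splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue         # blank lines and the End-of-Fixlog footer
        target = m.group("target").strip()
        entries.append({
            "target": target,
            "result": m.group("result"),
            "outcome": classify(m.group("result")),
            "ransom_note": bool(RANSOM_NOTE_RE.search(target)),
            "startup_persistence": STARTUP_MARKER in target.lower(),
        })
    return entries

def summarize(entries):
    """Counts per outcome plus the lists a responder wants to eyeball."""
    def targets(pred):
        return sorted(e["target"] for e in entries if pred(e))
    return {
        "outcomes": dict(Counter(e["outcome"] for e in entries)),
        "ransom_notes_removed": targets(lambda e: e["ransom_note"] and e["outcome"] == "removed"),
        "ransom_notes_already_gone": targets(lambda e: e["ransom_note"] and e["outcome"] == "not_found"),
        "startup_entries": targets(lambda e: e["startup_persistence"]),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_fixlog(SAMPLE_FIXLOG)).items():
        print(f"{key}: {value}")
```

Running it against a full Fixlog shows at a glance which ransom-note copies were quarantined and which "not found" lines are just duplicate fixlist entries rather than items the fix missed.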


#10 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts

Posted 15 February 2015 - 02:22 PM

Please do the following:

  • Run the FRST program.
  • Type the following in the edit box after "Search:":

        *decrypt*

  • Click the Search FILES button and post the log it makes to your reply.


Edited by fireman4it, 15 February 2015 - 02:22 PM.


#11 tophat1

  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2015 - 02:39 PM

The file is too big to upload.



#12 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts

Posted 15 February 2015 - 02:46 PM

Split the log up into multiple posts if you have to.


#13 tophat1

  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2015 - 02:48 PM

Sent an email to your Yahoo account.



#14 tophat1

  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2015 - 02:49 PM

Will that work? Or should I split it up?



#15 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts

Posted 15 February 2015 - 02:58 PM

Please split it up here.