remove cryptowall 3.0 help !


  • This topic is locked
2 replies to this topic

#1 rodmanc4s (Members, 3 posts)

Posted 05 March 2015 - 06:07 PM

I am infected with this nasty thing; many files are locked up. I have run ADW Cleaner, but I am not sure if the ransomware is still running. I have hundreds of these HELP_DECRYPT files all over my computer. Here are the FRST logs, per your directions.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2015 01
Ran by RODMAN (administrator) on RODMAN-RODDYNEW on 05-03-2015 17:48:36
Running from C:\Users\RODMAN\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9E5SQFMD
Loaded Profiles: UpdatusUser & RODMAN (Available profiles: UpdatusUser & RODMAN)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\41.0.2272.41\remoting_host.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2svc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\41.0.2272.41\remoting_host.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2comm.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2pre.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2tray.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\Teco.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
(Safer Networking Limited) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
() C:\Program Files\TOSHIBA\FlashCards\Hotkey\TCrdKBB.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_287_ActiveX.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10134560 2010-03-22] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [896032 2010-03-22] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [ThpSrv] => C:\windows\system32\thpsrv /logon
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [505696 2009-11-06] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] => C:\Program Files\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [913720 2010-03-25] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1489760 2010-04-06] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] => C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-19] (TOSHIBA Corporation)
HKLM-x32\...\Run: [KeNotify] => C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2009-12-25] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [HWSetup] => C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [423936 2010-03-04] (TOSHIBA Electronics, Inc.)
HKLM-x32\...\Run: [SVPWUTIL] => C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe [352256 2010-02-22] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [TWebCamera] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [252728 2010-03-17] (TOSHIBA)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [2641272 2012-08-18] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [295512 2013-04-29] (RealNetworks, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$e2893d004e22192be624c40e3e6a1cba\n. ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-2517334315-1348520328-1251245395-1000\...\Run: [] => [X]
HKU\S-1-5-21-2517334315-1348520328-1251245395-1000\...\RunOnce: [SysOff] => C:\Windows\SysWOW64\SYSPREP\ClosespV.exe
HKU\S-1-5-21-2517334315-1348520328-1251245395-1002\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKU\S-1-5-21-2517334315-1348520328-1251245395-1002\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-2517334315-1348520328-1251245395-1002\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-2517334315-1348520328-1251245395-1002\...\RunOnce: [FlashPlayerUpdate] => C:\windows\system32\Macromed\Flash\FlashUtil64_16_0_0_287_ActiveX.exe [651440 2015-01-26] (Adobe Systems Incorporated)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\RODMAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\RODMAN\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\RODMAN\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\RODMAN\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\RODMAN\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\RODMAN\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\RODMAN\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\RODMAN\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\RODMAN\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2517334315-1348520328-1251245395-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
HKU\S-1-5-21-2517334315-1348520328-1251245395-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
HKU\S-1-5-21-2517334315-1348520328-1251245395-1002\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
SearchScopes: HKLM -> {9EBFC08D-4E3A-4762-BAAE-80516539C272} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM-x32 -> {6C822E1E-73F4-437F-8269-A5001877AD30} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2517334315-1348520328-1251245395-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2517334315-1348520328-1251245395-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKU\S-1-5-21-2517334315-1348520328-1251245395-1000 -> {7CC94BCA-8E5E-4FAD-ACE5-798C208642BC} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-2517334315-1348520328-1251245395-1002 -> DefaultScope {9EBFC08D-4E3A-4762-BAAE-80516539C272} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKU\S-1-5-21-2517334315-1348520328-1251245395-1002 -> {9EBFC08D-4E3A-4762-BAAE-80516539C272} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO-x32: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-2517334315-1348520328-1251245395-1002 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-2517334315-1348520328-1251245395-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-2517334315-1348520328-1251245395-1002 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Handler-x32: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - C:\Program Files (x86)\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=16.0.1.18 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.1.18 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn
FF Extension: Norton IPS - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn [2013-01-24]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn_2010_9_0_6
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn_2010_9_0_6 [2015-03-05]
FF HKLM-x32\...\Firefox\Extensions: [{DAC3F861-B30D-40dd-9166-F4E75327FAC7}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-04-29]

Chrome:
=======
CHR HomePage: Default -> https://www.google.com/
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3298580&SearchSource=48&CUI=UN23155782051507179&UM=2"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.115\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.115\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.115\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.170.4) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeploytk.dll No File
CHR Plugin: (Java™ Platform SE 6 U17) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\15.3.0\\npsitesafety.dll No File
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Download Plugin) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (RealNetworks™ RealDownloader Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader PepperFlashVideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealDownloader Plugin) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Profile: C:\Users\RODMAN\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\RODMAN\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-07]
CHR Extension: (MixiDJ V44) - C:\Users\RODMAN\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpfboklmeiefoedekjeigdcnfbpjeaii [2013-09-09]
CHR Extension: (Chrome Remote Desktop) - C:\Users\RODMAN\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp [2014-11-27]
CHR Extension: (RealDownloader) - C:\Users\RODMAN\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-04-29]
CHR Extension: (Skype Click to Call) - C:\Users\RODMAN\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-07-05]
CHR Extension: (Google Wallet) - C:\Users\RODMAN\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-06-30]
CHR HKU\S-1-5-21-2517334315-1348520328-1251245395-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bpfboklmeiefoedekjeigdcnfbpjeaii] - C:\Users\RODMAN\AppData\Local\CRE\bpfboklmeiefoedekjeigdcnfbpjeaii.crx [2013-09-08]
CHR HKLM-x32\...\Chrome\Extension: [bpfboklmeiefoedekjeigdcnfbpjeaii] - C:\Users\RODMAN\AppData\Local\CRE\bpfboklmeiefoedekjeigdcnfbpjeaii.crx [2013-09-08]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-03-06]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\41.0.2272.41\remoting_host.exe [56648 2015-02-01] (Google Inc.)
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe [126400 2011-08-03] (Symantec Corporation)
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2012-08-18] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2011-08-19] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-08-19] (Intuit Inc.) [File not signed]
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-03-06] ()
S2 RealtekCU; C:\Program Files (x86)\Realtek\USB Wireless LAN Utility\RtlService.exe [36864 2012-05-10] (Realtek Semiconductor Corp.) [File not signed]
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 athrusb; C:\Windows\System32\DRIVERS\athrxusb.sys [1075712 2008-07-29] (Atheros Communications, Inc.)
R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20150224.001\BHDrvx64.sys [1622744 2015-02-24] (Symantec Corporation)
R1 ccHP; C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [593544 2011-08-03] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2015-03-05] (Symantec Corporation)
U3 EraserUtilDrv11411; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11411.sys [142640 2015-03-05] (Symantec Corporation)
R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20150304.001\IDSvia64.sys [669400 2015-03-04] (Symantec Corporation)
R2 monblanking; C:\Windows\System32\DRIVERS\monblanking.sys [34960 2014-09-04] (Citrix Systems, Inc.)
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20150304.037\ENG64.SYS [129752 2015-03-05] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20150304.037\EX64.SYS [2137304 2015-03-05] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\NISx64\1109000.00C\SRTSP64.SYS [505392 2010-04-21] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1109000.00C\SRTSPX64.SYS [32304 2010-04-21] (Symantec Corporation)
S3 SVK9PL; C:\Windows\System32\DRIVERS\SVK9PL64.sys [158720 2012-12-17] (Gigaware)
R0 SymDS; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMDS64.SYS [433200 2009-10-14] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [221304 2011-08-21] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [173104 2013-01-24] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [150064 2010-04-29] (Symantec Corporation)
R1 SYMTDIv; C:\Windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [451704 2011-08-21] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-05 17:23 - 2015-03-05 17:48 - 00000000 ____D () C:\FRST
2015-03-05 11:48 - 2015-03-05 11:48 - 00003224 _____ () C:\windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2517334315-1348520328-1251245395-1002
2015-03-05 11:25 - 2015-03-05 11:44 - 00000000 ____D () C:\AdwCleaner
2015-03-04 13:22 - 2015-03-04 13:22 - 00008630 _____ () C:\Users\RODMAN\Downloads\HELP_DECRYPT.HTML
2015-03-04 13:22 - 2015-03-04 13:22 - 00004258 _____ () C:\Users\RODMAN\Downloads\HELP_DECRYPT.TXT
2015-03-04 13:22 - 2015-03-04 13:22 - 00000292 _____ () C:\Users\RODMAN\Downloads\HELP_DECRYPT.URL
2015-03-04 13:20 - 2015-03-05 11:58 - 00008630 _____ () C:\Users\RODMAN\Documents\HELP_DECRYPT.HTML
2015-03-04 13:20 - 2015-03-05 11:58 - 00004258 _____ () C:\Users\RODMAN\Documents\HELP_DECRYPT.TXT
2015-03-04 13:20 - 2015-03-05 11:58 - 00000292 _____ () C:\Users\RODMAN\Documents\HELP_DECRYPT.URL
2015-03-04 08:32 - 2015-03-04 08:32 - 00008630 _____ () C:\Users\RODMAN\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-04 08:32 - 2015-03-04 08:32 - 00008630 _____ () C:\Users\RODMAN\AppData\HELP_DECRYPT.HTML
2015-03-04 08:32 - 2015-03-04 08:32 - 00004258 _____ () C:\Users\RODMAN\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-04 08:32 - 2015-03-04 08:32 - 00004258 _____ () C:\Users\RODMAN\AppData\HELP_DECRYPT.TXT
2015-03-04 08:32 - 2015-03-04 08:32 - 00000292 _____ () C:\Users\RODMAN\AppData\Roaming\HELP_DECRYPT.URL
2015-03-04 08:32 - 2015-03-04 08:32 - 00000292 _____ () C:\Users\RODMAN\AppData\HELP_DECRYPT.URL
2015-03-04 08:28 - 2015-03-04 08:28 - 00008630 _____ () C:\Users\RODMAN\AppData\Local\HELP_DECRYPT.HTML
2015-03-04 08:28 - 2015-03-04 08:28 - 00004258 _____ () C:\Users\RODMAN\AppData\Local\HELP_DECRYPT.TXT
2015-03-04 08:28 - 2015-03-04 08:28 - 00000292 _____ () C:\Users\RODMAN\AppData\Local\HELP_DECRYPT.URL
2015-03-04 08:26 - 2015-03-04 08:26 - 00008630 _____ () C:\Users\Public\HELP_DECRYPT.HTML
2015-03-04 08:26 - 2015-03-04 08:26 - 00008630 _____ () C:\Users\Public\Documents\HELP_DECRYPT.HTML
2015-03-04 08:26 - 2015-03-04 08:26 - 00004258 _____ () C:\Users\Public\HELP_DECRYPT.TXT
2015-03-04 08:26 - 2015-03-04 08:26 - 00004258 _____ () C:\Users\Public\Documents\HELP_DECRYPT.TXT
2015-03-04 08:26 - 2015-03-04 08:26 - 00000292 _____ () C:\Users\Public\HELP_DECRYPT.URL
2015-03-04 08:26 - 2015-03-04 08:26 - 00000292 _____ () C:\Users\Public\Documents\HELP_DECRYPT.URL
2015-03-04 08:21 - 2015-03-05 10:19 - 01982752 _____ () C:\Users\RODMAN\Documents\list-TN240.mdb
2015-03-04 07:45 - 2015-03-05 11:48 - 00003356 _____ () C:\windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2517334315-1348520328-1251245395-1002
2015-03-01 10:49 - 2015-03-03 07:53 - 01982752 _____ () C:\Users\RODMAN\Documents\list-TN239.mdb
2015-02-27 15:45 - 2015-02-27 15:45 - 01216320 _____ () C:\Users\RODMAN\Downloads\0315xls2.xlsx
2015-02-27 15:44 - 2015-02-27 15:44 - 01642192 _____ () C:\Users\RODMAN\Downloads\0315 (1).csv
2015-02-26 15:31 - 2015-02-27 19:04 - 01974560 _____ () C:\Users\RODMAN\Documents\list-TN238.mdb
2015-02-25 21:26 - 2015-02-25 21:26 - 00008630 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-02-25 21:26 - 2015-02-25 21:26 - 00004258 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-02-25 21:26 - 2015-02-25 21:26 - 00000292 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-02-25 20:38 - 2015-02-25 20:38 - 00000000 ___HD () C:\9f40d3d
2015-02-24 18:56 - 2015-02-26 15:39 - 01974560 _____ () C:\Users\RODMAN\Documents\list-TN237.mdb
2015-02-24 08:11 - 2015-02-25 11:09 - 01974560 _____ () C:\Users\RODMAN\Documents\list-TN236.mdb
2015-02-23 20:40 - 2015-02-23 20:40 - 00026912 _____ () C:\Users\RODMAN\Downloads\Auction 1530.xls
2015-02-22 15:03 - 2015-02-24 08:15 - 01974560 _____ () C:\Users\RODMAN\Documents\list-TN235.mdb
2015-02-20 10:38 - 2015-03-05 10:19 - 168980768 _____ () C:\Users\RODMAN\Documents\dade-walker-mar2015.accdb
2015-02-20 10:37 - 2015-02-20 10:37 - 01216304 _____ () C:\Users\RODMAN\Downloads\0315xls.xlsx
2015-02-20 10:36 - 2015-02-20 10:36 - 01642192 _____ () C:\Users\RODMAN\Downloads\0315.csv
2015-02-18 18:41 - 2015-02-20 10:37 - 01958176 _____ () C:\Users\RODMAN\Documents\list-TN234.mdb
2015-02-17 11:46 - 2015-02-17 11:47 - 00290984 _____ () C:\windows\Minidump\021715-49889-01.dmp
2015-02-17 11:46 - 2015-02-17 11:46 - 544518441 _____ () C:\windows\MEMORY.DMP
2015-02-17 08:04 - 2015-02-17 08:04 - 01958176 _____ () C:\Users\RODMAN\Documents\list-TN233.mdb
2015-02-17 08:04 - 2015-02-17 08:04 - 00000064 _____ () C:\Users\RODMAN\Documents\list-TN233.ldb
2015-02-15 16:02 - 2015-02-15 16:03 - 01958176 _____ () C:\Users\RODMAN\Documents\list-TN232.mdb
2015-02-15 16:02 - 2015-02-15 16:02 - 00000064 _____ () C:\Users\RODMAN\Documents\list-TN232.ldb
2015-02-10 20:44 - 2015-02-11 19:53 - 01945888 _____ () C:\Users\RODMAN\Documents\list-TN231.mdb
2015-02-10 20:44 - 2015-02-10 20:44 - 00000064 _____ () C:\Users\RODMAN\Documents\list-TN231.ldb
2015-02-08 15:52 - 2015-02-10 20:55 - 01945888 _____ () C:\Users\RODMAN\Documents\list-TN230.mdb
2015-02-05 18:47 - 2015-02-08 15:58 - 01937696 _____ () C:\Users\RODMAN\Documents\list-TN229.mdb
2015-02-04 08:30 - 2015-02-08 15:58 - 01933600 _____ () C:\Users\RODMAN\Documents\list-TN228.mdb

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-05 17:48 - 2012-06-05 09:26 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-05 17:41 - 2012-12-17 17:18 - 00000000 ____D () C:\RODDY
2015-03-05 17:41 - 2012-06-23 12:00 - 00000000 ____D () C:\Users\RODMAN\Documents\Outlook Files
2015-03-05 17:26 - 2009-07-13 23:45 - 00016304 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-05 17:26 - 2009-07-13 23:45 - 00016304 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-05 16:46 - 2013-02-08 08:25 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\CrashDumps
2015-03-05 12:13 - 2014-10-24 07:34 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\B17046D4-D90A-4275-A5C2-585C19E00FA9.aplzod
2015-03-05 12:06 - 2012-06-03 13:55 - 00000000 ____D () C:\Users\RODMAN
2015-03-05 12:05 - 2013-01-12 11:11 - 00000000 ___RD () C:\Users\RODMAN\Dropbox
2015-03-05 11:50 - 2013-01-12 11:02 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Dropbox
2015-03-05 11:48 - 2012-06-05 09:26 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-05 11:47 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-03-05 11:46 - 2014-10-02 09:19 - 00002856 _____ () C:\windows\setupact.log
2015-03-05 11:46 - 2010-05-28 20:53 - 00065004 _____ () C:\windows\PFRO.log
2015-03-04 13:20 - 2013-01-23 17:31 - 00000000 ____D () C:\Users\RODMAN\Documents\Street Smart Forms
2015-03-04 13:18 - 2013-09-11 11:09 - 00000000 ___SD () C:\Users\RODMAN\Documents\My Data Sources
2015-03-04 13:13 - 2013-06-05 21:06 - 00000000 ____D () C:\Users\RODMAN\Documents\Fugawi
2015-03-04 12:58 - 2013-06-02 10:05 - 00000000 ____D () C:\Users\RODMAN\Desktop\Street2013
2015-03-04 12:55 - 2013-06-27 12:49 - 00000000 ____D () C:\Users\RODMAN\Desktop\IAIN
2015-03-04 10:21 - 2009-07-14 00:13 - 00778834 _____ () C:\windows\system32\PerfStringBackup.INI
2015-03-04 08:32 - 2013-06-06 19:13 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Skype
2015-03-04 08:32 - 2013-04-29 07:03 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\RealNetworks
2015-03-04 08:32 - 2013-04-29 07:01 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Real
2015-03-04 08:32 - 2013-01-09 20:47 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Opera
2015-03-04 08:32 - 2012-06-03 15:04 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Toshiba
2015-03-04 08:31 - 2013-06-05 21:04 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Fugawi
2015-03-04 08:31 - 2013-04-21 09:33 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Apple Computer
2015-03-04 08:29 - 2012-06-03 14:56 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Adobe
2015-03-04 08:28 - 2014-04-11 10:41 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\Skype
2015-03-04 08:28 - 2013-06-13 16:59 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\WinZip Courier
2015-03-04 08:28 - 2013-02-08 20:03 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\PokerStars.NET
2015-03-04 08:28 - 2013-01-09 20:47 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\Opera
2015-03-04 08:27 - 2013-07-12 12:09 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\HP
2015-03-04 08:27 - 2013-04-21 09:33 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\Apple Computer
2015-03-04 08:27 - 2012-07-19 20:52 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\Microsoft Games
2015-03-04 08:27 - 2012-06-23 12:00 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\Lookeen
2015-03-04 08:27 - 2012-06-03 14:56 - 00000000 ____D () C:\Users\RODMAN\AppData\Local\Google
2015-03-04 08:26 - 2013-01-11 08:30 - 00000000 ____D () C:\Users\Public\Documents\Intuit
2015-03-04 07:59 - 2013-04-29 07:01 - 00002194 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-26 18:42 - 2014-12-02 15:22 - 00003378 _____ () C:\windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2517334315-1348520328-1251245395-1002
2015-02-26 18:42 - 2014-12-02 15:22 - 00003246 _____ () C:\windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-2517334315-1348520328-1251245395-1002
2015-02-25 21:53 - 2015-01-09 12:59 - 00000000 ____D () C:\pstfiles
2015-02-25 21:32 - 2013-02-08 20:03 - 00000000 ____D () C:\Program Files (x86)\PokerStars.NET
2015-02-25 21:26 - 2013-04-29 07:02 - 00000000 ____D () C:\ProgramData\RealNetworks
2015-02-25 21:26 - 2013-04-29 06:50 - 00000000 ____D () C:\ProgramData\Real
2015-02-25 21:26 - 2013-01-23 10:31 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-25 21:26 - 2012-06-03 14:30 - 00000000 __HDC () C:\ProgramData\{249B9E04-F0FC-434D-B0D8-12D3EDFF3B77}
2015-02-25 21:26 - 2010-05-28 20:38 - 00000000 ____D () C:\ProgramData\Toshiba
2015-02-25 21:25 - 2012-06-03 14:27 - 00000000 ____D () C:\ProgramData\Norton
2015-02-25 21:22 - 2013-07-12 12:13 - 00000000 ____D () C:\ProgramData\HP
2015-02-25 21:22 - 2013-06-05 21:03 - 00000000 ____D () C:\ProgramData\Fugawi
2015-02-25 21:22 - 2013-01-11 08:30 - 00000000 ____D () C:\ProgramData\Intuit
2015-02-25 21:21 - 2014-11-13 09:04 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2015-02-25 21:21 - 2014-02-17 20:45 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2015-02-25 21:21 - 2012-12-17 16:36 - 00000000 ____D () C:\OLD-COMP
2015-02-25 20:42 - 2013-03-23 10:23 - 00000000 ____D () C:\CruiseEmail
2015-02-25 20:39 - 2012-06-03 13:53 - 01181332 _____ () C:\windows\WindowsUpdate.log
2015-02-20 10:38 - 2015-01-20 19:19 - 165355808 _____ () C:\Users\RODMAN\Documents\dade-walker-feb20151.accdb
2015-02-18 18:58 - 2013-01-12 11:11 - 00001039 _____ () C:\Users\RODMAN\Desktop\Dropbox.lnk
2015-02-18 18:58 - 2013-01-12 11:07 - 00000000 ____D () C:\Users\RODMAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-02-17 11:46 - 2012-06-28 00:43 - 00000000 ____D () C:\windows\Minidump
2015-02-14 19:11 - 2013-06-06 19:13 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-02-14 19:11 - 2013-06-06 19:13 - 00000000 ____D () C:\ProgramData\Skype
2015-02-12 20:31 - 2010-05-28 20:42 - 00000000 ____D () C:\Program Files (x86)\Google
2015-02-05 18:43 - 2012-06-05 09:26 - 00003894 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-05 18:43 - 2012-06-05 09:26 - 00003642 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-03 07:57 - 2015-02-01 16:20 - 01933600 _____ () C:\Users\RODMAN\Documents\list-TN227.mdb

==================== Files in the root of some directories =======

2015-03-04 08:32 - 2015-03-04 08:32 - 0008630 _____ () C:\Users\RODMAN\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-04 08:32 - 2015-03-04 08:32 - 0045781 _____ () C:\Users\RODMAN\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-04 08:32 - 2015-03-04 08:32 - 0004258 _____ () C:\Users\RODMAN\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-04 08:32 - 2015-03-04 08:32 - 0000292 _____ () C:\Users\RODMAN\AppData\Roaming\HELP_DECRYPT.URL
2012-12-18 09:16 - 2013-05-01 21:49 - 0000756 _____ () C:\Users\RODMAN\AppData\Roaming\wklnhst.dat
2013-06-05 21:04 - 2013-06-05 21:25 - 0000017 ____H () C:\Users\RODMAN\AppData\Local\19720201.dat
2015-03-04 08:28 - 2015-03-04 08:28 - 0008630 _____ () C:\Users\RODMAN\AppData\Local\HELP_DECRYPT.HTML
2015-03-04 08:28 - 2015-03-04 08:28 - 0045781 _____ () C:\Users\RODMAN\AppData\Local\HELP_DECRYPT.PNG
2015-03-04 08:28 - 2015-03-04 08:28 - 0004258 _____ () C:\Users\RODMAN\AppData\Local\HELP_DECRYPT.TXT
2015-03-04 08:28 - 2015-03-04 08:28 - 0000292 _____ () C:\Users\RODMAN\AppData\Local\HELP_DECRYPT.URL
2013-01-24 10:33 - 2013-01-24 10:33 - 0007605 _____ () C:\Users\RODMAN\AppData\Local\Resmon.ResmonCfg
2013-07-12 12:11 - 2013-07-12 12:11 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-02-25 21:26 - 2015-02-25 21:26 - 0008630 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-02-25 21:26 - 2015-02-25 21:26 - 0045783 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-02-25 21:26 - 2015-02-25 21:26 - 0004258 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-02-25 21:26 - 2015-02-25 21:26 - 0000292 _____ () C:\ProgramData\HELP_DECRYPT.URL

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2517334315-1348520328-1251245395-1002\$e2893d004e22192be624c40e3e6a1cba

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$e2893d004e22192be624c40e3e6a1cba

Some content of TEMP:
====================
C:\Users\RODMAN\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpul_unr.dll
C:\Users\RODMAN\AppData\Local\Temp\ose00001.exe
C:\Users\RODMAN\AppData\Local\Temp\Quarantine.exe
C:\Users\RODMAN\AppData\Local\Temp\SkypeSetup.exe
C:\Users\RODMAN\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-03-05 00:54

==================== End Of Log ============================


#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,699 posts
  • Gender:Male

Posted 11 March 2015 - 08:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/569209 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,699 posts
  • Gender:Male

Posted 16 March 2015 - 08:50 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!
