
CryptoWall 3.0 Assistance


  • This topic is locked
8 replies to this topic

#1 davmac

davmac

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:57 AM

Posted 20 March 2015 - 10:20 PM

Thanks in advance!!

I switched to using an iMac a year ago and haven't used this Windows PC in a long time; as you can see, it is running XP. I very rarely got on the web since switching to Mac, and occasionally turned it on to get some files or pictures off of it. When I turned it on the other day it seemed like it took way longer than normal; afterward this CryptoWall 3.0 infection popped up on the screen.

Assistance needed to restore, if that is even possible.

I have found out that system restore was disabled before the infection. I do have the biggest majority of the files saved to an external hard drive, and I am glad that it was not hooked up to the PC when this infection popped up.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by David McLain (administrator) on MCLAIN1 on 20-03-2015 22:54:19
Running from C:\Documents and Settings\David McLain\Desktop
Loaded Profiles: David McLain (Available profiles: David McLain & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
(Seagate LLC) C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
(Seagate Technology LLC) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(HP) C:\WINDOWS\system32\HPZipm12.exe
(US Tech Support LLC) C:\Program Files\USTechSupport\SchedulerService\SchedulerService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Creative Technology Ltd.) C:\WINDOWS\system32\devldr32.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Roxio) C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
(Runtime Software) C:\Program Files\Runtime Software\DriveImage XML\dixml.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [MaxMenuMgr] => c:\program files\seagate\seagatemanager\freeagent status\stxmenumgr.exe [185640 2009-09-25] (Seagate LLC)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [SpyHunter Security Suite] => C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [7125376 2015-03-20] (Enigma Software Group USA, LLC.)
HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-13] (Microsoft Corporation)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"pe5\..\mshtml,RunHTMLApplication ";eval(")odv!@buhwdYNckdbu)#VRbshqu/Ridmm# (the data entry has 361 more characters). <==== ATTENTION!
HKLM\...99B7938DA9E4}\LocalServer32: [a] rundll32.exe javascript:"pe5\..\mshtml,RunHTMLApplication ";eval(")odv!@buhwdYNckdbu)#VRbshqu/Ridmm# (the data entry has 27827 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-73586283-484763869-1060284298-1004\...\Run: [qupdate] => D:/Advice/update4.exe
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [434080 2011-07-27] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [WinCalendarV3] => "D:\WinCalendarV3\WinCalendarV3_SysTray.exe" /q /c
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-73586283-484763869-1060284298-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-73586283-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKU\S-1-5-21-73586283-484763869-1060284298-1004 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll [2008-04-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-05-26]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 FreeAgentGoNext Service; C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe [189736 2009-09-25] (Seagate Technology LLC)
S3 ImapiService; C:\WINDOWS\system32\ImapiRox.exe [192512 2001-08-10] (Roxio Inc.) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [73728 2007-08-09] (HP) [File not signed]
R2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [771456 2015-03-20] (Enigma Software Group USA, LLC.)
R2 USTSScheduler; C:\Program Files\USTechSupport\SchedulerService\SchedulerService.exe [737600 2013-01-17] (US Tech Support LLC)
S2 USTSPCODiskOptimizer; C:\Program Files\USTechSupport\PC Optimizer\USTSPCODefragSrv.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [55216 2009-10-24] (Roxio) [File not signed]
R1 Cdralw2k; C:\WINDOWS\system32\Drivers\Cdralw2k.sys [22713 2009-10-24] (Roxio) [File not signed]
R1 cdudf_xp; C:\WINDOWS\system32\Drivers\cdudf_xp.sys [233344 2001-09-04] (Roxio) [File not signed]
R3 ctljystk; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [3712 2001-08-17] (Creative Technology Ltd.)
S3 dvd_2K; C:\WINDOWS\system32\Drivers\dvd_2K.sys [17990 2001-09-04] (Roxio) [File not signed]
R3 emu10k; C:\WINDOWS\System32\drivers\emu10k1m.sys [283904 2001-08-17] (Creative Technology Ltd.)
R3 emu10k1; C:\WINDOWS\System32\drivers\ctlfacem.sys [6912 2001-08-17] (Creative Technology Ltd.)
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [13192 2011-07-29] () [File not signed]
S3 EsgScanner; C:\WINDOWS\System32\DRIVERS\EsgScanner.sys [19984 2015-03-20] ()
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [8456 2011-07-29] () [File not signed]
R3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
R3 HCF_MSFT; C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys [907456 2001-08-17] (Conexant)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49664 2005-10-27] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2005-10-27] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2005-10-27] (HP)
R1 Imapi; C:\WINDOWS\System32\drivers\ImapiRox.sys [25472 2001-08-20] (Roxio Inc.) [File not signed]
R3 mmc_2K; C:\WINDOWS\system32\Drivers\mmc_2K.sys [19702 2001-09-04] (Roxio) [File not signed]
S3 nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [731648 2001-08-17] (NVIDIA Corporation)
R1 pwd_2K; C:\WINDOWS\system32\Drivers\pwd_2K.sys [78454 2001-09-04] (Roxio) [File not signed]
R3 RTL8023xp; C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys [104704 2008-05-05] (Dynex                                                       )
R3 sfman; C:\WINDOWS\System32\drivers\sfmanm.sys [36480 2001-08-17] (Creative Technology Ltd.)
R1 UdfReadr_xp; C:\WINDOWS\system32\Drivers\UdfReadr_xp.sys [205824 2001-09-10] (Roxio)
S3 USBAAPL; C:\WINDOWS\System32\Drivers\usbaapl.sys [44544 2012-09-28] (Apple, Inc.) [File not signed]
S3 USB_RNDIS; C:\WINDOWS\System32\DRIVERS\usb8023.sys [12928 2013-02-11] (Microsoft Corporation)
S4 hpt3xx; No ImagePath
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; No ImagePath
S3 MRENDIS5; No ImagePath
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-20 22:54 - 2015-03-20 22:55 - 00010141 _____ () C:\Documents and Settings\David McLain\Desktop\FRST.txt
2015-03-20 22:53 - 2015-03-20 22:54 - 01135104 _____ (Farbar) C:\Documents and Settings\David McLain\Desktop\FRST.exe
2015-03-20 22:29 - 2015-03-20 22:29 - 00000772 _____ () C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
2015-03-20 22:29 - 2015-03-20 22:29 - 00000000 ____D () C:\Program Files\Runtime Software
2015-03-20 22:27 - 2015-03-20 22:28 - 02026456 _____ () C:\Documents and Settings\David McLain\Desktop\dixmlsetup.exe
2015-03-20 21:51 - 2015-03-20 21:51 - 00219635 _____ () C:\Documents and Settings\David McLain\Desktop\ESET Scan.txt
2015-03-20 18:01 - 2015-03-20 21:41 - 00000935 _____ () C:\Documents and Settings\David McLain\Desktop\SpyHunter.lnk
2015-03-20 18:01 - 2015-03-20 21:41 - 00000000 ____D () C:\Documents and Settings\David McLain\Start Menu\Programs\SpyHunter
2015-03-20 18:01 - 2015-03-20 18:01 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\Enigma Software Group
2015-03-20 18:00 - 2015-03-20 18:00 - 00000000 ____D () C:\sh4ldr
2015-03-20 17:59 - 2015-03-20 17:59 - 00019984 _____ () C:\WINDOWS\system32\Drivers\EsgScanner.sys
2015-03-20 17:59 - 2015-03-20 17:59 - 00000000 ____D () C:\Program Files\Enigma Software Group
2015-03-20 03:04 - 2015-03-20 03:04 - 00017122 _____ () C:\Documents and Settings\David McLain\Desktop\Addition.txt
2015-03-19 17:02 - 2015-03-19 17:02 - 00000843 _____ () C:\Documents and Settings\David McLain\Desktop\fixlist,txt.txt
2015-03-19 16:59 - 2015-03-20 22:54 - 00000000 ____D () C:\FRST
2015-03-19 16:52 - 2015-03-19 16:52 - 04492916 _____ () C:\Documents and Settings\David McLain\Desktop\ListCWall1.txt
2015-03-19 16:51 - 2015-03-19 16:51 - 01541133 _____ () C:\Documents and Settings\David McLain\Desktop\Infected with CryptoWall 3_0 - Virus, Trojan, Spyware, and Malware Removal Logs.mht
2015-03-19 15:48 - 2015-03-19 15:48 - 00452424 _____ (Bleeping Computer, LLC) C:\Documents and Settings\David McLain\My Documents\ListCWall.exe
2015-03-19 15:36 - 2015-03-19 16:48 - 04492916 _____ () C:\Documents and Settings\David McLain\Desktop\ListCWall.txt
2015-03-18 15:55 - 2015-03-18 15:55 - 00008604 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.HTML
2015-03-18 15:55 - 2015-03-18 15:55 - 00008604 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.HTML
2015-03-18 15:55 - 2015-03-18 15:55 - 00008604 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-03-18 15:55 - 2015-03-18 15:55 - 00008604 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.HTML
2015-03-18 15:55 - 2015-03-18 15:55 - 00004242 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.TXT
2015-03-18 15:55 - 2015-03-18 15:55 - 00004242 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.TXT
2015-03-18 15:55 - 2015-03-18 15:55 - 00004242 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-03-18 15:55 - 2015-03-18 15:55 - 00004242 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT
2015-03-18 15:55 - 2015-03-18 15:55 - 00000288 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.URL
2015-03-18 15:55 - 2015-03-18 15:55 - 00000288 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL
2015-03-18 15:55 - 2015-03-18 15:55 - 00000288 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL
2015-03-18 15:55 - 2015-03-18 15:55 - 00000288 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
2015-03-18 15:55 - 2015-03-18 15:55 - 00000288 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
2015-03-18 15:54 - 2015-03-18 15:54 - 00008604 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
2015-03-18 15:54 - 2015-03-18 15:54 - 00008604 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
2015-03-18 15:54 - 2015-03-18 15:54 - 00008604 _____ () C:\Documents and Settings\David McLain\HELP_DECRYPT.HTML
2015-03-18 15:54 - 2015-03-18 15:54 - 00004242 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
2015-03-18 15:54 - 2015-03-18 15:54 - 00004242 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
2015-03-18 15:54 - 2015-03-18 15:54 - 00004242 _____ () C:\Documents and Settings\David McLain\HELP_DECRYPT.TXT
2015-03-18 15:54 - 2015-03-18 15:54 - 00000288 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
2015-03-18 15:54 - 2015-03-18 15:54 - 00000288 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
2015-03-18 15:54 - 2015-03-18 15:54 - 00000288 _____ () C:\Documents and Settings\David McLain\HELP_DECRYPT.URL
2015-03-18 14:15 - 2015-03-18 14:15 - 00008604 _____ () C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.HTML
2015-03-18 14:15 - 2015-03-18 14:15 - 00008604 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-03-18 14:15 - 2015-03-18 14:15 - 00004242 _____ () C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.TXT
2015-03-18 14:15 - 2015-03-18 14:15 - 00004242 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-03-18 14:15 - 2015-03-18 14:15 - 00000288 _____ () C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.URL
2015-03-18 14:15 - 2015-03-18 14:15 - 00000288 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.URL
2015-03-15 16:00 - 2015-03-15 16:00 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2015-03-15 16:00 - 2015-03-15 16:00 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$
2015-03-15 15:47 - 2015-03-15 15:47 - 00008604 _____ () C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.HTML
2015-03-15 15:47 - 2015-03-15 15:47 - 00004242 _____ () C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.TXT
2015-03-15 15:47 - 2015-03-15 15:47 - 00000288 _____ () C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.URL
2015-03-15 15:26 - 2015-03-15 15:26 - 00000288 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2015-03-15 15:26 - 2015-03-15 15:26 - 00000288 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
2015-03-15 15:19 - 2015-03-15 15:19 - 00000288 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
2015-03-15 15:18 - 2015-03-15 15:18 - 00000288 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
2015-03-09 11:46 - 2015-03-15 20:22 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{6E6594D0-DB4A-4815-9727-D673AB693C96}

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-20 22:55 - 2012-01-30 01:20 - 00000000 ____D () C:\Documents and Settings\David McLain\Local Settings\temp
2015-03-20 22:41 - 2009-10-24 07:25 - 00000000 ____D () C:\WINDOWS\repair
2015-03-20 22:38 - 2012-01-30 07:31 - 00000012 ____C () C:\Documents and Settings\All Users\Application Data\DirectCDUserName.txt
2015-03-20 22:34 - 2013-08-16 14:36 - 00075273 _____ () C:\WINDOWS\setupapi.log
2015-03-20 22:33 - 2009-10-24 12:39 - 00000000 ____D () C:\WINDOWS\Registration
2015-03-20 22:29 - 2009-10-24 12:37 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2015-03-20 22:05 - 2009-10-24 07:28 - 00000327 ___SH () C:\boot.ini
2015-03-20 22:05 - 2001-08-23 08:00 - 00000875 _____ () C:\WINDOWS\win.ini
2015-03-20 22:05 - 2001-08-23 08:00 - 00000227 _____ () C:\WINDOWS\system.ini
2015-03-20 21:55 - 2012-01-26 14:50 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-03-20 21:55 - 2009-10-24 07:32 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-03-20 21:54 - 2014-10-31 17:50 - 00012984 _____ () C:\WINDOWS\system32\wpa.dbl
2015-03-20 21:54 - 2014-03-14 14:18 - 00000236 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-03-20 21:54 - 2009-10-24 12:51 - 00032450 _____ () C:\WINDOWS\SchedLgU.Txt
2015-03-20 21:54 - 2009-10-24 12:42 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-03-20 21:54 - 2009-10-24 12:07 - 01494198 _____ () C:\WINDOWS\WindowsUpdate.log
2015-03-20 21:53 - 2009-10-24 12:57 - 00000178 ___SH () C:\Documents and Settings\David McLain\ntuser.ini
2015-03-20 17:48 - 2009-10-24 12:51 - 00069232 ____C () C:\Documents and Settings\David McLain\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-03-20 16:49 - 2009-10-24 20:00 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\Apple Computer
2015-03-19 18:05 - 2012-12-02 16:23 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2015-03-19 18:05 - 2010-10-23 16:21 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-03-19 18:05 - 2009-10-24 19:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Apple Computer
2015-03-19 18:04 - 2010-10-23 18:25 - 00000000 ____D () C:\Dell
2015-03-19 17:06 - 2014-10-31 18:03 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-03-19 15:28 - 2009-10-24 07:29 - 00267800 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-03-19 15:16 - 2011-07-26 07:19 - 00000000 ____D () C:\Documents and Settings\David McLain\Desktop\KERRY'S RESUMES
2015-03-19 15:06 - 2011-12-15 19:51 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\New Folder
2015-03-19 15:06 - 2010-02-20 14:53 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\2010 TAXES
2015-03-19 14:25 - 2013-03-12 11:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\H&R Block 2012
2015-03-19 14:21 - 2014-11-25 21:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2015-03-19 14:21 - 2012-03-24 10:43 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-03-18 15:55 - 2012-08-21 18:18 - 00000000 __SHD () C:\found.001
2015-03-18 15:55 - 2011-11-07 10:43 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
2015-03-18 15:55 - 2009-10-24 12:51 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2015-03-18 15:55 - 2009-10-24 12:51 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-03-18 15:54 - 2011-07-26 07:22 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Woodworking Plans
2015-03-18 15:54 - 2009-10-24 12:57 - 00000000 ____D () C:\Documents and Settings\David McLain
2015-03-18 15:53 - 2013-06-14 11:11 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\WalMart 401K Statements
2015-03-18 15:53 - 2012-06-01 01:55 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Wal Mart Stock Purchase Statements
2015-03-18 15:53 - 2009-10-29 11:14 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\WAL MART
2015-03-18 15:52 - 2011-12-29 10:23 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\USAA Policies
2015-03-18 15:51 - 2011-01-13 15:09 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Stuff for Sale on Ebay
2015-03-18 15:48 - 2012-07-13 10:20 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\PFCU VISA Statements 2012
2015-03-18 15:48 - 2011-07-17 11:44 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\PFCU VISA Statements
2015-03-18 15:48 - 2011-07-17 11:37 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\PFCU Monthly Statements
2015-03-18 15:23 - 2009-12-07 16:37 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\My Scans
2015-03-18 15:05 - 2009-12-07 21:25 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Keeghans School Work
2015-03-18 15:02 - 2009-11-24 08:32 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Keeghans 4 H project
2015-03-18 14:59 - 2012-10-29 20:37 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Gun Stuff
2015-03-18 14:59 - 2010-10-23 11:31 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\girl scouts
2015-03-18 14:59 - 2010-07-18 08:03 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Hunting And Fishing Lic
2015-03-18 14:59 - 2010-01-28 21:13 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\HRBlock
2015-03-18 14:57 - 2014-02-09 17:48 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Credit Reports
2015-03-18 14:57 - 2012-07-13 11:11 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\DAvid Resumes
2015-03-18 14:57 - 2011-07-21 12:11 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\Boat For Sale
2015-03-18 14:55 - 2011-01-07 10:46 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\BAR PLANS
2015-03-18 14:17 - 2011-06-05 11:29 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\4H Project
2015-03-18 14:17 - 2011-04-13 19:56 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\album covers
2015-03-18 14:16 - 2013-07-27 09:31 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\1ST Command 2013 Statements
2015-03-18 14:16 - 2012-12-12 12:44 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\2012 TAXES
2015-03-18 14:16 - 2011-03-28 04:49 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\2011 TAXES
2015-03-18 14:16 - 2009-12-22 16:37 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\2009 TAXES
2015-03-18 14:15 - 2012-06-01 02:12 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\1ST Command 2012 Statements
2015-03-18 14:15 - 2011-02-22 11:35 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\1ST Command 2010 Statements
2015-03-18 14:15 - 2011-02-22 11:31 - 00000000 ____D () C:\Documents and Settings\David McLain\My Documents\1ST Command 2011 Statements
2015-03-18 14:15 - 2009-10-24 19:53 - 00000000 ____D () C:\Documents and Settings\David McLain\Local Settings\Application Data\Apple Computer
2015-03-18 14:15 - 2009-10-24 18:18 - 00000000 ____D () C:\Documents and Settings\David McLain\Local Settings\Application Data\Adobe
2015-03-18 14:14 - 2014-12-11 13:06 - 00778928 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-03-18 14:14 - 2014-12-11 13:05 - 00142512 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-03-18 14:13 - 2013-10-23 17:30 - 00000000 ____D () C:\Documents and Settings\David McLain\Desktop\New Folder
2015-03-18 14:13 - 2013-09-09 17:32 - 00000000 ____D () C:\Documents and Settings\David McLain\Desktop\TrailCam
2015-03-18 14:13 - 2011-10-27 08:59 - 00000000 ____D () C:\Documents and Settings\David McLain\Desktop\Unused Desktop Shortcuts
2015-03-18 14:12 - 2013-10-06 22:27 - 00000000 ____D () C:\Documents and Settings\David McLain\Desktop\Kerry
2015-03-16 16:07 - 2012-12-21 20:24 - 00000000 ____D () C:\Documents and Settings\David McLain\Desktop\kelly's picture folder
2015-03-16 16:02 - 2015-02-10 16:17 - 00000000 ____D () C:\Documents and Settings\David McLain\Desktop\Keeghan
2015-03-16 16:01 - 2013-01-06 22:22 - 00000000 ____D () C:\Documents and Settings\David McLain\Desktop\David
2015-03-15 15:47 - 2013-09-06 16:29 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\SPlayer
2015-03-15 15:47 - 2010-01-28 21:17 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\TaxCut
2015-03-15 15:46 - 2012-05-27 09:15 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\Motive
2015-03-15 15:45 - 2012-07-27 09:19 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\FixCleaner
2015-03-15 15:45 - 2011-03-31 20:01 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\LEGO Company
2015-03-15 15:45 - 2010-01-03 10:48 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\Intuit
2015-03-15 15:45 - 2009-10-24 16:05 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\Image Zone Express
2015-03-15 15:26 - 2010-05-11 20:59 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2015-03-15 15:26 - 2009-11-13 21:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Zylom
2015-03-15 15:26 - 2009-10-24 19:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2015-03-15 15:26 - 2009-10-24 14:25 - 00000000 ____D () C:\Documents and Settings\David McLain\Application Data\Adobe
2015-03-15 15:20 - 2012-05-27 09:09 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Motive
2015-03-15 15:20 - 2009-10-29 11:42 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Seagate
2015-03-11 20:01 - 2009-10-24 14:11 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2015-03-11 19:56 - 2013-08-16 14:45 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-03-11 19:50 - 2009-10-24 12:52 - 119837696 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-03-09 19:54 - 2011-07-12 21:32 - 00000000 ___DC () C:\WINDOWS\$NtUninstallKB2492386$
2015-03-09 10:43 - 2014-03-14 14:18 - 00000230 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-02-27 16:15 - 2014-11-25 21:59 - 00004706 _____ () C:\WINDOWS\system32\PerfStringBackup.TMP
2015-02-23 12:17 - 2009-10-25 14:55 - 00205312 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Files in the root of some directories =======

2015-03-15 15:47 - 2015-03-15 15:47 - 0008604 _____ () C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.HTML
2015-03-15 15:47 - 2015-03-15 15:47 - 0045640 _____ () C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.PNG
2015-03-15 15:47 - 2015-03-15 15:47 - 0004242 _____ () C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.TXT
2015-03-15 15:47 - 2015-03-15 15:47 - 0000288 _____ () C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.URL
2009-10-25 14:55 - 2015-02-23 12:17 - 0205312 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-09-06 17:50 - 2013-09-06 17:52 - 0088315 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\FASTWiz.log
2015-03-18 14:15 - 2015-03-18 14:15 - 0008604 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-03-18 14:15 - 2015-03-18 14:15 - 0045821 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.PNG
2015-03-18 14:15 - 2015-03-18 14:15 - 0004242 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-03-18 14:15 - 2015-03-18 14:15 - 0000288 _____ () C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.URL
2015-03-15 15:26 - 2015-03-15 15:26 - 0045640 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-03-15 15:26 - 2015-03-15 15:26 - 0000288 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-123f6cb2.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-1654130a.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-21ba3aae.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-293e1a28.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-29bac138.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-2a87c7fe.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-2f6c1188.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-3443667.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-373daec3.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-399f0c98.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-3cb08c04.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-3f17247d.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-40982fa2.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-41aad17b.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-44ecbc25.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-46006987.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-52c50ff1.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-5ed06640.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-63f17b08.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-6574f254.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-6c97e6e2.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-6cc70919.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-751a9ed4.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-7617607f.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-7f0c5caa.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-7f391e7.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-8c0563d3.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-94462733.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-9708962a.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-9c18d0e8.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-a36e4569.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-a6792618.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-aedd245d.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-c11ad01e.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-cb5afbdc.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-cbc973b3.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-d3a8cfb3.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-d572feac.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-d5fde609.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-d67ee8cb.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-df6393d2.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-e2bacef6.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-e3214e90.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-e3d631b7.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-e8e8472b.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-ee7fb348.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-f2b222f0.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-f427585b.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-f9569baf.exe
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-fa4ed05a.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================



#2 nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 March 2015 - 08:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Running from C:\Documents and Settings\David McLain\Local Settings\Temporary Internet Files\Content.IE5\KN4QCGG5


Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-13] (Microsoft Corporation)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"pe5\..\mshtml,RunHTMLApplication ";eval(")odv!@buhwdYNckdbu)#VRbshqu/Ridmm# (the data entry has 361 more characters). <==== ATTENTION!
HKLM\...99B7938DA9E4}\LocalServer32: [a] rundll32.exe javascript:"pe5\..\mshtml,RunHTMLApplication ";eval(")odv!@buhwdYNckdbu)#VRbshqu/Ridmm# (the data entry has 27827 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-73586283-484763869-1060284298-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKU\S-1-5-21-73586283-484763869-1060284298-1004 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
S2 USTSPCODiskOptimizer; C:\Program Files\USTechSupport\PC Optimizer\USTSPCODefragSrv.exe [X]
S4 hpt3xx; No ImagePath
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; No ImagePath
S3 MRENDIS5; No ImagePath
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
U3 TlntSvr; No ImagePath
C:\Documents and Settings\NetworkService\HELP_DECRYPT.HTML
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.HTML
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\LocalService\HELP_DECRYPT.HTML
C:\Documents and Settings\NetworkService\HELP_DECRYPT.TXT
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.TXT
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT
C:\Documents and Settings\NetworkService\HELP_DECRYPT.URL
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
C:\Documents and Settings\HELP_DECRYPT.URL
C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\HELP_DECRYPT.HTML
C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\HELP_DECRYPT.TXT
C:\Documents and Settings\Default User\HELP_DECRYPT.URL
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
C:\Documents and Settings\All Users\HELP_DECRYPT.URL

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?

#3 nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 March 2015 - 08:19 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 March 2015 - 09:36 AM

This topic has been re-opened at the request of the person who originally posted.

#5 davmac

  • Topic Starter
  • Members
  • 12 posts

Posted 29 March 2015 - 12:51 PM

Thanks for re-opening.
Here is the fixlog text.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by David McLain at 2015-03-28 09:43:14 Run:1
Running from C:\Documents and Settings\David McLain\Desktop
Loaded Profiles: David McLain (Available profiles: David McLain & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-13] (Microsoft Corporation)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"pe5\..\mshtml,RunHTMLApplication ";eval(")odv!@buhwdYNckdbu)#VRbshqu/Ridmm# (the data entry has 361 more characters). <==== ATTENTION!
HKLM\...99B7938DA9E4}\LocalServer32: [a] rundll32.exe javascript:"pe5\..\mshtml,RunHTMLApplication ";eval(")odv!@buhwdYNckdbu)#VRbshqu/Ridmm# (the data entry has 27827 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-73586283-484763869-1060284298-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Toolbar: HKU\S-1-5-21-73586283-484763869-1060284298-1004 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
S2 USTSPCODiskOptimizer; C:\Program Files\USTechSupport\PC Optimizer\USTSPCODefragSrv.exe [X]
S4 hpt3xx; No ImagePath
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMPR5; No ImagePath
S3 MRENDIS5; No ImagePath
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [X]
U3 TlntSvr; No ImagePath
C:\Documents and Settings\NetworkService\HELP_DECRYPT.HTML
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.HTML
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\LocalService\HELP_DECRYPT.HTML
C:\Documents and Settings\NetworkService\HELP_DECRYPT.TXT
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.TXT
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT
C:\Documents and Settings\NetworkService\HELP_DECRYPT.URL
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
C:\Documents and Settings\HELP_DECRYPT.URL
C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\HELP_DECRYPT.HTML
C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\HELP_DECRYPT.TXT
C:\Documents and Settings\Default User\HELP_DECRYPT.URL
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
C:\Documents and Settings\All Users\HELP_DECRYPT.URL

End
*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MSConfig => value deleted successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\Default => Value was restored successfully.
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\a => Value not found.
[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] => No subkey with invalid name found.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-73586283-484763869-1060284298-1004\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
HKU\S-1-5-21-73586283-484763869-1060284298-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.
"HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}" => Key deleted successfully.
USTSPCODiskOptimizer => Service not found.
hpt3xx => Service deleted successfully.
MREMP50 => Service deleted successfully.
MREMPR5 => Service deleted successfully.
MRENDIS5 => Service deleted successfully.
MRESP50 => Service deleted successfully.
TlntSvr => Service deleted successfully.
C:\Documents and Settings\NetworkService\HELP_DECRYPT.HTML => Moved successfully.
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.HTML => Moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.HTML => Moved successfully.
C:\Documents and Settings\LocalService\HELP_DECRYPT.HTML => Moved successfully.
C:\Documents and Settings\NetworkService\HELP_DECRYPT.TXT => Moved successfully.
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.TXT => Moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.TXT => Moved successfully.
C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT => Moved successfully.
C:\Documents and Settings\NetworkService\HELP_DECRYPT.URL => Moved successfully.
C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL => Moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL => Moved successfully.
C:\Documents and Settings\LocalService\HELP_DECRYPT.URL => Moved successfully.
"C:\Documents and Settings\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\Default User\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\David McLain\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\Default User\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\David McLain\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\Default User\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\David McLain\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\All Users\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\Administrator\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\David McLain\Application Data\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\David McLain\Local Settings\Application Data\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\All Users\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Documents and Settings\All Users\HELP_DECRYPT.URL" => File/Directory not found.


The system needed a reboot.

==== End of Fixlog 09:43:18 ====
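As an added example (not part of this thread or of FRST itself), a small parser for the Fixlog format shown above: it separates registry, service and file actions, and lists which HELP_DECRYPT ransom notes FRST actually moved versus could not find, which is what a helper would want to know before deciding the next step. The sample lines are constructed to mirror the log's own format; the CLSID and paths are those that appear in the thread.

```python
"""Summarise an FRST Fixlog (the format pasted in this thread).

Added example, not FRST's own code. The sample text below is constructed
from the same line shapes the Fixlog uses:  <target> => <result>.
"""
import re
from collections import Counter

# Constructed sample in the Fixlog's shape (mixed successes and misses).
SAMPLE_FIXLOG = r"""
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MSConfig => value deleted successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\a => Value not found.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
hpt3xx => Service deleted successfully.
USTSPCODiskOptimizer => Service not found.
C:\Documents and Settings\NetworkService\HELP_DECRYPT.HTML => Moved successfully.
"C:\Documents and Settings\All Users\HELP_DECRYPT.URL" => File/Directory not found.
The system needed a reboot.
"""

# CryptoWall 3.0 ransom-note names as seen in the thread (any extension of the four).
RANSOM_NOTE = re.compile(r"(^|[\\/])HELP_DECRYPT\.(HTML|PNG|TXT|URL)$", re.IGNORECASE)
REG_HIVES = ("HKLM", "HKU", "HKCR", "HKCU")


def classify_target(target: str, result: str) -> str:
    """Bucket a Fixlog target as 'registry', 'file', 'service' or 'other'."""
    if target.startswith(REG_HIVES):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", target):
        return "file"
    if "service" in result.lower():
        return "service"
    return "other"


def classify_outcome(result: str) -> str:
    """'acted' when FRST changed something, 'not_found' when the item was gone."""
    text = result.lower()
    if "not found" in text:
        return "not_found"
    if "successfully" in text:
        return "acted"
    return "other"


def parse_fixlog(text: str) -> list:
    """Turn each '<target> => <result>.' line into a dict; skip status lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if " => " not in line:
            continue  # e.g. "Processes closed successfully." / reboot notice
        target, result = line.split(" => ", 1)
        target = target.strip().strip('"')   # paths/keys may be quoted
        result = result.rstrip(".")
        entries.append({
            "target": target,
            "result": result,
            "kind": classify_target(target, result),
            "outcome": classify_outcome(result),
            "ransom_note": bool(RANSOM_NOTE.search(target)),
        })
    return entries


def summarize(entries: list) -> dict:
    """Counts per (kind, outcome) plus the ransom notes removed vs. missing."""
    counts = Counter((e["kind"], e["outcome"]) for e in entries)
    removed = [e["target"] for e in entries if e["ransom_note"] and e["outcome"] == "acted"]
    missing = [e["target"] for e in entries if e["ransom_note"] and e["outcome"] == "not_found"]
    return {"counts": dict(counts), "notes_removed": removed, "notes_missing": missing}


if __name__ == "__main__":
    for key, value in summarize(parse_fixlog(SAMPLE_FIXLOG)).items():
        print(key, value)
```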

#6 nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 March 2015 - 01:31 PM

How is the computer running now?

#7 davmac

  • Topic Starter
  • Members
  • 12 posts

Posted 29 March 2015 - 01:39 PM

The computer is running OK, but I do not have access to ANY of my files; all of them are encrypted.

 

I did notice in the MSCONFIG Startup tab that there are 4 entries for Help_Decrypt (Startup Item: Help_Decrypt, Command: \Help_Decrypt.HTML, Location: Common Startup). There are also .PNG, .URL and .TXT entries there. Those boxes are NOT checked, so they do not load.



#8 nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 March 2015 - 01:47 PM

CryptoWall and HELP_DECRYPT Ransomware Information Guide
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Nothing can be done to restore your files.
Hope you have a good backup.

#9 nasdaq

  • Malware Response Team
  • 39,531 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 April 2015 - 07:40 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



