
Data files encrypted with Cryptowall 3.0


This topic is locked. 5 replies to this topic

#1 gjcs (Members, 4 posts)

Posted 27 March 2015 - 02:45 PM

I have scanned my computer using Malwarebytes, Spybot, and Avast 2015 antivirus, and quarantined/fixed whatever was found.  BUT I cannot open my data files.  There are files named help_decrypt, and when I open the help_decrypt.txt, it says: All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.  When I open help_decrypt, it takes me to the following website: paytoc4gtpn5czl2.torpaysolutions.com/zzcQYe

 

I ran FRST, and below is the text from the FRST.txt file.  I have also attached the Addition.txt file

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Rosie (administrator) on GW-LPTP on 27-03-2015 11:34:34
Running from C:\Documents and Settings\Rosie\Desktop
Loaded Profiles: Rosie & Administrator (Available profiles: Rosie & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2015\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgcsrvx.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(SigmaTel, Inc.) C:\WINDOWS\stsystra.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgemcx.exe
() C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
() C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
(Webroot) C:\Program Files\Webroot\WRSA.exe
(Webroot) C:\Program Files\Webroot\WRSA.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPLpr] => C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [98394 2004-11-05] (Synaptics, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [688218 2004-11-05] (Synaptics, Inc.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Common Files\Real\Update_OB\realsched.exe [185896 2008-05-13] (RealNetworks, Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] => C:\WINDOWS\stsystra.exe [282624 2006-02-13] (SigmaTel, Inc.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3710416 2015-02-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [WRSVC] => C:\Program Files\Webroot\WRSA.exe [817584 2015-03-27] (Webroot)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKLM\...\Policies\Explorer: [ForceClassicControlPanel] 1
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\Run: [HP Officejet 6700 (NET)] => C:\Program Files\HP\HP Officejet 6700\Bin\ScanToPCActivationApp.exe [1804648 2011-09-09] (Hewlett-Packard Co.)
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2008-06-16] (Google Inc.)
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\Policies\system: [EnableProfileQuota] 1
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\MountPoints2: {209c38cd-2ac4-11e3-9382-001b77513ad5} - F:\setup.exe -a
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\MountPoints2: {3bd3769c-ae45-11e3-93d7-001b77513ad5} - F:\setup.exe -a
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\MountPoints2: {6cface90-95e1-11de-94d1-001b77513ad5} - F:\LaunchU3.exe -a
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\MountPoints2: {89704650-7d17-11de-94b8-00e0b89ce286} - F:\LaunchU3.exe -a
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\MountPoints2: {dda903ce-7398-11df-90de-001b77513ad5} - F:\LaunchU3.exe -a
HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\MountPoints2: {f3bc6834-7242-11de-94ae-001b77513ad5} - H:\LaunchU3.exe -a
HKU\S-1-5-21-195908757-649669058-3365430507-500\...\Run: [Power2GoExpress] => NA
HKU\S-1-5-21-195908757-649669058-3365430507-500\...\RunOnce: [avg_spchecker] => "C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe" /start
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\Rosie\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet 6700 (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Officejet 6700 (Network).lnk -> C:\Program Files\HP\HP Officejet 6700\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\Rosie\Start Menu\Programs\Startup\VZAccess Manager.lnk
ShortcutTarget: VZAccess Manager.lnk -> C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe (Smith Micro Software, Inc.)
BootExecute: autocheck autochk * sdnclean.exeC:\PROGRA~1\AVG\AVG2015\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=SMB&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX860XL
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=SMB&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX860XL
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-195908757-649669058-3365430507-1006\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-195908757-649669058-3365430507-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?mtmhp=acm50mtmhpunauthgreeting
HKU\S-1-5-21-195908757-649669058-3365430507-500\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=SMB&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX860XL
HKU\S-1-5-21-195908757-649669058-3365430507-500\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=SMB&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX860XL
HKU\S-1-5-21-195908757-649669058-3365430507-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-195908757-649669058-3365430507-1006 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
SearchScopes: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> {6F9CF7B0-AD7C-4C61-B323-BF4B09373575} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=16ECFF65-0EEB-4452-90AC-17AE9D64F35F&apn_sauid=437D62E3-37D2-4897-B605-EDB2E52DD06E
SearchScopes: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> {A531D99C-5A22-449b-83DA-872725C6D0ED} URL = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=5485EAA001CC98CA04AFE120&install_time=2011-11-01T19:13:23Z&src_id=30046&camp_id=3229&tb_version=1.1.2000.2(B)
BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2010-05-28] (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-06-06] (Adobe Systems Incorporated)
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-05-13] (RealPlayer)
BHO: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2010-07-27] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-03] (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll [2015-03-05] (Google Inc.)
BHO: CBrowserHelperObject Object -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> c:\windows\system32\BAE.dll [2006-02-01] (Gateway Inc.)
BHO: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll [2010-08-24] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-10-13] (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2011-10-13] (Sun Microsystems, Inc.)
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2010-05-28] (Hewlett-Packard Co.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKLM - @C:\Program Files\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll [2010-08-24] (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-03] (Google Inc.)
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-03] (Google Inc.)
Toolbar: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-03] (Google Inc.)
Toolbar: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2001-06-20] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Rosie\Application Data\Mozilla\Firefox\Profiles\eyvsveon.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF DefaultSearchUrl: hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.aol.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-27] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [2008-03-19] (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2010-07-21] ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll [2011-10-13] (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.12.46 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2008-05-13] (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.3.46 -> C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll [2008-05-13] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.46 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll [2008-05-13] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-06-06] (Adobe Systems Inc.)
FF user.js: detected! => C:\Documents and Settings\Rosie\Application Data\Mozilla\Firefox\Profiles\eyvsveon.default\user.js [2012-11-15]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np32dsw.dll [2008-03-19] (Adobe Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2011-10-13] (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npnul32.dll [2011-04-24] (mozilla.org)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2011-06-06] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2008-05-13] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2010-08-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2010-08-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2010-08-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2010-08-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2010-08-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2010-08-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll [2010-08-23] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprjplug.dll [2008-05-13] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll [2008-05-13] (RealNetworks, Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml [2011-04-24]
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml [2011-04-24]
FF Extension: Google Toolbar for Firefox - C:\Documents and Settings\Rosie\Application Data\Mozilla\Firefox\Profiles\eyvsveon.default\Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2011-09-27]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Rosie\Application Data\Mozilla\Firefox\Profiles\eyvsveon.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2015-02-27]
FF Extension: Real Networks Settings - C:\Program Files\Mozilla Firefox\extensions\real-networks@partners.mozilla.com [2008-05-13]
FF Extension: Google Toolbar for Firefox - C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2008-05-13]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Program Files\Real\RealPlayer\browserrecord
FF Extension: RealPlayer Browser Record Plugin - C:\Program Files\Real\RealPlayer\browserrecord [2008-05-13]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-10-26]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011-10-13]
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012-03-10]
FF HKLM\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2012-11-15]
FF HKLM\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension
FF Extension: Default Manager - C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension [2012-11-15]
FF HKU\S-1-5-21-195908757-649669058-3365430507-1006\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.com"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\41.0.2272.101\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\41.0.2272.101\pdf.dll ()
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\Rosie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2210_0\plugins/avgnpss.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.270.7) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U27) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Shockwave for Director) - C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (2007 Microsoft Office system) - C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll (RealNetworks, Inc.)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: C:\Documents and Settings\Rosie\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Rosie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-26]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Rosie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-16]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3411408 2015-02-19] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [308720 2015-02-19] (AVG Technologies CZ, s.r.o.)
S3 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [434176 2006-08-02] (Intel Corporation) [File not signed]
S4 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2011-10-13] (Sun Microsystems, Inc.)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-03-17] (Malwarebytes Corporation)
R2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [226624 2011-01-27] ()
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S4 PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [196608 2008-05-08] (New Boundary Technologies, Inc.) [File not signed]
S3 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [327680 2006-08-02] (Intel Corporation) [File not signed]
S3 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [937984 2006-08-02] (Intel Corporation ) [File not signed]
S4 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S4 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S4 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 WRSVC; C:\Program Files\Webroot\WRSA.exe [817584 2015-03-27] (Webroot)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21419 2008-05-08] (Meetinghouse Data Communications) [File not signed]
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [121624 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [202208 2015-02-19] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [154904 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [192792 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [265184 2015-02-03] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [107488 2015-01-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [27416 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [210400 2015-01-16] (AVG Technologies CZ, s.r.o.)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2006-03-19] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2006-03-19] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2006-03-19] (HP)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-03-17] (Malwarebytes Corporation)
R3 NETw3x32; C:\WINDOWS\System32\DRIVERS\NETw3x32.sys [1709696 2006-09-27] (Intel® Corporation)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [12544 2006-08-02] (Intel Corporation) [File not signed]
S3 SMNDIS5; C:\Program Files\Verizon Wireless\VZAccess Manager\SMNDIS5.sys [16936 2002-11-26] (Smith Micro Software, Inc.) [File not signed]
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1106888 2006-02-13] (SigmaTel, Inc.)
R0 WRkrn; C:\WINDOWS\System32\drivers\WRkrn.sys [118296 2015-03-27] (Webroot)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2008-05-01] () [File not signed]
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-27 11:34 - 2015-03-27 11:35 - 00027257 _____ () C:\Documents and Settings\Rosie\Desktop\FRST.txt
2015-03-27 11:33 - 2015-03-27 11:34 - 00000000 ____D () C:\FRST
2015-03-27 11:23 - 2015-03-27 11:03 - 01135104 _____ (Farbar) C:\Documents and Settings\Rosie\Desktop\FRST.exe
2015-03-27 10:41 - 2015-03-27 11:33 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\WRData
2015-03-27 10:41 - 2015-03-27 10:41 - 00166128 _____ (Webroot) C:\WINDOWS\system32\WRusr.dll
2015-03-27 10:41 - 2015-03-27 10:41 - 00118296 _____ (Webroot) C:\WINDOWS\system32\Drivers\WRkrn.sys
2015-03-27 10:41 - 2015-03-27 10:41 - 00000000 ____D () C:\Program Files\Webroot
2015-03-27 10:41 - 2015-03-27 10:41 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Webroot SecureAnywhere
2015-03-26 15:23 - 2015-03-26 15:23 - 00008228 _____ () C:\Documents and Settings\Rosie\Desktop\test.xlsx
2015-03-26 15:17 - 2015-03-26 15:17 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Application Data\LogMeIn Rescue Calling Card
2015-03-19 02:46 - 2015-03-19 02:46 - 00000632 _____ () C:\WINDOWS\Tasks\AVG_SYS_TASK_0215av_RUN.job
2015-03-19 02:46 - 2015-03-19 02:46 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Avg_Update_0215av
2015-02-27 12:16 - 2015-02-27 12:16 - 00000000 ____D () C:\Documents and Settings\Rosie\Application Data\AVG2015
2015-02-27 12:15 - 2015-02-27 12:15 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2015-02-27 12:14 - 2015-02-27 12:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
2015-02-27 12:14 - 2015-02-27 12:14 - 00000000 ___HD () C:\$AVG
2015-02-27 12:08 - 2015-02-27 12:25 - 00000000 ____D () C:\Documents and Settings\Rosie\Local Settings\Application Data\Avg2015
2015-02-27 12:08 - 2015-02-27 12:08 - 00000000 ____D () C:\Documents and Settings\Rosie\Local Settings\Application Data\MFAData
2015-02-27 12:00 - 2015-02-27 12:00 - 00000000 ____D () C:\Documents and Settings\Rosie\Application Data\TuneUp Software
2015-02-27 11:53 - 2015-02-27 11:53 - 00000730 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2015-02-27 11:53 - 2015-02-27 11:53 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-02-27 11:53 - 2015-02-27 11:53 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Mozilla
2015-02-27 11:47 - 2015-03-27 10:20 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-02-27 11:47 - 2015-03-27 10:20 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-02-27 11:47 - 2015-02-27 11:47 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2015-02-27 11:46 - 2015-03-27 11:31 - 00321959 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-27 11:39 - 2015-02-27 11:46 - 00065536 _____ () C:\WINDOWS\system32\config\SpybotSD.evt
2015-02-27 11:39 - 2015-02-27 11:42 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2015-02-27 11:39 - 2015-02-27 11:39 - 00001860 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-02-27 11:39 - 2015-02-27 11:39 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
2015-02-27 11:39 - 2013-09-20 11:49 - 00018968 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean.exe
2015-02-27 11:33 - 2015-03-27 11:22 - 00014214 _____ () C:\WINDOWS\setupapi.log
2015-02-27 11:27 - 2015-02-27 11:27 - 00000000 ____D () C:\WINDOWS\CSC

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-27 11:35 - 2008-05-07 17:27 - 00000000 ____D () C:\Documents and Settings\Rosie\Local Settings\Temp
2015-03-27 10:48 - 2015-02-05 23:33 - 00119512 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-03-27 10:25 - 2011-09-06 07:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2015-03-27 10:20 - 2006-05-31 20:17 - 00001158 ____C () C:\WINDOWS\system32\wpa.dbl
2015-03-26 16:56 - 2008-05-07 17:27 - 00000178 __SHC () C:\Documents and Settings\Rosie\ntuser.ini
2015-03-26 16:55 - 2009-06-16 15:00 - 00000000 ____D () C:\Documents and Settings\Rosie\Local Settings\Application Data\LogMeIn Rescue Calling Card
2015-03-26 16:51 - 2009-05-06 13:38 - 00000000 ____D () C:\Documents and Settings\Rosie\Desktop\Household
2015-03-26 15:30 - 2015-02-05 23:33 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-26 15:30 - 2015-02-05 23:33 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-26 15:24 - 2008-05-23 11:01 - 00002473 ____C () C:\Documents and Settings\Rosie\Desktop\Microsoft Office Excel 2007.lnk
2015-03-26 15:17 - 2009-06-16 14:59 - 00000000 ____D () C:\Program Files\LogMeIn Rescue Calling Card
2015-03-26 15:16 - 2009-06-16 14:59 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Rescue Calling Card
2015-03-26 14:40 - 2012-03-10 16:30 - 00000000 ____D () C:\Documents and Settings\Rosie\Desktop\My Scans
2015-03-20 14:29 - 2008-05-07 17:27 - 00000000 ____D () C:\Documents and Settings\Rosie
2015-03-20 14:00 - 2011-06-15 16:32 - 00001815 ____C () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-03-19 13:36 - 2008-05-23 10:20 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2015-03-19 13:35 - 2013-08-15 03:04 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-03-19 13:24 - 2008-05-07 19:41 - 119837696 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-03-18 13:33 - 2006-05-31 13:24 - 00522638 ____C () C:\WINDOWS\system32\PerfStringBackup.INI
2015-03-17 06:15 - 2015-02-05 23:33 - 00120024 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-03-17 06:15 - 2009-06-16 15:10 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-03-05 18:43 - 2008-05-07 17:34 - 00000000 ____D () C:\Documents and Settings\Rosie\Local Settings\Application Data\Google
2015-02-27 15:07 - 2008-05-13 13:40 - 00000000 ____D () C:\Documents and Settings\Rosie\Desktop\Maintenance
2015-02-27 13:51 - 2008-05-13 22:07 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2015-02-27 12:13 - 2009-07-11 19:55 - 00000000 ____D () C:\Program Files\AVG
2015-02-27 12:02 - 2011-09-06 09:50 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2012
2015-02-27 12:00 - 2011-09-06 09:50 - 00000000 ____D () C:\WINDOWS\system32\Drivers\AVG
2015-02-27 11:55 - 2012-06-01 20:32 - 00701616 ____C (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-02-27 11:55 - 2012-06-01 20:32 - 00000830 ____C () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-27 11:55 - 2011-10-28 15:02 - 00071344 ____C (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-02-27 11:55 - 2008-05-13 12:12 - 00000000 ____D () C:\Documents and Settings\Rosie\Local Settings\Application Data\Adobe
2015-02-27 11:53 - 2008-05-13 13:36 - 00000724 ____C () C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2015-02-27 11:53 - 2008-05-13 13:36 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-02-27 11:46 - 2008-06-09 20:27 - 00000000 ____D () C:\WINDOWS\pss
2015-02-27 11:46 - 2006-05-31 20:17 - 00000512 ____C () C:\WINDOWS\win.ini
2015-02-27 11:46 - 2006-05-31 20:17 - 00000282 ____C () C:\WINDOWS\system.ini
2015-02-27 11:46 - 2006-05-31 20:17 - 00000211 __RSH () C:\boot.ini
2015-02-27 11:39 - 2008-05-13 22:07 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy
2015-02-27 11:30 - 2015-02-05 23:48 - 00000000 ____D () C:\WINDOWS\Minidump
2015-02-27 11:30 - 2008-05-07 17:35 - 00000000 __SHD () C:\Documents and Settings\Rosie\UserData

==================== Files in the root of some directories =======

2012-03-10 16:22 - 2012-03-10 20:39 - 0001109 ____C () C:\Documents and Settings\Rosie\Application Data\ConvAPIPlugin.log
2015-02-05 17:02 - 2015-02-05 17:02 - 0008632 _____ () C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.HTML
2015-02-05 17:02 - 2015-02-05 17:02 - 0045980 _____ () C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.PNG
2015-02-05 17:02 - 2015-02-05 17:02 - 0004256 _____ () C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.TXT
2015-02-05 17:02 - 2015-02-05 17:02 - 0000300 _____ () C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.URL
2009-06-16 09:26 - 2009-06-18 16:11 - 0001487 ____C () C:\Documents and Settings\Rosie\Application Data\messanger1.dat
2009-06-16 09:26 - 2009-06-18 17:01 - 0000000 ____C () C:\Documents and Settings\Rosie\Application Data\messanger2.dat
2008-05-07 17:31 - 2015-02-04 18:54 - 0046196 ____C () C:\Documents and Settings\Rosie\Application Data\wklnhst.dat
2008-06-22 00:15 - 2012-06-13 17:05 - 0004608 ____C () C:\Documents and Settings\Rosie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-30 16:52 - 2012-08-30 16:52 - 0027520 ____C () C:\Documents and Settings\Rosie\Local Settings\Application Data\dt.dat
2015-02-05 18:37 - 2015-02-05 18:37 - 0008632 _____ () C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-05 18:37 - 2015-02-05 18:37 - 0045980 _____ () C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.PNG
2015-02-05 18:37 - 2015-02-05 18:37 - 0004256 _____ () C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-05 18:37 - 2015-02-05 18:37 - 0000300 _____ () C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-05 17:01 - 2015-02-05 17:01 - 0008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-02-05 17:01 - 2015-02-05 17:01 - 0045980 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-02-05 17:01 - 2015-02-05 17:01 - 0004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-02-05 17:01 - 2015-02-05 17:01 - 0000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL

Files to move or delete:
====================
C:\Documents and Settings\Rosie\Application DatadMb.dat


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Attached File: Addition.txt (30.62KB)
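Triaging a log like the one above is mostly a matter of pulling the file entries into a timeline and looking at what was written around the moment the ransom notes appeared. The Python below is an added example written for this page, not part of the thread and not FRST's own code: it parses the `created - modified - size attrs (company) path` entry format used in the "One Month Created/Modified" and "Files in the root" sections, finds the earliest HELP_DECRYPT note, and lists every entry created or modified within a two-hour window of it. The sample lines are copied from the posted log except the `constructed-sample.tmp` entry, which is made up so that a non-note file falls inside the window. The meaning of the attribute letters (D directory, H hidden, S system, R read-only, C compressed) is an assumption inferred from the letters that appear in the log; the `2h` window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# One FRST file entry: "<created> - <modified> - <size> <attrs> (<company>) <path>".
# Attribute letters as they appear in the posted log (assumed meaning):
# D directory, H hidden, S system, R read-only, C compressed; "_" = flag unset.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

# Ransom-note names CryptoWall 3.0 dropped on this machine (from the posted log).
NOTE_NAMES = {"HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL"}

# Constructed sample input in the shape of the posted FRST sections. The file lines
# are copied from the thread except "constructed-sample.tmp", which is made up; the
# two trailing non-entry lines are there to show that the parser skips them.
SAMPLE_LOG = r"""
2015-03-27 10:48 - 2015-02-05 23:33 - 00119512 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-05 17:02 - 2015-02-05 17:02 - 0008632 _____ () C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.HTML
2015-02-05 17:02 - 2015-02-05 17:02 - 0045980 _____ () C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.PNG
2015-02-05 18:37 - 2015-02-05 18:37 - 0004256 _____ () C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-05 17:01 - 2015-02-05 17:01 - 0000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2008-05-07 17:31 - 2015-02-04 18:54 - 0046196 ____C () C:\Documents and Settings\Rosie\Application Data\wklnhst.dat
2015-02-27 11:47 - 2015-03-27 10:20 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-02-05 16:58 - 2015-02-05 16:58 - 00012345 _____ () C:\Documents and Settings\Rosie\Local Settings\Temp\constructed-sample.tmp
==================== Bamital & volsnap Check =================
C:\WINDOWS\explorer.exe => File is digitally signed
"""


def parse_frst(text):
    """Return one dict per file entry; section headers and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"]),
            "flags": set(m["attrs"]) - {"_"},
            "company": m["company"],
            "path": path,
            "is_note": path.rsplit("\\", 1)[-1].upper() in NOTE_NAMES,
        })
    return entries


def earliest_note(entries):
    """Creation time of the first ransom note: a good estimate of when encryption ran."""
    times = [e["created"] for e in entries if e["is_note"]]
    return min(times) if times else None


def near(entries, t0, window=timedelta(hours=2)):
    """Entries created or modified within +/- window of t0, oldest first."""
    hits = [e for e in entries
            if abs(e["created"] - t0) <= window or abs(e["modified"] - t0) <= window]
    return sorted(hits, key=lambda e: e["created"])


def summarize(text, window=timedelta(hours=2)):
    entries = parse_frst(text)
    t0 = earliest_note(entries)
    if t0 is None:
        return {"first_note": None, "window": []}
    return {
        "first_note": t0.strftime("%Y-%m-%d %H:%M"),
        "window": [(e["created"].strftime("%Y-%m-%d %H:%M"), e["path"]) for e in near(entries, t0, window)],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("first ransom note:", result["first_note"])
    for when, path in result["window"]:
        print(f"  {when}  {path}")
```

On a real log, feed the whole FRST.txt (and Addition.txt) through `summarize`: anything in the window that is not a note and not an obvious antivirus or Windows Update artifact is what to pull for closer inspection. A two-hour window is only a starting point; the notes in this thread span 17:01 to 18:37 because the encryptor kept writing them as it walked the disk.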





#2 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 March 2015 - 09:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is the infection - CryptoWall and HELP_DECRYPT Ransomware Information Guide
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Other than paying the ransom, if it's not too late, there is nothing we can do to restore your files.
I know one thing: I would not trust them. Your call.

We can only clean your computer of the bad files. Hope you have a good backup of your important files.

Execute the following to clean the computer.

===
 

ATTENTION: System Restore is disabled.


Before proceeding with this fix, restore it.
How to:
http://support.microsoft.com/en-us/kb/310405
===


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
URLSearchHook: HKU\S-1-5-21-195908757-649669058-3365430507-1006 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
SearchScopes: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> {6F9CF7B0-AD7C-4C61-B323-BF4B09373575} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=16ECFF65-0EEB-4452-90AC-17AE9D64F35F&apn_sauid=437D62E3-37D2-4897-B605-EDB2E52DD06E
SearchScopes: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> {A531D99C-5A22-449b-83DA-872725C6D0ED} URL = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=5485EAA001CC98CA04AFE120&install_time=2011-11-01T19:13:23Z&src_id=30046&camp_id=3229&tb_version=1.1.2000.2(B)
BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
FF user.js: detected! => C:\Documents and Settings\Rosie\Application Data\Mozilla\Firefox\Profiles\eyvsveon.default\user.js [2012-11-15]
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\Rosie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2210_0\plugins/avgnpss.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
U1 WS2IFSL; No ImagePath
C:\WINDOWS\pss\HELP_DECRYPT.HTMLStartup
C:\WINDOWS\pss\HELP_DECRYPT.TXTStartup
C:\WINDOWS\pss\HELP_DECRYPT.URLStartup
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
C:\Documents and Settings\All Users\HELP_DECRYPT.URL

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?

#3 gjcs
  • Topic Starter
  • Members
  • 4 posts

Posted 28 March 2015 - 01:26 PM

I followed your instructions. My computer is running okay. I have some concerns about whether, if I create new files, they will become infected. Also, if I back up all my files onto a new external device and copy those files onto another computer, will those files infect my other computer?

 

Here is the fixlog.txt info:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Rosie at 2015-03-28 10:55:51 Run:2
Running from C:\Documents and Settings\Rosie\Desktop
Loaded Profiles: Rosie & Administrator (Available profiles: Rosie & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
URLSearchHook: HKU\S-1-5-21-195908757-649669058-3365430507-1006 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
SearchScopes: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> {6F9CF7B0-AD7C-4C61-B323-BF4B09373575} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=16ECFF65-0EEB-4452-90AC-17AE9D64F35F&apn_sauid=437D62E3-37D2-4897-B605-EDB2E52DD06E
SearchScopes: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> {A531D99C-5A22-449b-83DA-872725C6D0ED} URL = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=5485EAA001CC98CA04AFE120&install_time=2011-11-01T19:13:23Z&src_id=30046&camp_id=3229&tb_version=1.1.2000.2(B)
BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKU\S-1-5-21-195908757-649669058-3365430507-1006 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
FF user.js: detected! => C:\Documents and Settings\Rosie\Application Data\Mozilla\Firefox\Profiles\eyvsveon.default\user.js [2012-11-15]
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\Rosie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2210_0\plugins/avgnpss.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
U1 WS2IFSL; No ImagePath
C:\WINDOWS\pss\HELP_DECRYPT.HTMLStartup
C:\WINDOWS\pss\HELP_DECRYPT.TXTStartup
C:\WINDOWS\pss\HELP_DECRYPT.URLStartup
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
C:\Documents and Settings\All Users\HELP_DECRYPT.URL

End
*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck => Value not found.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => Key not found.
HKU\S-1-5-21-195908757-649669058-3365430507-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Value not found.
"HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}" => Key deleted successfully.
"HKU\S-1-5-21-195908757-649669058-3365430507-1006\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6F9CF7B0-AD7C-4C61-B323-BF4B09373575}" => Key deleted successfully.
HKCR\CLSID\{6F9CF7B0-AD7C-4C61-B323-BF4B09373575} => Key not found.
"HKU\S-1-5-21-195908757-649669058-3365430507-1006\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}" => Key deleted successfully.
HKCR\CLSID\{A531D99C-5A22-449b-83DA-872725C6D0ED} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key deleted successfully.
"HKCR\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => value deleted successfully.
HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Key not found.
HKU\S-1-5-21-195908757-649669058-3365430507-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => value deleted successfully.
HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Key not found.
HKU\S-1-5-21-195908757-649669058-3365430507-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => value deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
C:\Documents and Settings\Rosie\Application Data\Mozilla\Firefox\Profiles\eyvsveon.default\user.js => Moved successfully.
C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll not found.
C:\Program Files\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll not found.
C:\Documents and Settings\Rosie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2210_0\plugins/avgnpss.dll not found.
C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll not found.
c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll not found.
WS2IFSL => Service deleted successfully.
C:\WINDOWS\pss\HELP_DECRYPT.HTMLStartup => Moved successfully.
C:\WINDOWS\pss\HELP_DECRYPT.TXTStartup => Moved successfully.
C:\WINDOWS\pss\HELP_DECRYPT.URLStartup => Moved successfully.
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.HTML => Moved successfully.
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.PNG => Moved successfully.
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.TXT => Moved successfully.
C:\Documents and Settings\Rosie\Application Data\HELP_DECRYPT.URL => Moved successfully.
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.HTML => Moved successfully.
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.PNG => Moved successfully.
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.TXT => Moved successfully.
C:\Documents and Settings\Rosie\Local Settings\Application Data\HELP_DECRYPT.URL => Moved successfully.
C:\Documents and Settings\All Users\HELP_DECRYPT.HTML => Moved successfully.
C:\Documents and Settings\All Users\HELP_DECRYPT.PNG => Moved successfully.
C:\Documents and Settings\All Users\HELP_DECRYPT.TXT => Moved successfully.
C:\Documents and Settings\All Users\HELP_DECRYPT.URL => Moved successfully.


The system needed a reboot.

==== End of Fixlog 10:55:51 ====



#4 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 March 2015 - 07:35 AM

My computer is running okay. I have some concerns about whether, if I create new files, they will become infected. Also, if I back up all my files onto a new external device and copy those files onto another computer, will those files infect my other computer?


I do not think that new files will be infected.
Create a dummy word processor file. Save it and then open it; it should be OK.

This infection only encrypts your files so that you can no longer open them.
No virus or worm is attached to them, so you should be safe to back up your good files.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
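The backup question in posts #3 and #4 comes down to sorting the disk into three piles before anything is copied: files that still open, files that were encrypted, and the HELP_DECRYPT notes themselves. Since the encrypted files here kept their original names and extensions, the name tells you nothing; the content does. The Python below is an added example written for this page (not the thread's own procedure, and not CryptoWall-specific tooling): it walks a directory tree, treats the four HELP_DECRYPT names from the log as notes, checks each file's leading bytes against the well-known signature for its extension, and, for extensions it has no signature for, falls back to the Shannon entropy of the first 4 KB, because ciphertext sits near 8 bits per byte. The sample tree it builds (budget.docx, taxes.pdf, scan1.jpg and so on) is constructed for the demo; the directory names echo the ones in the posted log but the files are made up.

```python
import math
import os
import shutil
import tempfile
from collections import Counter

# Ransom-note names seen in the posted FRST log.
NOTE_NAMES = {"HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL"}

# Leading bytes an intact file of each type must start with. Encryption replaces
# the whole file, so a wrong header is a strong sign the file was encrypted.
ZIP = b"PK\x03\x04"                                  # docx/xlsx/pptx are zip containers
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"           # legacy doc/xls/ppt
MAGIC = {
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,), ".zip": (ZIP,),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
HIGH_ENTROPY = 7.5  # bits per byte; random-looking ciphertext is close to 8.0


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, head_size=4096):
    """'note', 'intact', 'encrypted?' or 'unknown' for one file (a triage hint, not proof)."""
    if os.path.basename(path).upper() in NOTE_NAMES:
        return "note"
    with open(path, "rb") as fh:
        head = fh.read(head_size)
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC:
        return "intact" if head.startswith(MAGIC[ext]) else "encrypted?"
    # No signature for this type: compressed archives (7z, mp3, ...) will also look
    # high-entropy here, so treat this verdict as "open it and check", not as fact.
    if len(head) >= 256 and shannon_entropy(head) > HIGH_ENTROPY:
        return "encrypted?"
    return "unknown"


def triage(root):
    """Walk root; return (directories holding notes, {verdict: [relative paths]})."""
    note_dirs, by_verdict = set(), {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            verdict = classify_file(path)
            if verdict == "note":
                note_dirs.add(os.path.relpath(dirpath, root))
            by_verdict.setdefault(verdict, []).append(os.path.relpath(path, root))
    return sorted(note_dirs), {k: sorted(v) for k, v in by_verdict.items()}


def build_sample_tree(root):
    """Constructed sample files: two intact, two that look encrypted, one note, one plain."""
    samples = {
        ("Household", "budget.docx"): ZIP + b"constructed docx body",
        ("Household", "taxes.pdf"): os.urandom(4096),          # no %PDF header
        ("Household", "HELP_DECRYPT.TXT"): b"constructed ransom note text",
        ("Household", "notes.txt"): b"short plain text",       # no signature, low entropy
        ("My Scans", "scan1.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        ("My Scans", "scan2.dat"): os.urandom(4096),           # unknown type, high entropy
    }
    for (sub, fn), data in samples.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, fn), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir, triage it, clean up, return a summary."""
    root = tempfile.mkdtemp(prefix="cw-triage-")
    try:
        build_sample_tree(root)
        note_dirs, by_verdict = triage(root)
    finally:
        shutil.rmtree(root)
    return {
        "note_dirs": note_dirs,
        "counts": {k: len(v) for k, v in by_verdict.items()},
        "by_verdict": {k: [os.path.basename(p) for p in v] for k, v in by_verdict.items()},
    }


if __name__ == "__main__":
    for verdict, names in demo()["by_verdict"].items():
        print(f"{verdict:10s} {', '.join(names)}")
```

Run `triage("C:\\Documents and Settings\\Rosie")` style on the real profile and copy only the `intact` pile to the new drive, keep the `encrypted?` pile on a separate volume in case a decryptor appears later, and do not copy the notes at all (the .URL and .HTML ones point at the payment site). The verdicts are hints: a file flagged `intact` by its header could still be damaged further in, and a high-entropy `.dat` may simply be compressed, so spot-check by opening a few files from each pile.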

#5 gjcs
  • Topic Starter
  • Members
  • 4 posts

Posted 29 March 2015 - 04:35 PM

Thank you for all your help and your quick responses. 



#6 nasdaq
  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 March 2015 - 08:05 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



