IExplorer continually hijacked in background following multiple fake MS programs


This topic is locked
19 replies to this topic

#1 wbmcelroy


Posted 30 March 2015 - 02:03 PM

Hello, last night I somehow stumbled into what I think was malware, zapping my memory and CPU and grinding everything to a halt. When I opened Task Manager I could see the bulk of resources were being taken by multiple presumably fake instances of programs that Google indicated to be standard Windows programs. I remember msiexec.exe was one that had around 3 instances running at once, and even "notepad" was taking a suspiciously large amount of memory (80,000 k?) even though I wasn't running Notepad. There were also about 10 instances of iexplore.exe taking a relatively small amount of memory each.
 
I had to force restart with my PC's power button several times, and each time I'd be granted a few minutes of being able to use the computer before the resource drain made it unusable. After the first restart I was no longer allowed to close any of the runaway programs via task manager, whereas before their proliferation was simply faster than I could keep up with.
 
I managed to download Malwarebytes and run it a few times. During the first scan it detected "trojan.fakems.ed" and the computer crashed before the scan could complete, but upon reviewing the logs after more scans it shows that it has quarantined many instances of that trojan along with "trojan.agent.ed" and several "PUP" items. Additionally, my computer seems to be running almost as normal now that Malwarebytes is running in realtime at startup.
 
However, I'm still getting alerts from Malwarebytes pretty frequently that it is blocking access from an IP "217.23.3.200" and sometimes a strange .com as well, and Task Manager still shows several instances of iexplore.exe running even though I use Firefox, and any attempts to close them just result in more springing up to take their place. Interestingly, there may sometimes be a lull in these alerts from Malwarebytes, but they seem to increase to near-constant frequency if ever I open a program like Task Manager or Control Panel. I don't actually SEE any Internet Explorer windows open, and it's not slowing my computer down so noticeably anymore, but I'm still concerned that my passwords and other data could be at risk.
 
(Note: I downloaded some programs like HijackThis and autoruns last night to try to wade into some amateur PC sleuthing, but thought better of it and came here before really doing anything with them)
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Will (administrator) on WILL-PC on 30-03-2015 12:44:10
Running from C:\Users\Will\Desktop
Loaded Profiles: Will &  (Available profiles: Will & Administrator)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Creative Labs) C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
(Creative Technology Ltd) C:\Windows\System32\CTSVCCDA.EXE
(Digidesign, A Division of Avid Technology, Inc.) C:\Program Files\Digidesign\Drivers\MMERefresh.exe
(Avid Technology, Inc.) C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Motive Communications, Inc.) C:\Program Files\Common Files\Motive\McciCMService.exe
(Locktime Software) C:\Program Files\NetLimiter 3\nlsvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Creative Technology Ltd) C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
() C:\Program Files\Winamp\winampa.exe
(Avid Technology, Inc.) C:\Windows\System32\M-AudioTaskBarIcon.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
() C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(Locktime Software) C:\Program Files\NetLimiter 3\NLClientApp.exe
() C:\Users\Will\AppData\Roaming\FrameworkUpdate\ChromeUpdate.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Trend Micro Inc.) C:\Users\Will\Desktop\HijackThis.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_17_0_0_134.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_17_0_0_134.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_16_0_0_305_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_16_0_0_305_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [VolPanel] => C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe [180224 2006-11-27] (Creative Technology Ltd)
HKLM\...\Run: [WinampAgent] => C:\Program Files\Winamp\winampa.exe [37888 2009-04-10] ()
HKLM\...\Run: [M-Audio Taskbar Icon] => C:\Windows\System32\M-AudioTaskBarIcon.exe [356864 2008-05-15] (Avid Technology, Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6687264 2008-11-12] (Realtek Semiconductor)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] => C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS6ServiceManager] => C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM\...\Run: [DivXMediaServer] => C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe [455512 2014-05-27] (DivX, LLC)
HKLM\...\Run: [DivXUpdate] => C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1861968 2014-01-10] ()
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [NetLimiter] => C:\Program Files\NetLimiter 3\NLClientApp.exe [1844864 2013-10-10] (Locktime Software)
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [e810ea3] => C:\e810ea39\e810ea39.exe [241725 2015-03-29] ()
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [e810ea39] => C:\Users\Will\AppData\Roaming\e810ea39.exe [241725 2015-03-29] ()
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [ChromeUpdate] => C:\Users\Will\AppData\Roaming\FrameworkUpdate\ChromeUpdate.exe [14622612 2015-03-29] ()
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [FlashPlayerUpdate] => C:\Users\Will\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [169472 2015-03-30] ()
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\MountPoints2: {f3932003-02ca-11de-bfae-001d099ee848} - H:\Autorun.exe
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Users\Will\AppData\Local\Temp\.peazip_tmp2255\3D Christmas in the City.exe
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
Startup: C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e810ea39.exe ()
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3201667610-412620177-4289885976-1000] => actsvr.comcastonline.com:8100
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080917
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080917
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com
HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080917
HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080917
SearchScopes: HKLM -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-1000 -> {674658B3-D94C-4E34-A590-F49E219117A1} URL =
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-1000 -> {A175D078-DCB0-43C7-BEA6-0D0CA0251869} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=994519&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-1000 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-1000 -> {E163AE6E-254C-5FF4-BE33-4CBD31D63F5C} URL = http://dm.startnow.com/s/?q={searchTerms}&src=defsearch&provider=bing&provider_name=bing&provider_code=Z055&partner_id=195&product_id=611&affiliate_id=&channel=dm6&toolbar_id=200&toolbar_version=2.1.0&install_country=US&install_date=20110722&user_guid=B3D4A5B3538E46E9B64452206E1C0E4F&machine_id=e9ddd0003751eb9e7bb5e5dcc18f0ed1&browser=IE&os=win&os_version=6.0-x86-SP2&iesrc={referrer:source}
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=WSzOKVMe8bHmHXu6nVBSAYUhLls?q={searchTerms}
BHO: SSVHelper Class -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2015-01-16] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2015-01-16] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_71-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0071-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_71-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_71-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-11-28] (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\a1iydv5s.default-1422117613929
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: hxxp://www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_17_0_0_134.dll [2015-03-21] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1205146.dll [2013-10-25] (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll [2014-05-22] (DivX, LLC.)
FF Plugin: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll [2014-06-02] (DivX, LLC)
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-01-16] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2015-01-16] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0: @emusic.com/dlm-plugin -> C:\Program Files\eMusic Download Manager\plugin\npemusic.dll No File
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npmusicn.dll [2009-05-07] (Musicnotes, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-11-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-11-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-11-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-11-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-11-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPSibelius.dll [2009-03-10] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll [2008-10-02] (CNN)
FF Extension: Skype extension for Firefox - C:\Program Files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED} [2015-03-22]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-05-28]

Chrome:
=======
CHR Profile: C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Wallet) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-29]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Creative Labs Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe [72704 2008-09-17] (Creative Labs) [File not signed]
R2 Creative Service for CDROM Access; C:\Windows\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd) [File not signed]
R2 DigiRefresh; C:\Program Files\Digidesign\Drivers\MMERefresh.exe [77824 2007-10-31] (Digidesign, A Division of Avid Technology, Inc.) [File not signed]
R2 FastTrackInstallerService; C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe [81920 2007-03-07] (Avid Technology, Inc.) [File not signed]
S3 GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [16680 2008-09-17] (Citrix Online, a division of Citrix Systems, Inc.)
S2 gupdate1c993e4f38ed1fd; C:\Program Files\Google\Update\GoogleUpdate.exe [107912 2014-10-22] (Google Inc.)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [303104 2008-09-23] (Motive Communications, Inc.) [File not signed]
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe [234776 2012-09-05] (McAfee, Inc.)
R2 nlsvc; C:\Program Files\NetLimiter 3\nlsvc.exe [1132160 2013-10-10] (Locktime Software)
S3 SwitchBoard; C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Aspi32; C:\Windows\System32\drivers\aspi32.sys [16512 2002-07-17] (Adaptec) [File not signed]
S3 dalwdmservice; C:\Windows\System32\drivers\dalwdm.sys [97808 2007-10-31] (Digidesign, A Division of Avid Technology, Inc.)
R2 DigiNet; C:\Windows\System32\DRIVERS\diginet.sys [16400 2007-10-31] (Digidesign, A Division of Avid Technology, Inc.)
S3 MAUSBFT; C:\Windows\System32\DRIVERS\mausbft.sys [119808 2007-03-07] (Avid Technology, Inc.)
R3 MAUSBFTP; C:\Windows\System32\DRIVERS\mausb.sys [143624 2008-03-11] (Avid Technology, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-03-30] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2008-09-23] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2008-09-23] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R3 NLNdisMP; C:\Windows\System32\DRIVERS\nlndis.sys [5229360 2013-06-12] (Locktime Software)
S3 NLNdisPT; C:\Windows\System32\DRIVERS\nlndis.sys [5229360 2013-06-12] (Locktime Software)
R1 nltdi; C:\Program Files\NetLimiter 3\nltdi.sys [5280944 2013-06-12] (Locktime Software)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [717296 2009-02-24] () [File not signed]
S3 SynasUSB; C:\Windows\System32\drivers\SynasUSB.sys [23288 2007-10-24] (SIA Syncrosoft)
R0 TPkd; C:\Windows\system32\Drivers\TPkd.sys [79408 2007-09-05] (PACE Anti-Piracy, Inc.)
S4 adfs; No ImagePath
S4 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 mcdbus; system32\DRIVERS\mcdbus.sys [X]
S4 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S4 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S4 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S4 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 uti5mzy3; \??\C:\Windows\system32\Drivers\uti5mzy3.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-30 12:44 - 2015-03-30 12:47 - 00020428 _____ () C:\Users\Will\Desktop\FRST.txt
2015-03-30 12:38 - 2015-03-30 12:44 - 00000000 ____D () C:\FRST
2015-03-30 12:36 - 2015-03-30 12:36 - 01135104 _____ (Farbar) C:\Users\Will\Desktop\FRST.exe
2015-03-30 03:24 - 2015-03-30 03:24 - 00063828 _____ () C:\Users\Will\Desktop\RogueKiller.exe
2015-03-30 02:40 - 2015-03-30 02:40 - 00000000 ____D () C:\Users\Will\Desktop\autoruns
2015-03-30 02:31 - 2015-03-30 02:31 - 00008598 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-30 02:31 - 2015-03-30 02:31 - 00008598 _____ () C:\Users\Will\AppData\HELP_DECRYPT.HTML
2015-03-30 02:31 - 2015-03-30 02:31 - 00004242 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-30 02:31 - 2015-03-30 02:31 - 00004242 _____ () C:\Users\Will\AppData\HELP_DECRYPT.TXT
2015-03-30 02:31 - 2015-03-30 02:31 - 00000280 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.URL
2015-03-30 02:31 - 2015-03-30 02:31 - 00000280 _____ () C:\Users\Will\AppData\HELP_DECRYPT.URL
2015-03-30 02:25 - 2015-03-30 02:25 - 00008598 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.HTML
2015-03-30 02:25 - 2015-03-30 02:25 - 00004242 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.TXT
2015-03-30 02:25 - 2015-03-30 02:25 - 00000280 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.URL
2015-03-30 02:17 - 2015-03-30 02:23 - 00000000 ____D () C:\Users\Will\Desktop\backups
2015-03-30 02:13 - 2015-03-30 02:31 - 00008373 _____ () C:\Users\Will\Desktop\hijackthis.log
2015-03-30 02:06 - 2015-03-30 02:06 - 00388608 _____ (Trend Micro Inc.) C:\Users\Will\Desktop\HijackThis.exe
2015-03-30 02:05 - 2015-03-30 02:05 - 00388608 _____ (Trend Micro Inc.) C:\Users\Will\Downloads\HijackThis.exe
2015-03-30 00:35 - 2015-03-30 00:35 - 00160160 _____ () C:\Windows\Minidump\Mini033015-01.dmp
2015-03-30 00:03 - 2015-03-30 00:03 - 00000861 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-30 00:03 - 2015-03-30 00:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-30 00:02 - 2015-03-30 00:03 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-30 00:02 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-30 00:02 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-29 23:41 - 2015-03-29 23:44 - 21540440 _____ (Malwarebytes Corporation ) C:\Users\Will\Downloads\mbam-setup-2.1.4.1018(1).exe
2015-03-29 23:33 - 2015-03-29 23:33 - 00008598 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-29 23:33 - 2015-03-29 23:33 - 00004242 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-29 23:33 - 2015-03-29 23:33 - 00000280 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-03-29 23:30 - 2015-03-29 23:31 - 21540440 _____ (Malwarebytes Corporation ) C:\Users\Will\Downloads\mbam-setup-2.1.4.1018.exe
2015-03-29 22:56 - 2015-03-30 12:03 - 00000600 ____H () C:\ProgramData\@system.temp
2015-03-29 22:56 - 2015-03-30 12:03 - 00000336 ____H () C:\ProgramData\@system3.att
2015-03-29 22:55 - 2015-03-29 22:55 - 00000480 ____H () C:\Users\Will\AppData\Roaming\麽鎒駓覜
2015-03-29 22:55 - 2015-03-29 22:55 - 00000000 ____D () C:\Users\Will\AppData\Roaming\FrameworkUpdate
2015-03-29 22:42 - 2015-03-29 22:42 - 00241725 _____ () C:\Users\Will\AppData\Roaming\e810ea39.exe
2015-03-29 22:42 - 2015-03-29 22:42 - 00000000 ___HD () C:\e810ea39
2015-03-29 22:41 - 2015-03-30 00:50 - 00000000 ___HD () C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}
2015-03-29 22:41 - 2015-03-29 22:53 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-03-27 00:57 - 2015-03-27 00:57 - 00003338 _____ () C:\Users\Will\.recently-used.xbel
2015-03-22 03:01 - 2015-03-22 03:01 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-03-10 15:33 - 2015-02-25 19:18 - 02064384 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-03-10 15:33 - 2015-01-28 20:35 - 00975360 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-03-10 15:33 - 2015-01-28 20:35 - 00369664 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2015-03-10 15:23 - 2015-02-25 21:01 - 03604408 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-03-10 15:23 - 2015-02-25 21:01 - 03552184 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-03-10 15:23 - 2015-02-19 21:03 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-03-10 15:23 - 2015-02-19 19:28 - 00296960 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-03-10 15:23 - 2015-01-08 21:04 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-03-10 15:23 - 2015-01-08 19:18 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-03-10 15:22 - 2015-03-05 23:01 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-03-10 15:22 - 2015-01-20 21:02 - 00807936 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-03-10 15:21 - 2014-10-12 20:12 - 02264064 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2015-03-10 15:20 - 2015-02-17 21:02 - 11587584 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-03-10 13:49 - 2015-02-21 12:34 - 00367104 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-03-10 13:49 - 2015-02-21 12:29 - 09747968 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-03-10 13:49 - 2015-02-21 12:28 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-03-10 13:49 - 2015-02-21 12:22 - 01139200 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-03-10 13:49 - 2015-02-21 12:21 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-03-10 13:49 - 2015-02-21 12:21 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-03-10 13:49 - 2015-02-21 12:20 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-03-10 13:49 - 2015-02-21 12:20 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-03-10 13:49 - 2015-02-21 12:19 - 01803264 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-03-10 13:49 - 2015-02-21 12:19 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-03-10 13:49 - 2015-02-21 12:19 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-03-10 13:49 - 2015-02-21 12:19 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-03-10 13:49 - 2015-02-21 12:19 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-03-10 13:49 - 2015-02-21 12:18 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-03-10 13:49 - 2015-02-21 12:18 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-03-10 13:49 - 2015-02-21 12:18 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-03-10 13:49 - 2015-02-21 12:18 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-03-10 13:49 - 2015-02-21 12:18 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-03-10 13:48 - 2015-02-21 12:37 - 12375040 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-03-10 13:48 - 2015-02-21 12:18 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-03-10 13:48 - 2015-02-21 12:18 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-03-10 13:48 - 2015-02-21 12:17 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-03-10 01:50 - 2015-03-10 01:52 - 28509232 _____ () C:\Users\Will\Downloads\vlc-2.2.0-win32.exe
2015-02-28 22:02 - 2015-02-28 22:02 - 08248242 _____ () C:\Users\Will\Desktop\End of the rope.m4a

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-30 12:48 - 2012-04-12 13:36 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-30 12:42 - 2009-06-30 21:00 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-30 12:13 - 2006-11-02 07:47 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-30 12:13 - 2006-11-02 07:47 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-30 09:27 - 2011-03-21 13:24 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2015-03-30 04:57 - 2010-06-16 22:46 - 00000000 ____D () C:\Users\Will\Documents\mkmasterrev
2015-03-30 04:56 - 2010-06-16 22:46 - 00000000 ____D () C:\Users\Will\Documents\mkmaster
2015-03-30 04:55 - 2014-02-15 13:53 - 00000000 ____D () C:\Users\Will\Documents\mkfl
2015-03-30 04:55 - 2013-10-11 14:26 - 00000000 ____D () C:\Users\Will\Documents\mellotron
2015-03-30 04:54 - 2014-12-19 21:30 - 00000000 ____D () C:\Users\Will\Documents\malfuturesamplebankD
2015-03-30 04:54 - 2014-12-10 22:45 - 00000000 ____D () C:\Users\Will\Documents\malfuturesamplebankC
2015-03-30 04:54 - 2010-08-11 21:29 - 00000000 ____D () C:\Users\Will\Documents\Magic Kids - Memphis
2015-03-30 04:54 - 2010-06-15 19:59 - 00000000 ____D () C:\Users\Will\Documents\Magic Kids Proofs
2015-03-30 04:53 - 2010-02-25 21:09 - 00000000 ____D () C:\Users\Will\Documents\Lemonade- Pure Moods EP
2015-03-30 04:53 - 2010-01-26 02:54 - 00000000 ____D () C:\Users\Will\Documents\lowtomdm
2015-03-30 04:52 - 2011-04-26 00:36 - 00000000 ____D () C:\Users\Will\Documents\Law of the Coyote [2006]
2015-03-30 04:52 - 2009-01-24 18:36 - 00000000 ____D () C:\Users\Will\Documents\katherinesongs
2015-03-30 04:51 - 2011-09-22 12:50 - 00000000 ____D () C:\Users\Will\Documents\Jomic
2015-03-30 04:51 - 2010-02-25 21:09 - 00000000 ____D () C:\Users\Will\Documents\Janka Nabay- Bubu King EP
2015-03-30 04:50 - 2011-01-28 14:08 - 00000000 ____D () C:\Users\Will\Documents\Headbangers In Ecstacy
2015-03-30 04:50 - 2010-06-21 18:40 - 00000000 ____D () C:\Users\Will\Documents\hey boy rev2 mix and stems
2015-03-30 04:50 - 2010-02-26 19:12 - 00000000 ____D () C:\Users\Will\Documents\Hunx and His Punx- Gay Singles
2015-03-30 04:50 - 2010-01-26 02:57 - 00000000 ____D () C:\Users\Will\Documents\hitomdm
2015-03-30 04:50 - 2008-09-21 22:58 - 00000000 ____D () C:\Users\Will\Documents\HeroMachine
2015-03-30 04:48 - 2013-10-24 14:20 - 00000000 ____D () C:\Users\Will\Documents\GOTG_TheLastRealHouseparty
2015-03-30 04:48 - 2010-08-20 20:54 - 00000000 ____D () C:\Users\Will\Documents\Good to Be
2015-03-30 04:48 - 2010-07-06 14:05 - 00000000 ____D () C:\Users\Will\Documents\gotg
2015-03-30 04:47 - 2009-08-20 15:25 - 00000000 ____D () C:\Users\Will\Documents\Girls- Album
2015-03-30 04:46 - 2013-09-05 11:38 - 00000000 ____D () C:\Users\Will\Documents\early chinks
2015-03-30 04:46 - 2011-08-05 01:01 - 00000000 ____D () C:\Users\Will\Documents\frenchie
2015-03-30 04:45 - 2013-08-08 21:16 - 00000000 ___RD () C:\Users\Will\Documents\disasterableton Project
2015-03-30 04:45 - 2011-11-01 13:45 - 00000000 ____D () C:\Users\Will\Documents\DirectShow FilterPack
2015-03-30 04:45 - 2011-02-01 17:11 - 00000000 ____D () C:\Users\Will\Documents\Don't Fence Me In
2015-03-30 04:45 - 2010-01-07 17:44 - 00000000 ____D () C:\Users\Will\Documents\Delorean- Subiza
2015-03-30 04:45 - 2008-10-22 18:18 - 00000000 ____D () C:\Users\Will\Documents\digidesign_audio_drivers_v74_42004
2015-03-30 04:44 - 2013-07-28 14:04 - 00000000 ____D () C:\Users\Will\Documents\Cretin Stompers
2015-03-30 04:44 - 2011-06-13 18:51 - 00000000 ____D () C:\Users\Will\Documents\Dazed Paraders - Pidgeon Road
2015-03-30 04:43 - 2013-12-21 19:53 - 00000000 ____D () C:\Users\Will\Documents\chipmunks
2015-03-30 04:42 - 2012-07-23 12:07 - 00000000 ____D () C:\Users\Will\Documents\Carnivores- Second Impulse (MP3 Final Masters)
2015-03-30 04:42 - 2010-08-15 12:34 - 00000000 ____D () C:\Users\Will\Documents\Cheap Time II
2015-03-30 04:42 - 2008-09-21 22:29 - 00000000 ____D () C:\Users\Will\Documents\cakewalkcreations
2015-03-30 04:41 - 2008-09-21 22:58 - 00000000 ____D () C:\Users\Will\Documents\Cakewalk
2015-03-30 04:40 - 2012-02-25 17:42 - 00000000 ____D () C:\Users\Will\Documents\Bosco Delrey Shea Stadium
2015-03-30 04:39 - 2011-06-27 17:29 - 00000000 ____D () C:\Users\Will\Documents\Barbaras Home Recordings
2015-03-30 04:39 - 2011-02-17 14:17 - 00000000 ____D () C:\Users\Will\Documents\Bosco Delrey - Everybody Wah
2015-03-30 04:38 - 2012-07-14 02:14 - 00000000 ____D () C:\Users\Will\Documents\barbaras album photos
2015-03-30 04:37 - 2012-07-12 11:35 - 00000000 ____D () C:\Users\Will\Documents\barb sequence
2015-03-30 03:46 - 2011-02-23 15:34 - 00000000 ____D () C:\Users\Will\Documents\and the people
2015-03-30 03:46 - 2009-02-25 03:42 - 00000000 ____D () C:\Users\Will\Documents\AltoMP3
2015-03-30 03:45 - 2009-01-26 21:27 - 00000000 ____D () C:\Users\Will\Documents\Ableton
2015-03-30 03:42 - 2011-02-26 23:27 - 00000000 ____D () C:\Users\Will\Documents\3d Acid Glasses - steal my sunshine remix
2015-03-30 03:41 - 2014-11-16 02:35 - 00000000 ____D () C:\Users\Will\Desktop\xwing
2015-03-30 03:40 - 2014-12-10 01:09 - 00000000 ____D () C:\Users\Will\Desktop\tr-8 update
2015-03-30 03:40 - 2014-11-05 03:34 - 00000000 ____D () C:\Users\Will\Desktop\Univers Font Family
2015-03-30 03:40 - 2014-10-30 21:09 - 00000000 ____D () C:\Users\Will\Desktop\toxiephonetrax
2015-03-30 03:40 - 2014-06-20 20:35 - 00000000 ____D () C:\Users\Will\Desktop\screenplays
2015-03-30 03:40 - 2010-09-25 12:54 - 00000000 ____D () C:\Users\Will\Desktop\superball
2015-03-30 03:39 - 2015-02-10 13:37 - 00000000 ____D () C:\Users\Will\Desktop\processexplorer
2015-03-30 03:39 - 2015-01-24 11:40 - 00000000 ____D () C:\Users\Will\Desktop\Old Firefox Data
2015-03-30 03:39 - 2014-09-22 19:58 - 00000000 ____D () C:\Users\Will\Desktop\rideshareapplication
2015-03-30 03:39 - 2014-09-15 21:55 - 00000000 ____D () C:\Users\Will\Desktop\punish bleep
2015-03-30 03:38 - 2009-02-19 03:48 - 00000000 ____D () C:\Users\Will\Desktop\kashmir samples
2015-03-30 03:00 - 2008-09-16 20:58 - 01549121 _____ () C:\Windows\WindowsUpdate.log
2015-03-30 02:35 - 2014-11-11 19:05 - 00000000 ____D () C:\Users\Will\Desktop\jpegmini
2015-03-30 02:35 - 2011-05-01 12:16 - 00000000 ____D () C:\Users\Will\Desktop\Heaven's Magic - New Worlds to Conquer
2015-03-30 02:34 - 2014-07-28 00:14 - 00000000 ____D () C:\Users\Will\Desktop\dems
2015-03-30 02:34 - 2012-12-18 00:59 - 00000000 ____D () C:\Users\Will\Desktop\Demz
2015-03-30 02:33 - 2014-06-10 20:22 - 00000000 ____D () C:\Users\Will\Desktop\A55 Conducta U Touch Me EP
2015-03-30 02:33 - 2010-09-23 16:42 - 00000000 ____D () C:\Users\Will\Desktop\comics
2015-03-30 02:31 - 2015-01-01 18:32 - 00000000 ____D () C:\Users\Will\AppData\Roaming\TunesKit for Windows
2015-03-30 02:31 - 2013-10-24 14:20 - 00000000 ___HD () C:\Users\Will\Desktop\.peazip_tmp1592
2015-03-30 02:31 - 2013-07-28 22:16 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Spotify
2015-03-30 02:31 - 2010-08-18 14:40 - 00000000 ___HD () C:\Users\Will\Desktop\.peazip_tmp1201
2015-03-30 02:31 - 2008-10-22 20:13 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Steinberg
2015-03-30 02:31 - 2008-10-03 11:48 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Winamp
2015-03-30 02:30 - 2011-03-21 13:24 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Malwarebytes
2015-03-30 02:30 - 2008-11-20 22:44 - 00000000 ____D () C:\Users\Will\AppData\Roaming\PeaZip
2015-03-30 02:30 - 2008-10-25 16:48 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Roxio
2015-03-30 02:30 - 2008-10-22 20:18 - 00000000 ____D () C:\Users\Will\AppData\Roaming\PACE Anti-Piracy
2015-03-30 02:30 - 2008-09-22 15:10 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Propellerhead Software
2015-03-30 02:30 - 2008-09-21 21:46 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Mozilla
2015-03-30 02:29 - 2011-09-22 12:51 - 00000000 ____D () C:\Users\Will\AppData\Roaming\jomic
2015-03-30 02:28 - 2014-09-20 13:42 - 00000000 ____D () C:\Users\Will\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2015-03-30 02:28 - 2014-03-30 23:52 - 00000000 ____D () C:\Users\Will\AppData\Roaming\DiskSpaceFan
2015-03-30 02:28 - 2014-03-17 15:35 - 00000000 ____D () C:\Users\Will\AppData\Roaming\CANON INC
2015-03-30 02:28 - 2014-03-17 15:16 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Canon_Inc_IC
2015-03-30 02:28 - 2011-11-18 16:43 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Dropbox
2015-03-30 02:28 - 2010-09-21 21:20 - 00000000 ____D () C:\Users\Will\AppData\Roaming\cYo
2015-03-30 02:28 - 2009-02-24 03:15 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Chicken Systems
2015-03-30 02:28 - 2009-02-07 04:59 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Cakewalk
2015-03-30 02:27 - 2009-09-12 13:00 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Apple Computer
2015-03-30 02:26 - 2009-01-26 21:27 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Ableton
2015-03-30 02:26 - 2008-09-21 21:30 - 00000000 ____D () C:\Users\Will\AppData\Roaming\Adobe
2015-03-30 02:25 - 2013-07-28 22:17 - 00000000 ____D () C:\Users\Will\AppData\Local\Spotify
2015-03-30 02:24 - 2008-11-18 16:38 - 00000000 ____D () C:\Users\Will\AppData\Local\Microsoft Games
2015-03-30 02:24 - 2008-09-21 21:46 - 00000000 ____D () C:\Users\Will\AppData\Local\Mozilla
2015-03-30 02:14 - 2006-11-02 05:33 - 00759542 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-30 02:09 - 2009-06-30 21:00 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-30 02:07 - 2006-11-02 08:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-30 02:00 - 2006-11-02 08:01 - 00032630 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-30 01:21 - 2008-01-20 21:47 - 00250126 _____ () C:\Windows\PFRO.log
2015-03-30 01:12 - 2012-07-26 02:39 - 00000000 ____D () C:\Users\Will\AppData\Local\CRE
2015-03-30 01:12 - 2012-07-25 00:21 - 00000000 ____D () C:\Windows\MEMORY.DMP
2015-03-30 00:35 - 2011-06-05 16:44 - 00000000 ____D () C:\Windows\Minidump
2015-03-30 00:30 - 2006-11-02 06:18 - 00000000 ____D () C:\Windows\LiveKernelReports
2015-03-30 00:02 - 2011-03-21 13:24 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-29 23:33 - 2014-06-20 20:36 - 00000000 ____D () C:\Users\Will\AppData\Local\Adobe
2015-03-29 23:33 - 2011-03-21 00:18 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-03-29 23:33 - 2009-11-30 01:02 - 00000000 ____D () C:\ProgramData\Skype
2015-03-29 23:33 - 2008-11-15 23:05 - 00000000 ____D () C:\Users\Will\AppData\Local\Apple Computer
2015-03-29 23:33 - 2008-09-21 21:21 - 00000000 ____D () C:\Users\Will\AppData\Local\Google
2015-03-29 23:31 - 2014-03-17 15:12 - 00000000 ____D () C:\ProgramData\Canon_Inc_IC
2015-03-29 23:31 - 2010-06-15 18:12 - 00000000 ____D () C:\ProgramData\Motive
2015-03-29 23:31 - 2009-09-12 12:57 - 00000000 ____D () C:\ProgramData\Apple Computer
2015-03-29 23:23 - 2012-04-25 12:36 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-03-29 23:17 - 2013-08-02 00:05 - 00000000 ____D () C:\ProgramData\Ableton
2015-03-29 22:44 - 2014-11-16 02:39 - 00000000 ____D () C:\GOG Games
2015-03-27 02:08 - 2008-11-28 19:40 - 00000000 ____D () C:\Users\Will\.gimp-2.6
2015-03-27 00:57 - 2008-11-28 19:54 - 00000000 ____D () C:\Users\Will\AppData\Roaming\gtk-2.0
2015-03-27 00:57 - 2008-09-21 21:20 - 00000000 ____D () C:\Users\Will
2015-03-26 16:37 - 2011-05-05 21:35 - 00000000 ____D () C:\Users\Will\AppData\Roaming\vlc
2015-03-21 11:56 - 2012-04-12 13:36 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-03-21 11:56 - 2011-05-26 01:56 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-03-10 16:18 - 2006-11-02 07:47 - 03871968 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-10 15:33 - 2013-08-01 03:11 - 00000000 ____D () C:\Windows\system32\MRT
2015-03-10 15:24 - 2006-11-02 05:24 - 119837696 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe

==================== Files in the root of some directories =======

2014-11-11 19:46 - 2014-11-11 19:46 - 0000132 _____ () C:\Users\Will\AppData\Roaming\Adobe PNG Format CS6 Prefs
2008-09-23 12:52 - 2009-12-11 15:07 - 0000947 _____ () C:\Users\Will\AppData\Roaming\DataSafeDotNet.exe
2015-03-29 22:42 - 2015-03-29 22:42 - 0241725 _____ () C:\Users\Will\AppData\Roaming\e810ea39.exe
2015-03-30 02:31 - 2015-03-30 02:31 - 0008598 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-30 02:31 - 2015-03-30 02:31 - 0045688 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-30 02:31 - 2015-03-30 02:31 - 0004242 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-30 02:31 - 2015-03-30 02:31 - 0000280 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.URL
2008-10-21 20:44 - 2008-10-21 20:44 - 0001403 _____ () C:\Users\Will\AppData\Roaming\MQPreset.ini
2008-10-21 20:44 - 2008-10-21 20:49 - 0000224 _____ () C:\Users\Will\AppData\Roaming\Multique.ini
2008-10-09 14:52 - 2015-01-31 19:45 - 0005258 _____ () C:\Users\Will\AppData\Roaming\wklnhst.dat
2015-03-29 22:55 - 2015-03-29 22:55 - 0000480 ____H () C:\Users\Will\AppData\Roaming\麽鎒駓覜
2011-06-27 17:38 - 2011-06-27 17:51 - 0011452 ___SH () C:\Users\Will\AppData\Local\7d23l3abdp2i5u1jej48
2014-11-11 20:04 - 2014-11-11 20:08 - 0001456 _____ () C:\Users\Will\AppData\Local\Adobe Save for Web 13.0 Prefs
2009-01-28 16:34 - 2013-10-29 19:34 - 0001356 _____ () C:\Users\Will\AppData\Local\d3d9caps.dat
2008-10-20 00:53 - 2015-02-24 22:56 - 0061952 _____ () C:\Users\Will\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-30 02:25 - 2015-03-30 02:25 - 0008598 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.HTML
2015-03-30 02:25 - 2015-03-30 02:25 - 0045688 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.PNG
2015-03-30 02:25 - 2015-03-30 02:25 - 0004242 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.TXT
2015-03-30 02:25 - 2015-03-30 02:25 - 0000280 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.URL
2008-10-07 17:12 - 2008-10-07 17:12 - 0000026 _____ () C:\Users\Will\AppData\Local\NDFFS.DAT
2008-10-07 17:12 - 2008-10-07 17:12 - 0000026 _____ () C:\Users\Will\AppData\Local\spdlfa.ccr
2011-06-27 17:38 - 2011-06-27 17:51 - 0011452 ___SH () C:\ProgramData\7d23l3abdp2i5u1jej48
2015-03-29 22:56 - 2015-03-30 12:03 - 0000600 ____H () C:\ProgramData\@system.temp
2015-03-29 22:56 - 2015-03-30 12:03 - 0000336 ____H () C:\ProgramData\@system3.att
2009-11-30 01:05 - 2009-11-30 01:05 - 0000048 ____H () C:\ProgramData\ezsidmv.dat
2015-03-29 23:33 - 2015-03-29 23:33 - 0008598 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-29 23:33 - 2015-03-29 23:33 - 0045710 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-03-29 23:33 - 2015-03-29 23:33 - 0004242 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-29 23:33 - 2015-03-29 23:33 - 0000280 _____ () C:\ProgramData\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\i4jdel0.exe
C:\Users\Will\AppData\Local\Temp\DivXSetup.exe
C:\Users\Will\AppData\Local\Temp\i4jdel0.exe
C:\Users\Will\AppData\Local\Temp\i4jdel1.exe
C:\Users\Will\AppData\Local\Temp\i4jdel2.exe
C:\Users\Will\AppData\Local\Temp\i4jdel3.exe
C:\Users\Will\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\Will\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Will\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-30 02:40

==================== End Of Log ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-03-2015
Ran by Will at 2015-03-30 12:48:58
Running from C:\Users\Will\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Ableton Live 9 Suite (HKLM\...\{2395BEE6-92D4-4D91-8665-5BAB6B78A346}) (Version: 9.0.0.0 - Ableton)
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 15.0.0.249 - Adobe Systems Incorporated)
Adobe Download Assistant (HKLM\...\com.adobe.downloadassistant.AdobeDownloadAssistant) (Version: 1.2.9 - Adobe Systems Incorporated)
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 17 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Adobe Media Player (HKLM\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1 - Adobe Systems Incorporated)
Adobe Photoshop CS4 (HKLM\...\Adobe_faf656ef605427ee2f42989c3ad31b8) (Version: 11.0 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
Adobe Reader 9.5.5 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM\...\Adobe Shockwave Player) (Version: 12.0.5.146 - Adobe Systems, Inc.)
AmpliTube LE (HKLM\...\{453B6373-7CB2-47F2-8353-A6C95EB16713}) (Version: 1.1.0 - )
AP Tuner 3.08 (HKLM\...\AP Tuner 3.08) (Version: - )
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ASIO4ALL (HKLM\...\ASIO4ALL) (Version: - )
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version: - )
Bome's Mouse Keyboard 2.00 (HKLM\...\Bome's Mouse Keyboard_is1) (Version: - Bome Software)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Browser Address Error Redirector (HKLM\...\{62230596-37E5-4618-A329-0D21F529A86F}) (Version: 1.00.0000 - Dell)
clrmamepro (HKLM\...\clrmamepro) (Version: 3.10.22.3 - Roman Scherzer)
Collab (HKLM\...\Collab) (Version: - Image-Line bvba)
Comcast High-Speed Internet Install Wizard (HKLM\...\ComcastHSI) (Version: - Comcast Cable Communications, LLC)
ComicRack v0.9.153 (HKLM\...\ComicRack) (Version: v0.9.153 - cYo Soft)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Creative MediaSource 5 (HKLM\...\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}) (Version: 5.00 - )
Defraggler (HKLM\...\Defraggler) (Version: 2.15 - Piriform)
Digidesign Audio Drivers 7.4 (HKLM\...\{9F1D8E17-2AE6-4608-901D-42146D7D9C68}) (Version: 7.4 - Digidesign, A Division of Avid Technology, Inc.)
Disk Space Fan 4 Free 4.5.1.129 (HKLM\...\Disk Space Fan 4 Free_is1) (Version: - Disk Space Fan Team)
Dropbox (HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Dropbox) (Version: 1.4.7 - Dropbox, Inc.)
EDocs (HKLM\...\{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}) (Version: - )
Fast Track Pro (HKLM\...\{3E67F68D-3797-4B6A-B02C-27BC98DFEBDA}) (Version: 5.10.00.5119v2 - M-Audio)
Fast Track USB (HKLM\...\{07D4A7C5-C55C-45B5-9E86-D8068D25EF40}) (Version: 5.10.00.5093v2 - M-Audio)
FileZilla Client 3.3.3 (HKLM\...\FileZilla Client) (Version: 3.3.3 - )
FL Studio 7 (HKLM\...\FL Studio 7) (Version: - Image-Line bvba)
GIMP 2.6.3 (HKLM\...\WinGimp-2.0_is1) (Version: - )
GoldWave v5.23 (HKLM\...\GoldWave v5.23) (Version: - )
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
GoToAssist 8.0.0.514 (HKLM\...\GoToAssist) (Version: - )
Guitar Pro 5.2 (HKLM\...\Guitar Pro 5_is1) (Version: - Arobas Music)
Guitar Tracks Pro 3 (HKLM\...\Guitar Tracks Pro 3) (Version: - )
HammerHead Rhythm Station (HKLM\...\HammerHead Rhythm Station) (Version: - )
Hardware Scanner 2.0 (HKLM\...\Hardware Scanner DEMO_is1) (Version: - Classic Blue Software)
IL Download Manager (HKLM\...\IL Download Manager) (Version: - Image-Line bvba)
Intel® PRO Network Connections 12.1.11.0 (HKLM\...\PROSetDX) (Version: - Intel)
Interlok driver setup x32 (HKLM\...\{25613C10-27D2-410B-942B-D922D5C3A7BE}) (Version: 5.7.2.2923 - PACE Anti-Piracy)
iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.)
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
JavaFX 2.1.1 (HKLM\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Malwarebytes' Anti-Malware (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: - Malwarebytes Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.0.285.6 - McAfee, Inc.)
microKORG SoundEditor (HKLM\...\{EB091860-8C2B-4E49-A543-666373C39E6F}) (Version: 1.00.0000 - KORG Inc.)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Works (HKLM\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
MIDI-OX (HKLM\...\{ABC52CF9-2D43-4278-A152-CB2CD3ED8FE9}) (Version: 7.00.365 - MIDIOX Computing)
Mozilla Firefox 36.0.4 (x86 en-US) (HKLM\...\Mozilla Firefox 36.0.4 (x86 en-US)) (Version: 36.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Multiquence v2.55 (HKLM\...\Multiquence v2.55) (Version: - )
Musicnotes Software Suite 1.0 (HKLM\...\Musicnotes Combined Installer_is1) (Version: 1.0 - Musicnotes Inc.)
Native Instruments Guitar Rig 3 (HKLM\...\Native Instruments Guitar Rig 3) (Version: - )
Native Instruments Service Center (HKLM\...\Native Instruments Service Center) (Version: - )
Netflix Movie Viewer (HKLM\...\{BCE72AED-3332-4863-9567-C5DCB9052CA2}) (Version: 1.2.211 - Netflix)
NetLimiter 3 (HKLM\...\NetLimiter 3 3.0.0.11) (Version: 3.0.0.11 - Locktime Software)
NetLimiter 3 (Version: 3.0.0.11 - Locktime Software) Hidden
PDF Combine (HKLM\...\PDF Combine_is1) (Version: - Softplicity, Inc.)
PDF Settings CS6 (Version: 11.0 - Adobe Systems Incorporated) Hidden
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.192.0 - Tracker Software Products Ltd)
PeaZip 2.3a (HKLM\...\{5A2BC38A-406C-4A5B-BF45-6991F9A05325}_is1) (Version: - Giorgio Tani)
PoiZone (HKLM\...\PoiZone) (Version: - Image-Line bvba)
Power Tab Editor 1.7 (HKLM\...\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}) (Version: 1.7.0 - Power Tab Software)
Project64 1.6 (HKLM\...\{9559F7CA-5E34-4237-A2D9-D856464AD727}) (Version: 1.6 - Project64)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5735 - Realtek Semiconductor Corp.)
Roxio Creator DE (HKLM\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.1 - Roxio)
Skype web features (HKLM\...\{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}) (Version: 1.0.3971 - Skype Technologies S.A.)
Sony Noise Reduction Plug-In 2.0h (HKLM\...\{06A1BE8A-4CA4-4A39-B9E4-E815AA8FE05C}) (Version: 2.0.451 - Sony)
Sound Blaster Audigy ADVANCED MB (HKLM\...\{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}) (Version: 1.0 - )
Sound Forge Pro 10.0 (HKLM\...\{9660B18F-EC12-11DF-B006-0013D3D69929}) (Version: 10.0.491 - Sony)
Spelling Dictionaries Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Spotify (HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Spotify) (Version: 0.9.6.81.gd359a796 - Spotify AB)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
STAR WARS® - X-Wing (1998) (HKLM\...\1207666393_is1) (Version: 2.0.0.5 - GOG.com)
Steinberg Sequel 2 Trial Content (HKLM\...\{DF584D4A-2619-41BE-9515-AAB18439D393}) (Version: 2.0.0.351 - Steinberg Media Technologies GmbH)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Syncrosoft License Control (HKLM\...\Syncrosoft License Control) (Version: - SIA Syncrosoft)
SyxLibEd (HKLM\...\ST5UNST #1) (Version: - )
TBS WMP Plug-in (HKLM\...\InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}) (Version: 1.00.676 - CNN)
TBS WMP Plug-in (Version: 1.00.676 - CNN) Hidden
Total Commander (Remove or Repair) (HKLM\...\Totalcmd) (Version: 8.50 - Ghisler Software GmbH)
TotalDocConverter (HKLM\...\Total Doc Converter_is1) (Version: - Softplicity, Inc.)
Toxic Biohazard (HKLM\...\Toxic Biohazard) (Version: - Image-Line bvba)
Translator Free 2.9 (2.9.118) (HKLM\...\Translator Free_is1) (Version: 2.9 - Chicken Systems, Inc.)
TunesKit for Windows 2.1.0.10 (HKLM\...\TunesKit for Windows_is1) (Version: - Leem Software, Inc.)
TweetDeck (HKLM\...\{C4ADB67B-C908-4D94-B85E-585D2F3F9118}) (Version: 3.3.7 - Twitter)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0 - DivX, Inc) Hidden
Virtual Springfield (HKLM\...\Virtual Springfield) (Version: - )
VLC media player (HKLM\...\VLC media player) (Version: 2.2.0 - VideoLAN)
Winamp (HKLM\...\Winamp) (Version: 5.552 - Nullsoft, Inc)
Windows Installer Clean Up (HKLM\...\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}) (Version: 3.00.00.0000 - Microsoft Corporation)
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Xvid 1.2.2 final uninstall (HKLM\...\Xvid_is1) (Version: 1.2 - Xvid team (Koepi))

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Will\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.135\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.99\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.57\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.69\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{29A96789-9595-4947-BEDB-0FCC776F7DB8}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.2.183.39\goopdate.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.79\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.23.9\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.145\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.153\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.165\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.65\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.22.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{F7117AE6-81F2-45B8-96EE-56F6FD357A48}\InprocServer32 -> C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}\gameux.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.24.7\psuser.dll No File

==================== Restore Points =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 05:23 - 2006-09-18 16:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0344B56E-F016-42A0-9090-D46059866DEA} - System32\Tasks\{3874176A-01DB-4383-BAE5-F5827DDC241F} => pcalua.exe -a C:\Users\Will\Desktop\GraalSetup.exe -d C:\Users\Will\Desktop
Task: {0DE34E22-3D5D-4535-A73B-A01148C28913} - System32\Tasks\{641E7A2C-56D6-42C8-BF9E-C32E7BDB8031} => pcalua.exe -a E:\setup.exe -d E:\
Task: {1D00E139-048D-46F8-B371-17DC3536369C} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {44FD7CCE-BFFC-43EB-AD89-0E4895913BA7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-03-21] (Adobe Systems Incorporated)
Task: {568FADDB-61AD-4354-8190-7B83352E6679} - System32\Tasks\{2037B6E4-6313-45D3-8734-CEBDFBADD597} => C:\Program Files\Skype\Phone\Skype.exe
Task: {5A662D81-EF82-4A33-914A-5BE0371AE585} - System32\Tasks\{978C92CE-C2B8-4F4B-ACF3-76B184CAB12F} => pcalua.exe -a C:\Users\Will\Desktop\noisereduction20h.exe -d "C:\Program Files\Mozilla Firefox"
Task: {72551F80-3D9D-4205-B670-5A3CE5093478} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-22] (Google Inc.)
Task: {7E24E100-47F2-45D5-B971-B81B4F9FD010} - System32\Tasks\{2ACEF597-933B-49E8-9FEE-573068A4EA21} => pcalua.exe -a C:\Users\Will\Desktop\APTunerInstall308.exe -d C:\Users\Will\Desktop
Task: {93BA7A82-0A73-41FA-9C48-6998FC6D2AFB} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Signature Update => c:\program files\windows defender\MpCmdRun.exe [2008-01-20] (Microsoft Corporation)
Task: {A29F77A5-1D76-4DE5-902F-BC9377B792A3} - System32\Tasks\{47297266-046E-4FFC-9E4B-4AD54CD0C61C} => pcalua.exe -a "C:\Users\Will\Desktop\New Folder\SETUP.EXE" -d "C:\Users\Will\Desktop\New Folder"
Task: {E95E060C-A370-497E-873A-A8AE1D4476AD} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-22] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2014-01-20 14:17 - 2014-01-20 14:17 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2011-03-21 17:14 - 2011-03-21 17:14 - 00061440 _____ () C:\Program Files\NetLimiter 3\nlsvcPS.dll
2010-06-13 16:54 - 2010-06-13 16:54 - 00094208 _____ () C:\Program Files\FileZilla FTP Client\fzshellext.dll
2011-02-13 01:20 - 2006-11-30 20:03 - 00434688 _____ () C:\Program Files\TotalDocConverter\axTotalConverter.dll
2008-09-17 01:08 - 2006-11-13 10:07 - 00066560 ____N () C:\Windows\system32\CmdRtr.dll
2008-09-17 01:08 - 2006-11-20 13:29 - 00101376 ____N () C:\Windows\system32\APOMngr.dll
2009-04-10 12:29 - 2009-04-10 12:29 - 00037888 _____ () C:\Program Files\Winamp\winampa.exe
2014-01-10 00:26 - 2014-01-10 00:26 - 01861968 _____ () C:\Program Files\DivX\DivX Update\DivXUpdate.exe
2014-01-10 00:28 - 2014-01-10 00:28 - 00100688 _____ () C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
2015-03-29 22:55 - 2015-03-29 22:55 - 14622612 _____ () C:\Users\Will\AppData\Roaming\FrameworkUpdate\ChromeUpdate.exe
2015-03-21 11:56 - 2015-03-21 11:56 - 16858288 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_17_0_0_134.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Will\Cookies:BdPnyAO7YF1dsvV0niTuddR1

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)



HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Classes\exefile: <===== ATTENTION!

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Will\Pictures\alexrossarchie.jpg
HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\img24.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\Windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: avast => "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
MSCONFIG\startupreg: ConduitFloatingPlugin_fdkednngfjmpnljkolbapdednncafhen => "C:\Windows\system32\Rundll32.exe" "C:\Program Files\Conduit\CT3298566\plugins\TBVerifier.dll",RunConduitFloatingPlugin fdkednngfjmpnljkolbapdednncafhen
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: DigidesignMMERefresh => C:\Program Files\Digidesign\Drivers\MMERefresh.exe
MSCONFIG\startupreg: ECenter => C:\Dell\E-Center\EULALauncher.exe
MSCONFIG\startupreg: ehTray.exe => C:\Windows\ehome\ehTray.exe
MSCONFIG\startupreg: Google Desktop Search => "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
MSCONFIG\startupreg: Google Update => "C:\Users\Will\AppData\Local\Google\Update\GoogleUpdate.exe" /c
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: pccguide.exe => "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
MSCONFIG\startupreg: SearchProtect => C:\Users\Will\AppData\Roaming\SearchProtect\bin\cltmng.exe
MSCONFIG\startupreg: SearchProtectAll => C:\Program Files\SearchProtect\bin\cltmng.exe
MSCONFIG\startupreg: SearchSettings => "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe"
MSCONFIG\startupreg: Sidebar => C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
MSCONFIG\startupreg: Spotify => "C:\Users\Will\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\Will\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: UpdReg => C:\Windows\UpdReg.EXE
MSCONFIG\startupreg: WMPNSCFG => C:\Program Files\Windows Media Player\WMPNSCFG.exe

==================== Accounts: =============================

Administrator (S-1-5-21-3201667610-412620177-4289885976-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-3201667610-412620177-4289885976-501 - Limited - Disabled)
Will (S-1-5-21-3201667610-412620177-4289885976-1000 - Administrator - Enabled) => C:\Users\Will

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/30/2015 11:46:30 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 11:46:24 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 11:22:05 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 11:22:05 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 10:30:10 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 10:30:09 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 09:57:09 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 09:56:37 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 08:45:27 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/30/2015 08:45:23 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (03/30/2015 04:44:38 AM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (03/30/2015 04:44:35 AM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (03/30/2015 04:44:32 AM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (03/30/2015 04:44:29 AM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (03/30/2015 02:10:13 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Microsoft .NET Framework NGEN v4.0.30319_X86

Error: (03/30/2015 02:09:04 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: adfs%%2

Error: (03/30/2015 02:03:44 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: spldr
Wanarpv6

Error: (03/30/2015 02:03:44 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Computer BrowserServer%%1068

Error: (03/30/2015 02:03:44 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (03/30/2015 02:03:23 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}


Microsoft Office Sessions:
=========================
Error: (03/30/2015 11:46:30 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE

Error: (03/30/2015 11:46:24 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP

Error: (03/30/2015 11:22:05 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE

Error: (03/30/2015 11:22:05 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP

Error: (03/30/2015 10:30:10 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE

Error: (03/30/2015 10:30:09 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP

Error: (03/30/2015 09:57:09 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE

Error: (03/30/2015 09:56:37 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP

Error: (03/30/2015 08:45:27 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-TO_DELETE

Error: (03/30/2015 08:45:23 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)
C:\USERS\WILL\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\A1IYDV5S.DEFAULT-1422117613929\SAFEBROWSING-BACKUP


CodeIntegrity Errors:
===================================
Date: 2015-03-30 12:48:16.365
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 12:48:15.539
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 12:48:14.679
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 12:48:13.757
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 12:41:34.124
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 09:30:43.462
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 06:32:58.748
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 02:08:25.777
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 01:35:10.016
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-03-30 01:35:09.252
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Pentium® Dual CPU E2180 @ 2.00GHz
Percentage of memory in use: 73%
Total physical RAM: 2036.45 MB
Available physical RAM: 543.43 MB
Total Pagefile: 4314.18 MB
Available Pagefile: 2074.32 MB
Total Virtual: 2047.88 MB
Available Virtual: 1898.91 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:222.78 GB) (Free:0.75 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.21 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 232.8 GB) (Disk ID: 30000000)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=222.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Edited by Oh My!, 30 March 2015 - 08:50 PM.
Posted Addition.txt


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 30 March 2015 - 08:55 PM

Greetings wbmcelroy and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Can you tell me if your files are encrypted? Do you recognize this?

APTunerInstall308.exe

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [e810ea3] => C:\e810ea39\e810ea39.exe [241725 2015-03-29] ()
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [e810ea39] => C:\Users\Will\AppData\Roaming\e810ea39.exe [241725 2015-03-29]
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\MountPoints2: {f3932003-02ca-11de-bfae-001d099ee848} - H:\Autorun.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-1000 -> {674658B3-D94C-4E34-A590-F49E219117A1} URL =
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-1000 -> {A175D078-DCB0-43C7-BEA6-0D0CA0251869} URL =
Toolbar: HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S4 adfs; No ImagePath
S4 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 mcdbus; system32\DRIVERS\mcdbus.sys [X]
S4 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S4 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S4 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S4 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 uti5mzy3; \??\C:\Windows\system32\Drivers\uti5mzy3.sys [X]
2015-03-30 02:31 - 2015-03-30 02:31 - 00008598 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-30 02:31 - 2015-03-30 02:31 - 00008598 _____ () C:\Users\Will\AppData\HELP_DECRYPT.HTML
2015-03-30 02:31 - 2015-03-30 02:31 - 00004242 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-30 02:31 - 2015-03-30 02:31 - 00004242 _____ () C:\Users\Will\AppData\HELP_DECRYPT.TXT
2015-03-30 02:31 - 2015-03-30 02:31 - 00000280 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.URL
2015-03-30 02:31 - 2015-03-30 02:31 - 00000280 _____ () C:\Users\Will\AppData\HELP_DECRYPT.URL
2015-03-30 02:25 - 2015-03-30 02:25 - 00008598 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.HTML
2015-03-30 02:25 - 2015-03-30 02:25 - 00004242 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.TXT
2015-03-30 02:25 - 2015-03-30 02:25 - 00000280 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.URL
2015-03-29 23:33 - 2015-03-29 23:33 - 00008598 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-29 23:33 - 2015-03-29 23:33 - 00004242 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-29 23:33 - 2015-03-29 23:33 - 00000280 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-03-29 22:56 - 2015-03-30 12:03 - 00000600 ____H () C:\ProgramData\@system.temp
2015-03-29 22:56 - 2015-03-30 12:03 - 00000336 ____H () C:\ProgramData\@system3.att
2015-03-29 22:55 - 2015-03-29 22:55 - 00000480 ____H () C:\Users\Will\AppData\Roaming\麽鎒駓覜
2011-06-27 17:38 - 2011-06-27 17:51 - 0011452 ___SH () C:\Users\Will\AppData\Local\7d23l3abdp2i5u1jej48
2015-03-30 02:25 - 2015-03-30 02:25 - 0045688 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.PNG
C:\Users\Administrator\AppData\Local\Temp\i4jdel0.exe
C:\Users\Will\AppData\Local\Temp\DivXSetup.exe
C:\Users\Will\AppData\Local\Temp\i4jdel0.exe
C:\Users\Will\AppData\Local\Temp\i4jdel1.exe
C:\Users\Will\AppData\Local\Temp\i4jdel2.exe
C:\Users\Will\AppData\Local\Temp\i4jdel3.exe
C:\Users\Will\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\Will\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Will\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.135\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.99\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.57\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.69\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{29A96789-9595-4947-BEDB-0FCC776F7DB8}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.2.183.39\goopdate.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.79\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.23.9\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.145\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.153\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.165\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.65\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.22.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{F7117AE6-81F2-45B8-96EE-56F6FD357A48}\InprocServer32 -> C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}\gameux.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.24.7\psuser.dll No File
AlternateDataStreams: C:\Users\Will\Cookies:BdPnyAO7YF1dsvV0niTuddR1
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Classes\exefile: <===== ATTENTION!
C:\e810ea39
C:\Users\Will\AppData\Roaming\e810ea39.exe
C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e810ea39.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
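
As an added example (not from this thread, and not part of FRST or any other tool named here), the following read-only PowerShell script checks the same per-user persistence points the fixlist above removes: HKCU Run values, the per-user Startup folder, a per-user exefile class (HKCU\Software\Classes is merged over HKLM\Software\Classes for that account, so a shell\open\command there is consulted on every .exe launch), MountPoints2 AutoRun commands, and services or drivers whose ImagePath names a file that no longer exists (what FRST marks with [X]). The trusted-root list, the category names and the output format are my assumptions; the script reports and changes nothing.

```powershell
# Added example (not from the thread, not FRST): read-only audit of the per-user
# persistence points the fixlist targets. Windows PowerShell 5.1, run as the affected
# user; reading HKLM\SYSTEM\...\Services may need an elevated prompt for some keys.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Category, [string]$Detail) {
    $script:findings.Add(("{0,-12} {1}" -f $Category, $Detail))
}

# Reduce a command line ("C:\x\y.exe" /arg, C:\x\y.exe -k foo, ...) to its image path.
function Get-ImagePathFromCommand([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = $Command.Trim()
    if (Test-Path -LiteralPath $c -ErrorAction SilentlyContinue) { return $c }   # unquoted path with spaces
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(\S+?\.(exe|dll|sys|scr|bat|cmd|vbs|js))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

# Assumption: autostarts under these roots are ordinary; anything else is reported.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }

# 1. HKCU Run values (the fixlist removed e810ea3 / e810ea39 from here).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell's PSPath etc.
        $img = [Environment]::ExpandEnvironmentVariables("$(Get-ImagePathFromCommand "$($p.Value)")")
        $trusted = $false
        foreach ($root in $trustedRoots) { if ($img -like "$root\*") { $trusted = $true } }
        if (-not $trusted) { Add-Finding 'Run' "$($p.Name) => $($p.Value)" }
    }
}

# 2. Per-user Startup folder (the fixlist removed e810ea39.exe from here).
Get-ChildItem -LiteralPath ([Environment]::GetFolderPath('Startup')) -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(exe|dll|scr|bat|cmd|vbs|js|lnk)$' } |
    ForEach-Object { Add-Finding 'Startup' $_.FullName }

# 3. Per-user exefile class. HKCU\Software\Classes is merged over HKLM\Software\Classes
#    for this account, so a shell\open\command here is consulted for every .exe launch.
$exefile = 'HKCU:\Software\Classes\exefile'
if (Test-Path $exefile) {
    $cmd = (Get-ItemProperty "$exefile\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    Add-Finding 'exefile' "per-user exefile class present; open command = [$cmd]"
}

# 4. MountPoints2 entries that carry an AutoRun command for a drive.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem $mp -ErrorAction SilentlyContinue | ForEach-Object {
    $ar = Get-ItemProperty "$($_.PSPath)\Shell\AutoRun\command" -ErrorAction SilentlyContinue
    if ($ar) { Add-Finding 'MountPoints2' "$($_.PSChildName) => $($ar.'(default)')" }
}

# 5. Services and drivers whose ImagePath names a file that is gone (FRST's "[X]").
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $ip = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $ip) { return }                               # no ImagePath: kernel default, not flagged
    $norm = $ip -replace '^\\\?\?\\', '' `
                -replace '^\\SystemRoot', $env:windir `
                -replace '^system32\\', "$env:windir\system32\"
    $path = [Environment]::ExpandEnvironmentVariables("$(Get-ImagePathFromCommand $norm)")
    if ($path -and -not (Test-Path -LiteralPath $path)) {
        Add-Finding 'Service' "$($_.PSChildName) => $ip (file missing)"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it before and after a fix like the one above: the Run, Startup and exefile findings should disappear, and any service still reported as "file missing" is a candidate for the next fixlist. Entries under the trusted roots are not reported, so a binary dropped into Program Files would be missed; widen or drop the `$trustedRoots` filter if that is a concern.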

#3 wbmcelroy
  • Topic Starter
  • Members
  • 9 posts

Posted 30 March 2015 - 09:39 PM

Hello! Thanks very much for your attention and assistance! To answer your first few questions, yes, I recognize that APTuner program; it's just a guitar tuning application I've had on my computer for years. But more importantly, yes, I do have encrypted files, which I somehow only noticed about an hour before receiving your reply. Most but not all of my multimedia files (music, video, etc.) have been encrypted with little ransom note files deposited in each folder, making it pretty easy to see I'd become a victim of this "Cryptowall 3.0" thing. I know that much because it's right there in the ransom note, and after googling it the outlook doesn't look good for all my files. I do have most of my music library backed up on an external hard drive, but ironically not my more personal and irreplaceable audio files. I don't have any system restore points saved, and I've read about possibly restoring some files with "Shadow Explorer" but obviously I won't try that until you give me the go-ahead. Hopefully the window for that kind of restoration isn't too brief, if it's possible at all.

Anyway, thanks again. My Summary zip is attached and here is my Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Will at 2015-03-30 21:10:31 Run:1
Running from C:\Users\Will\Desktop
Loaded Profiles: Will (Available profiles: Will & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [e810ea3] => C:\e810ea39\e810ea39.exe [241725 2015-03-29] ()
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\Run: [e810ea39] => C:\Users\Will\AppData\Roaming\e810ea39.exe [241725 2015-03-29]
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\...\MountPoints2: {f3932003-02ca-11de-bfae-001d099ee848} - H:\Autorun.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-1000 -> {674658B3-D94C-4E34-A590-F49E219117A1} URL =
SearchScopes: HKU\S-1-5-21-3201667610-412620177-4289885976-1000 -> {A175D078-DCB0-43C7-BEA6-0D0CA0251869} URL =
Toolbar: HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S4 adfs; No ImagePath
S4 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 mcdbus; system32\DRIVERS\mcdbus.sys [X]
S4 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S4 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S4 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S4 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 uti5mzy3; \??\C:\Windows\system32\Drivers\uti5mzy3.sys [X]
2015-03-30 02:31 - 2015-03-30 02:31 - 00008598 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-30 02:31 - 2015-03-30 02:31 - 00008598 _____ () C:\Users\Will\AppData\HELP_DECRYPT.HTML
2015-03-30 02:31 - 2015-03-30 02:31 - 00004242 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-30 02:31 - 2015-03-30 02:31 - 00004242 _____ () C:\Users\Will\AppData\HELP_DECRYPT.TXT
2015-03-30 02:31 - 2015-03-30 02:31 - 00000280 _____ () C:\Users\Will\AppData\Roaming\HELP_DECRYPT.URL
2015-03-30 02:31 - 2015-03-30 02:31 - 00000280 _____ () C:\Users\Will\AppData\HELP_DECRYPT.URL
2015-03-30 02:25 - 2015-03-30 02:25 - 00008598 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.HTML
2015-03-30 02:25 - 2015-03-30 02:25 - 00004242 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.TXT
2015-03-30 02:25 - 2015-03-30 02:25 - 00000280 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.URL
2015-03-29 23:33 - 2015-03-29 23:33 - 00008598 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-29 23:33 - 2015-03-29 23:33 - 00004242 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-29 23:33 - 2015-03-29 23:33 - 00000280 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-03-29 22:56 - 2015-03-30 12:03 - 00000600 ____H () C:\ProgramData\@system.temp
2015-03-29 22:56 - 2015-03-30 12:03 - 00000336 ____H () C:\ProgramData\@system3.att
2015-03-29 22:55 - 2015-03-29 22:55 - 00000480 ____H () C:\Users\Will\AppData\Roaming\????
2011-06-27 17:38 - 2011-06-27 17:51 - 0011452 ___SH () C:\Users\Will\AppData\Local\7d23l3abdp2i5u1jej48
2015-03-30 02:25 - 2015-03-30 02:25 - 0045688 _____ () C:\Users\Will\AppData\Local\HELP_DECRYPT.PNG
C:\Users\Administrator\AppData\Local\Temp\i4jdel0.exe
C:\Users\Will\AppData\Local\Temp\DivXSetup.exe
C:\Users\Will\AppData\Local\Temp\i4jdel0.exe
C:\Users\Will\AppData\Local\Temp\i4jdel1.exe
C:\Users\Will\AppData\Local\Temp\i4jdel2.exe
C:\Users\Will\AppData\Local\Temp\i4jdel3.exe
C:\Users\Will\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\Will\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Will\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.135\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.99\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.57\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.69\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{29A96789-9595-4947-BEDB-0FCC776F7DB8}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.2.183.39\goopdate.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.79\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.23.9\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.145\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.153\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.165\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.65\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.22.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{F7117AE6-81F2-45B8-96EE-56F6FD357A48}\InprocServer32 -> C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}\gameux.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Will\AppData\Local\Google\Update\1.3.24.7\psuser.dll No File
AlternateDataStreams: C:\Users\Will\Cookies:BdPnyAO7YF1dsvV0niTuddR1
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Classes\exefile: <===== ATTENTION!
C:\e810ea39
C:\Users\Will\AppData\Roaming\e810ea39.exe
C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e810ea39.exe
*****************

HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Run\\e810ea3 => value deleted successfully.
HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Run\\e810ea39 => Value not found.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f3932003-02ca-11de-bfae-001d099ee848}" => Key deleted successfully.
HKCR\CLSID\{f3932003-02ca-11de-bfae-001d099ee848} => Key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}" => Key deleted successfully.
HKCR\CLSID\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} => Key not found.
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{674658B3-D94C-4E34-A590-F49E219117A1}" => Key deleted successfully.
HKCR\CLSID\{674658B3-D94C-4E34-A590-F49E219117A1} => Key not found.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A175D078-DCB0-43C7-BEA6-0D0CA0251869}" => Key deleted successfully.
HKCR\CLSID\{A175D078-DCB0-43C7-BEA6-0D0CA0251869} => Key not found.
HKU\S-1-5-21-3201667610-412620177-4289885976-500-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-0\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\Toolbar: HKU\S-1-5-21-3201667610-412620177-4289885976-500-{{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value not found.
HKCR\CLSID\Toolbar: HKU\S-1-5-21-3201667610-412620177-4289885976-500-{{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
adfs => Service deleted successfully.
IpInIp => Service deleted successfully.
mcdbus => Service deleted successfully.
MREMP50a64 => Service deleted successfully.
MRESP50a64 => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.
uti5mzy3 => Service deleted successfully.
C:\Users\Will\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Will\AppData\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Will\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Will\AppData\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Will\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Will\AppData\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Will\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Will\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Will\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.
C:\ProgramData\HELP_DECRYPT.TXT => Moved successfully.
C:\ProgramData\HELP_DECRYPT.URL => Moved successfully.
C:\ProgramData\@system.temp => Moved successfully.
C:\ProgramData\@system3.att => Moved successfully.

"C:\Users\Will\AppData\Roaming\????" directory move:

Could not move "C:\Users\Will\AppData\Roaming\????" directory. => Scheduled to move on reboot.

C:\Users\Will\AppData\Local\7d23l3abdp2i5u1jej48 => Moved successfully.
C:\Users\Will\AppData\Local\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\i4jdel0.exe => Moved successfully.
C:\Users\Will\AppData\Local\Temp\DivXSetup.exe => Moved successfully.
C:\Users\Will\AppData\Local\Temp\i4jdel0.exe => Moved successfully.
C:\Users\Will\AppData\Local\Temp\i4jdel1.exe => Moved successfully.
C:\Users\Will\AppData\Local\Temp\i4jdel2.exe => Moved successfully.
C:\Users\Will\AppData\Local\Temp\i4jdel3.exe => Moved successfully.
C:\Users\Will\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe => Moved successfully.
C:\Users\Will\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe => Moved successfully.
C:\Users\Will\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe => Moved successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{29A96789-9595-4947-BEDB-0FCC776F7DB8}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{F7117AE6-81F2-45B8-96EE-56F6FD357A48}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}" => Key deleted successfully.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.
"C:\Users\Will\Cookies" => ":BdPnyAO7YF1dsvV0niTuddR1" ADS not found.
"HKU\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Classes\exefile" => Key deleted successfully.
C:\e810ea39 => Moved successfully.
C:\Users\Will\AppData\Roaming\e810ea39.exe => Moved successfully.
C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e810ea39.exe => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-03-30 21:14:03)<=

"C:\Users\Will\AppData\Roaming\????" => Directory could not move.

==== End of Fixlog 21:14:03 ====


#4 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 30 March 2015 - 10:13 PM

Greetings,

Unfortunately, there is no way for us to decrypt your files. However, we will otherwise try to clean your machine.

Please do this next.

===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all-inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Windows 8/7/Vista users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Combofix log
  • RogueKiller log
  • MiniToolBox log
  • Update on your computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
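
As an added example (not from this thread and not MiniToolBox itself), here is a PowerShell script that reports the same network-side settings the MiniToolBox step above asks for, and resets nothing: Internet Explorer proxy settings, Firefox proxy prefs, non-default hosts entries, IP and DNS configuration, and the Winsock provider catalog with a check that each provider DLL exists and lives under System32. The function names, the column layout and the assumption of English-language netsh output are mine.

```powershell
# Added example (not from the thread and not MiniToolBox): report the network settings
# MiniToolBox is asked to report, without resetting anything. Windows PowerShell 5.1.
# Assumption: English netsh output (the "Description:" / "Provider Path:" labels).

function Get-IeProxyReport {
    # Internet Explorer (and other WinINet users) proxy settings for the current user.
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL     # a PAC script here steers traffic even with ProxyEnable = 0
        ProxyOverride = $p.ProxyOverride
    }
}

function Get-FirefoxProxyReport {
    # Firefox keeps proxy prefs per profile in prefs.js as user_pref("network.proxy.*", ...).
    $root = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem $root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $profileName = $_.Name
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            Select-String -Path $prefs -Pattern 'user_pref\("network\.proxy\.' |
                ForEach-Object { "{0}: {1}" -f $profileName, $_.Line.Trim() }
        }
    }
}

function Get-HostsReport {
    # Everything except comments and the default localhost lines.
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_.Trim() -and $_.Trim() -notmatch '^#' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

function Get-IpConfigReport {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder, DHCPEnabled
}

function Get-WinsockReport {
    # Base and layered service providers sit in the path of every socket call. A provider
    # whose DLL is missing or lives outside System32 is where Winsock hijacks show up.
    $entries = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Description:\s*(.+)$') {
            $current = @{ Description = $Matches[1].Trim() }
        } elseif ($current -and $line -match '^\s*Provider Path:\s*(.+)$') {
            $path = [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
            $current.Path = $path
            $current.FileExists = Test-Path -LiteralPath $path
            $current.InSystem32 = $path -like "$env:windir\System32\*"
            $entries += [pscustomobject]$current
            $current = $null
        }
    }
    $entries   # namespace providers have no Provider Path and are not listed
}

'== IE proxy =='            ; Get-IeProxyReport | Format-List
'== Firefox proxy prefs ==' ; Get-FirefoxProxyReport
'== hosts (non-default) ==' ; Get-HostsReport
'== IP configuration =='    ; Get-IpConfigReport | Format-List
'== Winsock providers =='   ; Get-WinsockReport | Format-Table Description, FileExists, InSystem32, Path -AutoSize
```

On a clean machine the hosts section is empty, ProxyEnable is 0 with no AutoConfigURL, and every Winsock provider shows FileExists and InSystem32 as True. A provider row with FileExists False is the Winsock counterpart of the orphaned services in the Fixlog and should be cleared with the tool's reset option rather than by deleting the DLL.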

#5 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 30 March 2015 - 10:48 PM

Wanted to let you know I am ending for the evening but will be back early in the morning.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 wbmcelroy
  • Topic Starter
  • Members
  • 9 posts

Posted 30 March 2015 - 11:19 PM

Hello, thanks again for your generosity and diligence. :) As for my computer's performance, I can't say I've experienced anything suspicious since running those programs as instructed, and Task Manager doesn't show Internet Explorer running in the background as it had been. So, things are looking good on that front. Meanwhile, here are my Combofix, RogueKiller and MiniToolBox logs, respectively:

ComboFix 15-03-29.01 - Will 03/30/2015  22:32:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2036.936 [GMT -5:00]
Running from: c:\users\Will\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Will\AppData\Local\Slick Savings
c:\users\Will\AppData\Local\Slick Savings\coupons.crx
.
.
(((((((((((((((((((((((((   Files Created from 2015-02-28 to 2015-03-31  )))))))))))))))))))))))))))))))
.
.
2015-03-31 03:44 . 2015-03-31 03:45    --------    d-----w-    c:\users\Will\AppData\Local\temp
2015-03-31 03:44 . 2015-03-31 03:44    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-03-31 03:44 . 2015-03-31 03:44    --------    d-----w-    c:\users\Administrator\AppData\Local\temp
2015-03-31 02:06 . 2015-03-31 02:10    --------    d-----w-    c:\users\Will\AppData\Local\CrashDumps
2015-03-31 01:06 . 2015-03-31 01:20    35064    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2015-03-31 01:06 . 2015-03-31 01:16    --------    d-----w-    c:\programdata\RogueKiller
2015-03-30 17:38 . 2015-03-31 02:14    --------    d-----w-    C:\FRST
2015-03-30 05:02 . 2014-11-21 11:14    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-03-30 05:02 . 2014-11-21 11:14    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-03-30 05:02 . 2015-03-30 05:03    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2015-03-30 03:55 . 2015-03-30 03:55    --------    d-----w-    c:\users\Will\AppData\Roaming\FrameworkUpdate
2015-03-30 03:41 . 2015-03-30 05:50    --------    d--h--w-    c:\programdata\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}
2015-03-27 06:53 . 2015-03-27 06:53    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{D647FE3E-7D66-4ED1-8025-84963C49898C}\offreg.dll
2015-03-27 06:25 . 2015-03-14 10:06    9119072    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{D647FE3E-7D66-4ED1-8025-84963C49898C}\mpengine.dll
2015-03-10 20:33 . 2015-01-29 01:35    369664    ----a-w-    c:\windows\system32\WMPhoto.dll
2015-03-10 20:33 . 2015-01-29 01:35    975360    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2015-03-10 20:33 . 2015-02-26 00:18    2064384    ----a-w-    c:\windows\system32\win32k.sys
2015-03-10 20:23 . 2015-02-20 02:03    34304    ----a-w-    c:\windows\system32\atmlib.dll
2015-03-10 20:23 . 2015-02-20 00:28    296960    ----a-w-    c:\windows\system32\atmfd.dll
2015-03-10 20:23 . 2015-02-26 02:01    3604408    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2015-03-10 20:23 . 2015-01-09 02:04    49152    ----a-w-    c:\windows\system32\csrsrv.dll
2015-03-10 20:23 . 2015-01-09 00:18    64000    ----a-w-    c:\windows\system32\smss.exe
2015-03-10 20:23 . 2015-02-26 02:01    3552184    ----a-w-    c:\windows\system32\ntoskrnl.exe
2015-03-10 20:22 . 2015-01-21 02:02    807936    ----a-w-    c:\windows\system32\msctf.dll
2015-03-10 20:22 . 2015-03-06 04:01    279040    ----a-w-    c:\windows\system32\schannel.dll
2015-03-10 20:21 . 2014-10-13 01:12    2264064    ----a-w-    c:\windows\system32\msi.dll
2015-03-10 18:48 . 2015-02-21 17:20    768512    ----a-w-    c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-31 02:13 . 2011-03-21 18:24    114904    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2015-03-21 16:56 . 2012-04-12 18:36    778928    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-03-21 16:56 . 2011-05-26 06:56    142512    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2015-02-24 09:23 . 2009-10-02 17:57    246920    ------w-    c:\windows\system32\MpSigStub.exe
2015-01-16 18:05 . 2015-01-16 18:05    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2015-01-15 04:13 . 2015-02-12 09:04    440760    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02    94208    ----a-w-    c:\users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02    94208    ----a-w-    c:\users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02    94208    ----a-w-    c:\users\Will\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetLimiter"="c:\program files\NetLimiter 3\NLClientApp.exe" [2013-10-11 1844864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 180224]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-11-12 6687264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2014-02-28 558496]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2014-05-28 455512]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2014-01-10 1861968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-10-02 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-17 06:22    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=Digi32.dll
"MIDI1"=diomidi.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2014-10-11 18:05    60712    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConduitFloatingPlugin_fdkednngfjmpnljkolbapdednncafhen]
1617-11-28 21:56    287008    ----a-w-    c:\program files\Conduit\CT3298566\plugins\TBVerifier.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2006-11-02 09:45    8704    ----a-w-    c:\windows\System32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
2007-10-31 05:35    77824    ----a-w-    c:\program files\Digidesign\Drivers\MMERefresh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-29 04:18    17920    ----a-w-    c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25    125952    ----a-w-    c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2014-10-15 10:42    157480    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28    1233920    ----a-w-    c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2014-09-01 22:53    5951488    ----a-w-    c:\users\Will\AppData\Roaming\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2014-09-01 22:53    1168896    ----a-w-    c:\users\Will\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00    90112    ------w-    c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2015-01-24 02:12    1677904    ----a-w-    c:\users\Will\AppData\Roaming\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25    202240    ----a-w-    c:\program files\Windows Media Player\wmpnscfg.exe
.
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2008-09-25 81920]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2015-03-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 16:56]
.
2015-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 07:21]
.
2015-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 07:21]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\a1iydv5s.default-1422117613929\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Google Update - c:\users\Will\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 14\pccguide.exe
MSConfigStartUp-SearchProtect - c:\users\Will\AppData\Roaming\SearchProtect\bin\cltmng.exe
MSConfigStartUp-SearchProtectAll - c:\program files\SearchProtect\bin\cltmng.exe
MSConfigStartUp-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-clrmamepro - c:\users\Will\Desktop\mame\clrmamepro\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-03-30 22:45
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2015-03-30  22:48:46
ComboFix-quarantined-files.txt  2015-03-31 03:48
.
Pre-Run: 3,257,851,904 bytes free
Post-Run: 5,690,712,064 bytes free
.
- - End Of File - - 8CD2B0F4A50C2277EE1D070E6BA39655
5C616939100B85E558DA92B899A0FC36

RogueKiller V10.5.8.0 [Mar 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Will [Administrator]
Started from : C:\Users\Will\Desktop\RogueKiller.exe
Mode : Scan -- Date : 03/30/2015  23:00:35

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\Will\AppData\Local\Temp\catchme.sys) -> Found
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr (\??\C:\ComboFix\mbr.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\Will\AppData\Local\Temp\catchme.sys) -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : actsvr.comcastonline.com:8100  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_D_3B25\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_D_3B25\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 8 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_POWER[22] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x852081f8
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\system32\DRIVERS\fdc.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500AAJS-75B4A0 ATA Device +++++
--- User ---
[MBR] 03b531728b05dd75d9e786b1dd1ac1d3
[BSP] bdf99326810b3ea5b3c85f61013cb3ba : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 112640 | Size: 10240 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21084160 | Size: 228122 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_03302015_201454.log - RKreport_DEL_03302015_201613.log - RKreport_DEL_03302015_202449.log - RKreport_DEL_03302015_202454.log
RKreport_DEL_03302015_203429.log - RKreport_SCN_03302015_201403.log - RKreport_SCN_03302015_202416.log

MiniToolBox by Farbar  Version: 09-03-2015
Ran by Will (administrator) on 30-03-2015 at 23:06:38
Running from "C:\Users\Will\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Model: Inspiron 530 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: actsvr.comcastonline.com:8100

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

Broadcom 802.11g Network Adapter = Wireless Network Connection (Connected)
Intel® 82562V-2 10/100 Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add address name="Local Area Connection" address=0.0.0.0


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Will-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
   Physical Address. . . . . . . . . : 00-22-15-F5-C1-2D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::24d9:4a7d:1bed:8676%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 30, 2015 9:12:15 PM
   Lease Expires . . . . . . . . . . : Monday, April 06, 2015 10:47:15 PM
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 201335317
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-62-1C-2D-00-1D-09-9E-E8-48
   DNS Servers . . . . . . . . . . . : 75.75.75.75
                                       75.75.76.76
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel® 82562V-2 10/100 Network Connection
   Physical Address. . . . . . . . . : 00-1D-09-9E-E8-48
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{442BE672-A289-4FCA-BC6F-F6F289B3FF3E}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:8d2:2ef9:f5ff:fffc(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8d2:2ef9:f5ff:fffc%10(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{9B5A7FE8-CE58-4191-86E0-F553EF3A779B}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  cdns01.comcast.net
Address:  75.75.75.75

Name:    google.com
Addresses:  2607:f8b0:400f:803::200e
      216.58.217.46



Pinging google.com [173.194.115.35] with 32 bytes of data:

Reply from 173.194.115.35: bytes=32 time=17ms TTL=55

Reply from 173.194.115.35: bytes=32 time=18ms TTL=55



Ping statistics for 173.194.115.35:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 17ms, Maximum = 18ms, Average = 17ms

Server:  cdns01.comcast.net
Address:  75.75.75.75

Name:    yahoo.com
Addresses:  98.139.183.24
      98.138.253.109
      206.190.36.45



Pinging yahoo.com [98.139.183.24] with 32 bytes of data:

Reply from 98.139.183.24: bytes=32 time=60ms TTL=49

Reply from 98.139.183.24: bytes=32 time=59ms TTL=49



Ping statistics for 98.139.183.24:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 59ms, Maximum = 60ms, Average = 59ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
 12 ...00 22 15 f5 c1 2d ...... Broadcom 802.11g Network Adapter
 11 ...00 1d 09 9e e8 48 ...... Intel® 82562V-2 10/100 Network Connection
  1 ........................... Software Loopback Interface 1
 13 ...00 00 00 00 00 00 00 e0  isatap.{442BE672-A289-4FCA-BC6F-F6F289B3FF3E}
 10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 19 ...00 00 00 00 00 00 00 e0  isatap.{9B5A7FE8-CE58-4191-86E0-F553EF3A779B}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1         10.0.0.3     31
         10.0.0.0    255.255.255.0         On-link          10.0.0.3    286
         10.0.0.3  255.255.255.255         On-link          10.0.0.3    286
       10.0.0.255  255.255.255.255         On-link          10.0.0.3    286
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.0.0.3    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.0.0.3    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 10     18 ::/0                     On-link
  1    306 ::1/128                  On-link
 10     18 2001::/32                On-link
 10    266 2001:0:9d38:6abd:8d2:2ef9:f5ff:fffc/128
                                    On-link
 12    286 fe80::/64                On-link
 10    266 fe80::/64                On-link
 10    266 fe80::8d2:2ef9:f5ff:fffc/128
                                    On-link
 12    286 fe80::24d9:4a7d:1bed:8676/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    266 ff00::/8                 On-link
 12    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48640] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

**** End of log ****

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,978 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:46 PM

Posted 31 March 2015 - 09:06 AM

Great, I would like to clean up a few entries and follow up on some information in one of the reports. Please do this.

===================================================

RogueKiller Selecting Deletions

--------------------
  • Close any open programs
  • Please disconnect any USB or external drives from the computer before you run the scan
  • For Vista/7 users right click on the RogueKiller icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • Allow the Prescan to finish
  • Click Scan
  • When the Status box shows Scan Finished place a checkmark in the following and select Delete

[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\Will\AppData\Local\Temp\catchme.sys) -> Found
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr (\??\C:\ComboFix\mbr.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\Will\AppData\Local\Temp\catchme.sys) -> Found

  • Click Report
  • Copy and paste the contents of the report in your reply
===================================================

Malwarebytes Anti-Rootkit - Scan Only

--------------------
  • Download Malwarebytes Anti-Rootkit (mbar) and save it to your desktop
  • Unzip the folder to your desktop
  • Double click the mbar icon and select Run
  • Click OK to install it on your desktop
  • If you receive a User Account Control prompt allow it to run
  • If you receive a notification regarding Probable rootkit activity detected please write down the information, include it in your reply and click No
  • If you receive the following screen select Yes and your computer will be restarted

dda-driver-warning.png

  • Click Next on the following screen

start-screen.png

  • On the Update Database: screen click Update to download the latest definition updates then click Next

database-update.png

  • On the Scan System: screen place checkmarks in the Drivers, Sectors, and System boxes (should be checked by default) then click Scan. Please be patient and allow the process to complete

scan-system.png

  • Click the Exit button not Cleanup
  • A system-log report will be created in the mbar folder, please copy and paste the contents in your reply
===================================================

aswMBR

--------------------
  • Download aswMBR and save it to your desktop.
  • Please disable the real-time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

aswMBR1.png

  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

aswMBR2.png

  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • RogueKiller log
  • MBAR report
  • aswMBR report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 wbmcelroy

wbmcelroy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 31 March 2015 - 09:19 PM

Hello! Sorry for the delay in these reports; the last scan didn't finish while I was still at home. I've got the three you asked for now though, if you'd like to take a look whenever is convenient for you. :) Thanks!

RogueKiller V10.5.8.0 [Mar 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Will [Administrator]
Started from : C:\Users\Will\Desktop\RogueKiller.exe
Mode : Delete -- Date : 03/31/2015  14:10:46

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> Deleted
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> Deleted
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3201667610-412620177-4289885976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_D_CBD0\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_D_CBD0\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 8 (Driver: Loaded) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_POWER[22] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x852081f8
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x852081f8
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\system32\DRIVERS\fdc.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500AAJS-75B4A0 ATA Device +++++
--- User ---
[MBR] 03b531728b05dd75d9e786b1dd1ac1d3
[BSP] bdf99326810b3ea5b3c85f61013cb3ba : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 112640 | Size: 10240 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21084160 | Size: 228122 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_03302015_201454.log - RKreport_DEL_03302015_201613.log - RKreport_DEL_03302015_202449.log - RKreport_DEL_03302015_202454.log
RKreport_DEL_03302015_203429.log - RKreport_SCN_03302015_201403.log - RKreport_SCN_03302015_202416.log - RKreport_SCN_03302015_230035.log
RKreport_SCN_03312015_140626.log

 

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 2135375872, free: 433852416

Downloaded database version: v2015.03.31.07
Downloaded database version: v2015.03.31.01
Downloaded database version: v2015.03.09.01
Initializing...
======================
This version of Malwarebytes Anti-Rootkit requires you to completely exit the Malwarebytes Anti-Malware application to continue.
Initializing...
======================
------------ Kernel report ------------
     03/31/2015 14:16:06
------------ Loaded modules -----------
----------- End -----------
Done!
IRP handler 0 of \Driver\atapi points to an unknown module
Unhooking enabled.

Scan started
Database versions:
  main:    v2015.03.31.07
  rootkit: v2015.03.31.01

<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85a7aac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85255528
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85a7aac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85977150, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85a7aac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff852a08c8, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85255528, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xffffffff88de7428, 0xffffffff85a7aac8, 0xffffffff8550fac8
Lower DeviceData: 0xffffffffbdb4a330, 0xffffffff85255528, 0xffffffff87b4ec20
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 30000000

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 112392

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 112640  Numsec = 20971520

    Partition 2 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 21084160  Numsec = 467193856
    Partition file system is NTFS
    Partition is bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250000000000 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-2-21084160-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 

 

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-03-31 14:49:58
-----------------------------
14:49:58.077    OS Version: Windows 6.0.6002 Service Pack 2
14:49:58.079    Number of processors: 2 586 0xF0D
14:49:58.080    ComputerName: WILL-PC  UserName: Will
14:50:02.394    Initialize success
14:50:02.427    VM: initialized successfully
14:50:02.429    VM: Intel CPU virtualization not supported
14:52:16.471    AVAST engine defs: 15033101
14:52:29.354    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:52:29.358    Disk 0 Vendor: WDC_WD2500AAJS-75B4A0 01.03A01 Size: 238418MB BusType: 3
14:52:29.373    Disk 0 MBR read successfully
14:52:29.377    Disk 0 MBR scan
14:52:29.448    Disk 0 Windows VISTA default MBR code
14:52:29.453    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       54 MB offset 63
14:52:29.475    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10240 MB offset 112640
14:52:29.492    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       228122 MB offset 21084160
14:52:29.503    Disk 0 scanning sectors +488278016
14:52:29.620    Disk 0 scanning C:\Windows\system32\drivers
14:52:47.135    Service scanning
14:53:11.230    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
14:53:19.106    Modules scanning
14:53:19.116    Disk 0 trace - called modules:
14:53:19.144    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x852081f8]<<
14:53:19.153    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a7aac8]
14:53:19.161    3 CLASSPNP.SYS[8859d8b3] -> nt!IofCallDriver -> [0x852a08c8]
14:53:19.170    5 acpi.sys[805bd6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85255528]
14:53:19.178    \Driver\atapi[0x8524f7f8] -> IRP_MJ_CREATE -> 0x852081f8
14:53:20.737    AVAST engine scan C:\Windows
14:53:35.758    AVAST engine scan C:\Windows\system32
14:59:18.120    AVAST engine scan C:\Windows\system32\drivers
14:59:33.801    AVAST engine scan C:\Users\Will
16:37:54.296    File: C:\Users\Will\Documents\The SHE'S\XvidSetup.exe  **INFECTED** Win32:Adware-gen [Adw]
17:02:49.927    AVAST engine scan C:\ProgramData
17:36:07.354    File: C:\ProgramData\RogueKiller\Quarantine\CF81AAE2D036A7D9.vir  **INFECTED** Win32:Malware-gen
17:37:56.009    Disk 0 statistics 4511808/0/0 @ 0.26 MB/s
17:37:56.010    Scan finished successfully
21:12:40.304    Disk 0 MBR has been saved successfully to "C:\Users\Will\Desktop\MBR.dat"
21:12:40.312    The log file has been saved successfully to "C:\Users\Will\Desktop\aswMBR.txt"
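
The MBAR and RogueKiller reports above both print what they read from sector 0 of the disk: the 55AA boot signature, the disk signature, and four 16-byte partition entries (status, type, start LBA, sector count). The script below is an added example, not part of this thread or of either tool: it assembles a 512-byte MBR from the logged values (the boot-code area is zero-filled and the byte order of the disk signature is an assumption chosen to match the logged 30000000), parses it back, and applies the layout checks an anti-rootkit tool makes before trusting a partition table (exactly one active partition, no overlap, nothing past the end of the 250000000000-byte disk). The function names `build_mbr`, `parse_mbr` and `check_layout` are this example's own.

```python
import struct
from dataclasses import dataclass

SECTOR_BYTES = 512
DISK_SIG_OFF = 440       # 4-byte disk signature (MBAR: "Disk Signature: 30000000")
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA (MBAR: "MBR Signature: 55AA")
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count

@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    start_lba: int
    num_sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.num_sectors

    @property
    def size_mb(self) -> int:
        # RogueKiller prints whole MB: 112392 sectors -> 54 MB, 20971520 -> 10240 MB
        return self.num_sectors * SECTOR_BYTES // (1024 * 1024)

def build_mbr(entries, disk_sig_hex="30000000") -> bytes:
    """Assemble a 512-byte MBR from (active, type, start_lba, num_sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if act else 0, b"\0\0\0", typ, b"\0\0\0", lba, n)
                     for act, typ, lba, n in entries)
    table += b"\0" * (64 - len(table))  # unused slots stay zero ("type is Empty (0x0)")
    # Boot code is zero-filled; the byte order of the disk signature is an assumption.
    return b"\0" * DISK_SIG_OFF + bytes.fromhex(disk_sig_hex) + b"\0\0" + table + b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Return boot signature, disk signature and the four partition entries."""
    if len(sector) != SECTOR_BYTES:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError(f"bad boot signature {sector[BOOT_SIG_OFF:].hex()}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, typ, _, lba, n = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if status not in (0x00, 0x80):  # any other value means a corrupted entry
            raise ValueError(f"partition {i}: invalid status byte {status:#04x}")
        parts.append(Partition(i, status == 0x80, typ, lba, n))
    return {"boot_signature": sector[BOOT_SIG_OFF:].hex().upper(),
            "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex().upper(),
            "partitions": parts}

def check_layout(parts, disk_bytes: int) -> list:
    """Layout sanity checks; an empty list means the table is self-consistent."""
    findings = []
    used = [p for p in parts if p.type_id != 0 and p.num_sectors > 0]
    if sum(p.active for p in used) != 1:
        findings.append("expected exactly one active (bootable) partition")
    total_sectors = disk_bytes // SECTOR_BYTES
    for p in used:
        if p.end_lba > total_sectors:
            findings.append(f"partition {p.index} extends past the end of the disk")
    used.sort(key=lambda p: p.start_lba)
    for a, b in zip(used, used[1:]):
        if a.end_lba > b.start_lba:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings

# Constructed from the logged values: DELL-UTIL (0xde), boot NTFS, active NTFS (C:)
LOGGED_ENTRIES = [(False, 0xDE, 63, 112392), (False, 0x07, 112640, 20971520),
                  (True, 0x07, 21084160, 467193856)]
LOGGED_DISK_BYTES = 250000000000  # MBAR: "Disk Size: 250000000000 bytes"

if __name__ == "__main__":
    info = parse_mbr(build_mbr(LOGGED_ENTRIES))
    for p in info["partitions"]:
        print(f"{p.index} - type {p.type_id:#04x} {'ACTIVE' if p.active else 'NOT ACTIVE'} "
              f"LBA {p.start_lba} Numsec {p.num_sectors} ({p.size_mb} MB)")
    print("findings:", check_layout(info["partitions"], LOGGED_DISK_BYTES) or "none")
```

The end LBA of the active partition, 21084160 + 467193856 = 488278016, is the sector count aswMBR reports as "scanning sectors +488278016", and the MB sizes reproduce RogueKiller's 54 / 10240 / 228122.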

 

 



#9 Oh My!

  • Malware Response Instructor

Posted 31 March 2015 - 09:29 PM

Thanks, I got my answer and it is legit. A couple more scans please.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click Run ESET Online Scanner.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Click Enable detection of potentially unwanted applications
  • Accept any security warnings from your browser.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Check Uninstall application on close and Delete quarantined files
  • Click the Finish button.
  • Close the ESET window and reboot your computer
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 wbmcelroy

  • Topic Starter


Posted 01 April 2015 - 04:31 AM

OK, well, the ESET scanner got to 99% before it seemingly dead-ended at one file. This file was called "WSDApi.mof," but I wasn't able to see the whole file path. It was stuck on it for about an hour so I feel fairly confident that it wouldn't have gotten around it had I not pulled the plug, but I can always try again. Meanwhile, before it got stuck on that one file, it identified nearly 5000 files as potential threats. This is because the Cryptowall malware deposited its ransom instructions into every single folder in which it encrypted files, and ESET flagged each one. I hope this isn't a problem but I've gone ahead and excised a good chunk of the results, as my music folder contained a subfolder for each of 1400+ albums and I didn't feel eager to display my whole collection, not to mention that the redundancy of the list is more than apparent in the first 100 lines or so. The only thing I've noticed that wasn't the same ransom note is the last line. Let me know if you'd prefer to see the rest though, and perhaps I can DM it to you! Anyway, I'll get to the two results... thanks again for your time! Oh, and as for my PC's performance, I still haven't noticed any further problems in the last 24 hours! :)

 

[EDIT: now that I've tried to post it, the ESET threat list was still longer than the forum would allow so I zipped and attached it. I hope that's ok!]

 

 

 Results of screen317's Security Check version 0.99.99  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 JavaFX 2.1.1    
 Java 7 Update 71  
 Java version 32-bit out of Date!
 Adobe Flash Player     17.0.0.134  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (36.0.4)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 59 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


 


#11 Oh My!

  • Malware Response Instructor

Posted 01 April 2015 - 09:12 AM

It is not unheard of for scanners to get hung up on that file. It is not malicious.

It does not appear you have a Solid State Drive so you should take heed of the defrag notification in the Security Check report.

There are a few things we can still clean up. Please do these things.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
C:\Program Files\Conduit
C:\Program Files\Vuze
C:\Users\Will\Documents\The SHE'S\XvidSetup.exe
emptytemp:
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Update Adobe Reader

--------------------

Your Adobe Reader is out of date and a security concern. Here is some excellent information and a video which explains the importance of minimizing the risk of infection through compromised PDF files.
  • Please visit Adobe Reader
  • Uncheck the McAfee optional offer
  • Click Install now
  • Save the file to your desktop
  • Double click the installation icon
  • Select Run
  • When completed click Finish
  • Press the Windows key + R at the same time
  • Type appwiz.cpl, press Enter, and allow the Programs list to populate
  • Uninstall every Adobe Reader program except the one just downloaded and installed
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Did Adobe Reader update properly?
  • Are there any remaining issues?

Gary
 

#12 wbmcelroy

  • Topic Starter


Posted 01 April 2015 - 01:39 PM

FRST crashed before completing, but it seemed like it was well into the process of deleting temp files. Should I try to run it again, or first amend the fixlist?

 

The update of Adobe Reader seemed fine, and afterwards I didn't see any older versions listed.

 

I'll try to defrag my hard drive soon as suggested... let me know if there are any further steps I should take or if I should be "in the clear" to the best of your knowledge. Thanks so much for all your help - there's been a huge improvement!

 

Here's the Fixlog from the crashed FRST fix:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Will at 2015-04-01 12:28:46 Run:2
Running from C:\Users\Will\Desktop
Loaded Profiles: Will (Available profiles: Will & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
C:\Program Files\Conduit
C:\Program Files\Vuze
C:\Users\Will\Documents\The SHE'S\XvidSetup.exe
emptytemp:
*****************

C:\Program Files\Conduit => Moved successfully.
C:\Program Files\Vuze => Moved successfully.
C:\Users\Will\Documents\The SHE'S\XvidSetup.exe => Moved successfully.
 



#13 Oh My!

  • Malware Response Instructor


Posted 01 April 2015 - 01:56 PM

Greetings. It crashed because it couldn't handle the emptytemp command. Amend the Fixlist to only list the following and run it in Safe Mode.

emptytemp:

Gary
 

#14 wbmcelroy

  • Topic Starter


Posted 01 April 2015 - 03:54 PM

I'm attempting to run FRST in safe mode with the amended fix list, but each time the program freezes almost immediately after beginning the fix, and appears as "not responding" in the task manager. Is it possible that it's still working even though the GUI isn't responding? For what it's worth though, I don't see a discernible difference in my computer's memory and CPU usage when FRST appears frozen vs. when I'm not running anything. Strange...

#15 Oh My!

  • Malware Response Instructor


Posted 01 April 2015 - 04:01 PM

FRST is having difficulty handling the request, probably because of a large amount of Temp files. Let's do it this way.

===================================================

Temporary File Cleaner (TFC)

--------------------
  • Download TFC by OldTimer to your desktop.
  • Close any open windows
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run
  • Click the Start button to begin the process
  • Allow TFC to run uninterrupted
  • If the Program will not run properly run it in Safe Mode
  • Once it's finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean
NOTE: It's normal for the computer to boot more slowly the first time after running TFC

TFC will clear out all temporary folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. TFC only cleans temporary folders and will not clean URL history, prefetch, or cookies


===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • TFC results

Gary
 



