cryptowall and spyhunter causing all kinds of issues


24 replies to this topic

#1 ginavg

ginavg

  • Members
  • 55 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 05 April 2015 - 12:33 PM

Hi, I am an IT professional that is working on a friend's computer and she installed spyhunter. I would like to remove the program and also figure out how to unencrypt the files on the pc. The data is important to preserve and right now no documents or pictures can be opened. I would be very grateful if someone could work with me to remove the offending programs and unencrypt the files. I have good knowledge of the computer and malware removal, but would feel more comfortable with someone guiding me through this.


Any help is appreciated.


Thanks for reading this.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 06 April 2015 - 07:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

If this is the infection - CryptoWall and HELP_DECRYPT Ransomware Information Guide
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Other than paying the ransom if it's not too late there is nothing we can do to restore your files.
I know one thing: I would not trust them. Your call.

If you want us to clean what has been left over from the infections, please run these tools and submit the logs for my review.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.
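As an added example that is not part of this thread or of the FRST tool, the Python below performs the kind of first-pass triage a malware-response helper does by eye on the "Registry (Whitelisted)" section of the FRST.txt requested above: it flags FRST's own "<===== ATTENTION" and "<==== Poweliks!" markers, autorun entries that launch from user-writable locations (AppData, ProgramData), regsvr32/rundll32 loaders pointed at files with non-standard extensions, orphaned "No File" entries, a javascript: value stored directly in the registry, a disabled System Restore policy, and ransom notes dropped into the Startup folder. The sample lines are constructed after the entries posted later in this thread with the long encoded value elided, and every function and rule name is the example's own.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample in the format of FRST's "Registry (Whitelisted)" section,
# modelled on the entries posted later in this thread; the long localserver32
# payload is elided as "..." because only its shape matters for the rules below.
SAMPLE_FRST = r"""
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe"
HKLM\...\Policies\Explorer\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe" No File
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Ubpzmedia] => C:\Windows\SysWOW64\regsvr32.exe "C:\Users\Liz Blanco\AppData\Local\Edltion\IcuDevDrm24.dll"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [bsimoxb] => rundll32 "C:\Users\Liz Blanco\AppData\Local\bsimoxb.dll",bsimoxb <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [IuyuHdes] => regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ih8\..\mshtml,RunHTMLApplication ";eval("...") <==== Poweliks!
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
"""

MARKER_RE = re.compile(r"<===+\s*(\w+)")          # FRST's own "<===== ATTENTION" / "<==== Poweliks!"
NAME_RE = re.compile(r"\[([^\]]+)\]\s*=>")         # value name in "Run: [name] => command"
LOADER_RE = re.compile(r"\b(regsvr32|rundll32)(\.exe)?\b", re.I)
QUOTED_RE = re.compile(r'"([^"]+)"')               # first quoted argument after the loader
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData)\\", re.I)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
AUTORUN_KEYS = ("\\run:", "localserver32:", "startup:", "winlogon\\notify")
NORMAL_EXTENSIONS = {".exe", ".dll", ".ocx", ".cpl"}


@dataclass
class Finding:
    name: str
    line: str
    reasons: list = field(default_factory=list)


def _is_autorun(line: str) -> bool:
    low = line.lower()
    return any(key in low for key in AUTORUN_KEYS)


def _name_of(line: str) -> str:
    """Best-effort label for a finding: the [name] of a Run value, the Startup file, or the key."""
    m = NAME_RE.search(line)
    if m:
        return m.group(1)
    if line.startswith("Startup: "):
        return ntpath.basename(line[len("Startup: "):].split(" (")[0])
    return line.split(": ", 1)[0]


def inspect_line(line: str) -> list:
    """Return the rule names a single FRST line trips (empty list if nothing is suspicious)."""
    reasons = []
    m = MARKER_RE.search(line)
    if m:
        reasons.append("frst-marker:" + m.group(1))
    if line.rstrip().endswith("No File"):
        reasons.append("orphaned-entry")
    if "SystemRestore:" in line and "Disable" in line:
        reasons.append("system-restore-disabled")
    if _is_autorun(line):
        if USER_WRITABLE_RE.search(line):
            reasons.append("autorun-from-user-writable-path")
        lm = LOADER_RE.search(line)
        if lm:
            reasons.append("loader:" + lm.group(1).lower())
            q = QUOTED_RE.search(line[lm.end():])
            # Only judge the extension when the loader's argument is a real drive path.
            if q and DRIVE_PATH_RE.match(q.group(1)):
                ext = ntpath.splitext(q.group(1))[1].lower()
                if ext not in NORMAL_EXTENSIONS:
                    reasons.append("unusual-extension:" + (ext or "(none)"))
        if "javascript:" in line.lower():
            reasons.append("script-in-registry")
        if "help_decrypt" in line.lower():
            reasons.append("ransom-note-in-startup")
    return reasons


def triage(frst_text: str) -> list:
    """Run inspect_line over every non-empty line and keep only the lines that tripped a rule."""
    findings = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = inspect_line(line)
        if reasons:
            findings.append(Finding(_name_of(line), line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"{f.name:<16} {', '.join(f.reasons)}")
```

The rules are deliberately coarse: they prioritise what a helper should look at first, and a flagged entry still needs a human to decide whether it goes into a fixlist.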

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 11 April 2015 - 08:38 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 computerxpds

computerxpds

    Bleepin' Comp


  • Moderator
  • 4,422 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:09:48 PM

Posted 13 April 2015 - 08:16 PM

Reopened. 


If I have replied to a topic and you reply and I haven't gotten back to you within 48 hours (2 days) then send me a P.M.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 14 April 2015 - 08:03 AM

ginavg

I'm listening.

#6 ginavg

ginavg
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 14 April 2015 - 05:35 PM

Hello, here are the requested files.


# AdwCleaner v4.201 - Logfile created 13/04/2015 at 18:02:56
# Updated 08/04/2015 by Xplode
# Database : 2015-04-08.1 [Server]
# Operating system : Windows 7 Home Premium  (x64)
# Username : Liz Blanco - LIZBLANCO-PC
# Running from : E:\Malware Removal Tools 02.06.15\adwcleaner_4.201.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found : C:\Users\Liz Blanco\AppData\Local\PackageAware
Folder Found : C:\Users\Liz Blanco\AppData\LocalLow\HPAppData
Folder Found : C:\windows\SysWOW64\config\systemprofile\AppData\Local\PackageAware

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cafetututango.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Activities\Search\ask.com
Key Found : [x64] HKCU\Software\IM
Key Found : [x64] HKCU\Software\ImInstaller
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\MozillaPlugins\@ei.TotalRecipeSearch_14.com/Plugin
Key Found : HKLM\SOFTWARE\TotalRecipeSearch_14EI

***** [ Web browsers ] *****

-\\ Internet Explorer v9.0.8112.16476

-\\ Google Chrome v41.0.2272.118

[C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2233 bytes] - [13/04/2015 18:02:56]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2292 bytes] ##########


# AdwCleaner v4.201 - Logfile created 13/04/2015 at 18:06:14
# Updated 08/04/2015 by Xplode
# Database : 2015-04-08.1 [Server]
# Operating system : Windows 7 Home Premium  (x64)
# Username : Liz Blanco - LIZBLANCO-PC
# Running from : E:\Malware Removal Tools 02.06.15\adwcleaner_4.201.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\windows\SysWOW64\config\systemprofile\AppData\Local\PackageAware
Folder Deleted : C:\Users\Liz Blanco\AppData\Local\PackageAware
Folder Deleted : C:\Users\Liz Blanco\AppData\LocalLow\HPAppData

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@ei.TotalRecipeSearch_14.com/Plugin
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Activities\Search\ask.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKLM\SOFTWARE\TotalRecipeSearch_14EI
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cafetututango.com
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v9.0.8112.16476

-\\ Google Chrome v41.0.2272.118

[C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2379 bytes] - [13/04/2015 18:02:56]
AdwCleaner[S0].txt - [2259 bytes] - [13/04/2015 18:06:14]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2318  bytes] ##########


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2015
Ran by Liz Blanco (administrator) on LIZBLANCO-PC on 13-04-2015 18:41:32
Running from E:\Malware Removal Tools 02.06.15\farbar recovery scan tool\64 bit
Loaded Profiles: Liz Blanco (Available profiles: Liz Blanco)
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
() C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\RegHunter\RegHunter.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDWare] => C:\Program Files\Elantech\ETDCtrl.exe [2598280 2010-06-23] (ELAN Microelectronics Corp.)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4462496 2010-04-12] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [7056800 2010-03-18] (Lenovo (Beijing) Limited)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35184 2008-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [UCam_Menu] => C:\Program Files (x86)\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [AppleSyncNotifier] => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe"
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe" No File
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-07-24] (Google Inc.)
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Edltion] => C:\Users\Liz Blanco\AppData\Local\Edltion\30785530.exe
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Ubpzmedia] => C:\Windows\SysWOW64\regsvr32.exe "C:\Users\Liz Blanco\AppData\Local\Edltion\IcuDevDrm24.dll"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Agfsworks] => regsvr32.exe "C:\Users\Liz Blanco\AppData\Local\Agfsworks\kctlWIDlg16.dll" <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [bsimoxb] => rundll32 "C:\Users\Liz Blanco\AppData\Local\bsimoxb.dll",bsimoxb <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [IuyuHdes] => regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [FlashPlayerUpdate] => C:\Users\Liz Blanco\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [173056 2015-04-13] ()
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ih8\..\mshtml,RunHTMLApplication ";eval("pece7<odv!@buhwdYNckdbu)#VRbshqu/R (the data entry has 27917 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.icepaytor.com/126s8YU

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-09-20] (Hewlett-Packard Co.)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll [2014-04-09] (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll No File
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-09-20] (Hewlett-Packard Co.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll No File
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
Toolbar: HKU\S-1-5-21-2221435316-2506893427-2594210335-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: HKLM-x32 {2B497CAF-D938-4059-BA76-0DA5DB77EA0A} https://remote.americanlegion273.org/Remote/BuiltIns/FS/Wssg.Web.FileAccess.RichUpload.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 65.32.5.111 65.32.5.112
Tcpip\..\Interfaces\{E859EBDE-727D-4667-8EEE-C39BB6596FE0}: [NameServer] 65.32.5.111,65.32.5.112

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @ei.MyFunCards_5m.com/Plugin -> C:\Program Files (x86)\MyFunCards_5mEI\Installr\1.bin\NP5mEISB.dll No File
FF Plugin-x32: @ei.RecipeHub_2j.com/Plugin -> C:\Program Files (x86)\RecipeHub_2jEI\Installr\1.bin\NP2jEISB.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-09-22] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-06-07]
FF HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR Profile: C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-05]
CHR Extension: (Windows Theme Manager 2 API) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla [2015-03-16]
CHR Extension: (Google Docs) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-05]
CHR Extension: (Google Drive) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-05]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-05]
CHR Extension: (YouTube) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-24]
CHR Extension: (Google Search) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-24]
CHR Extension: (Google Sheets) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-05]
CHR Extension: (Google Wallet) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26]
CHR Extension: (Gmail) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-24]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-09-20] (Hewlett-Packard Co.) [File not signed]
S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2008-12-03] (Hewlett-Packard) [File not signed]
R2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] () [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2008-12-03] (Hewlett-Packard) [File not signed]
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1026432 2015-03-23] (Enigma Software Group USA, LLC.)
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2015-03-23] (Enigma Software Group USA, LLC.)
R3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
U3 BcmSqlStartupSvc; No ImagePath
U2 IviRegMgr; No ImagePath
U2 RichVideo; No ImagePath
U3 SQLWriter; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-13 18:38 - 2015-04-13 18:41 - 00000000 ____D () C:\FRST
2015-04-13 18:02 - 2015-04-13 18:06 - 00000000 ____D () C:\AdwCleaner
2015-04-11 19:15 - 2015-04-11 19:15 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Macromedia
2015-04-11 19:14 - 2015-04-11 19:14 - 00008598 _____ () C:\Users\Liz Blanco\Desktop\HELP_DECRYPT.HTML
2015-04-11 19:14 - 2015-04-11 19:14 - 00004242 _____ () C:\Users\Liz Blanco\Desktop\HELP_DECRYPT.TXT
2015-04-11 19:14 - 2015-04-11 19:14 - 00000280 _____ () C:\Users\Liz Blanco\Desktop\HELP_DECRYPT.URL
2015-04-04 17:36 - 2015-04-04 17:36 - 00001889 _____ () C:\Users\Liz Blanco\Desktop\ShadowExplorer.lnk
2015-04-04 17:36 - 2015-04-04 17:36 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\www.shadowexplorer.com
2015-04-04 17:36 - 2015-04-04 17:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
2015-04-04 17:36 - 2015-04-04 17:36 - 00000000 ____D () C:\Program Files (x86)\ShadowExplorer
2015-04-04 14:54 - 2015-04-04 14:54 - 00009300 _____ () C:\Users\Liz Blanco\Documents\CryptoWall 3_0.htm
2015-04-04 14:51 - 2015-04-04 14:51 - 00008598 _____ () C:\HELP_DECRYPT.HTML
2015-04-04 14:51 - 2015-04-04 14:51 - 00004242 _____ () C:\HELP_DECRYPT.TXT
2015-04-04 14:51 - 2015-04-04 14:51 - 00000761 _____ () C:\windows\system32\Drivers\etc\hosts.txt
2015-04-04 14:51 - 2015-04-04 14:51 - 00000280 _____ () C:\HELP_DECRYPT.URL
2015-04-04 14:50 - 2015-04-04 14:50 - 00000000 ____D () C:\ProgramData\IuyuHdes
2015-04-04 13:50 - 2015-04-04 15:16 - 00129752 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-04 13:49 - 2015-04-04 13:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-04-04 13:49 - 2015-04-04 13:49 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-04-04 13:49 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-04-04 13:49 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-04-04 13:17 - 2015-04-04 13:18 - 00018944 ___SH () C:\Users\Liz Blanco\Thumbs.db
2015-04-04 12:59 - 2015-04-04 13:02 - 00011560 _____ () C:\Users\Liz Blanco\Desktop\Rkill.txt
2015-03-25 14:29 - 2015-03-25 14:29 - 00218467 _____ () C:\sh4_service.log
2015-03-25 07:46 - 2015-03-23 22:47 - 00025472 _____ () C:\windows\system32\sh4native.exe
2015-03-25 07:39 - 2015-04-04 14:51 - 00000000 __SHD () C:\found.000
2015-03-23 22:48 - 2015-03-23 22:48 - 00003354 _____ () C:\windows\System32\Tasks\SpyHunter4Startup
2015-03-23 22:48 - 2015-03-23 22:48 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Enigma Software Group
2015-03-23 22:48 - 2015-03-23 22:48 - 00000000 ____D () C:\sh4ldr
2015-03-23 22:19 - 2015-03-23 22:19 - 00008680 _____ () C:\Users\Liz Blanco\HELP_DECRYPT.HTML
2015-03-23 22:19 - 2015-03-23 22:19 - 00004280 _____ () C:\Users\Liz Blanco\HELP_DECRYPT.TXT
2015-03-23 22:19 - 2015-03-23 22:19 - 00000300 _____ () C:\Users\Liz Blanco\HELP_DECRYPT.URL
2015-03-23 17:44 - 2015-03-23 17:44 - 00008680 _____ () C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.HTML
2015-03-23 17:44 - 2015-03-23 17:44 - 00008680 _____ () C:\Users\Liz Blanco\Documents\HELP_DECRYPT.HTML
2015-03-23 17:44 - 2015-03-23 17:44 - 00004280 _____ () C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.TXT
2015-03-23 17:44 - 2015-03-23 17:44 - 00004280 _____ () C:\Users\Liz Blanco\Documents\HELP_DECRYPT.TXT
2015-03-23 17:44 - 2015-03-23 17:44 - 00000300 _____ () C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.URL
2015-03-23 17:44 - 2015-03-23 17:44 - 00000300 _____ () C:\Users\Liz Blanco\Documents\HELP_DECRYPT.URL
2015-03-23 17:18 - 2015-03-23 17:18 - 00008680 _____ () C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-23 17:18 - 2015-03-23 17:18 - 00008680 _____ () C:\Users\Liz Blanco\AppData\HELP_DECRYPT.HTML
2015-03-23 17:18 - 2015-03-23 17:18 - 00004280 _____ () C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-23 17:18 - 2015-03-23 17:18 - 00004280 _____ () C:\Users\Liz Blanco\AppData\HELP_DECRYPT.TXT
2015-03-23 17:18 - 2015-03-23 17:18 - 00000300 _____ () C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.URL
2015-03-23 17:18 - 2015-03-23 17:18 - 00000300 _____ () C:\Users\Liz Blanco\AppData\HELP_DECRYPT.URL
2015-03-23 17:16 - 2015-03-23 17:16 - 00008680 _____ () C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.HTML
2015-03-23 17:16 - 2015-03-23 17:16 - 00004280 _____ () C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.TXT
2015-03-23 17:16 - 2015-03-23 17:16 - 00000300 _____ () C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.URL
2015-03-23 17:15 - 2015-03-23 17:15 - 00008680 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-23 17:15 - 2015-03-23 17:15 - 00004280 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-23 17:15 - 2015-03-23 17:15 - 00000300 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-03-21 17:50 - 2015-04-11 19:14 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-03-21 07:26 - 2015-03-25 14:28 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\ejyxoj
2015-03-17 19:43 - 2015-03-17 19:43 - 00000000 __SHD () C:\$$PendingFiles
2015-03-16 20:58 - 2015-03-25 14:28 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Edltion
2015-03-16 20:58 - 2015-03-25 14:28 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Agfsworks
2015-03-15 20:43 - 2015-02-25 09:14 - 08477601 _____ () C:\Users\Liz Blanco\Desktop\02 Oye Mi Canto.m4a

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-13 18:17 - 2009-07-14 00:45 - 00013632 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-13 18:17 - 2009-07-14 00:45 - 00013632 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-13 18:16 - 2009-07-14 01:13 - 00004530 _____ () C:\windows\system32\PerfStringBackup.INI
2015-04-13 18:08 - 2013-07-24 08:58 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-13 18:08 - 2012-08-17 19:20 - 00063172 _____ () C:\windows\setupact.log
2015-04-13 18:08 - 2009-07-14 01:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-04-13 18:07 - 2012-08-17 19:20 - 00043452 _____ () C:\windows\PFRO.log
2015-04-13 17:58 - 2013-07-24 08:58 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-13 17:58 - 2012-05-25 08:33 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-04-13 17:58 - 2011-02-16 19:44 - 01682594 _____ () C:\windows\WindowsUpdate.log
2015-04-13 17:44 - 2011-08-15 21:28 - 00003962 _____ () C:\windows\System32\Tasks\User_Feed_Synchronization-{ADED22FA-842C-4633-B870-4F2E51BFAC81}
2015-04-11 19:17 - 2013-12-19 17:48 - 03371520 ___SH () C:\Users\Liz Blanco\Desktop\Thumbs.db
2015-04-05 13:01 - 2013-07-24 08:59 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-04 15:39 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\Speech
2015-04-04 15:09 - 2014-09-17 15:13 - 00001131 _____ () C:\Users\Liz Blanco\Desktop\SpyHunter.lnk
2015-04-04 15:07 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\Globalization
2015-04-04 15:04 - 2011-05-31 21:12 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Adobe
2015-04-04 13:49 - 2012-08-16 14:02 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Malwarebytes
2015-04-04 13:49 - 2012-08-16 14:02 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-04 13:49 - 2012-08-16 14:02 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-04-04 13:17 - 2011-05-31 20:07 - 00000000 ____D () C:\Users\Liz Blanco
2015-03-26 16:33 - 2009-07-14 01:08 - 00032606 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2015-03-25 16:45 - 2011-05-31 20:10 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\LiZumba
2015-03-23 22:48 - 2014-09-17 15:13 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2015-03-23 17:43 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Website passwords
2015-03-23 17:42 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\RECIPES
2015-03-23 17:41 - 2014-04-24 11:32 - 00000000 ____D () C:\Users\Liz Blanco\Documents\MAKOS
2015-03-23 17:41 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\MySpaceIM Pics
2015-03-23 17:41 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\MadDog
2015-03-23 17:40 - 2014-11-29 00:08 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Las Vegas
2015-03-23 17:38 - 2012-10-08 10:11 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Flyer ideas
2015-03-23 17:38 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\GBG
2015-03-23 17:37 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Ferny's College Info
2015-03-23 17:36 - 2014-08-26 22:09 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Z-Convention 2014
2015-03-23 17:36 - 2014-05-18 17:41 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\pictures to sort out
2015-03-23 17:36 - 2013-12-19 18:31 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Walgreens pics
2015-03-23 17:36 - 2012-10-08 10:11 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Breast Cancer Fundraiser
2015-03-23 17:36 - 2011-06-06 19:22 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Amer Legion
2015-03-23 17:36 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\BOBBY
2015-03-23 17:35 - 2014-11-08 10:57 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Pics to sort out
2015-03-23 17:34 - 2015-03-11 16:44 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\MS event 2015
2015-03-23 17:34 - 2015-02-18 18:07 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Mad Beach
2015-03-23 17:18 - 2015-02-15 21:17 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Amer Heart Assoc event 2-13-15
2015-03-23 17:18 - 2014-11-02 20:50 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\BCF event pics 2014
2015-03-23 17:18 - 2014-11-02 20:47 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Halloween 2014
2015-03-23 17:18 - 2014-08-26 11:41 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Hopechest z-bash
2015-03-23 17:18 - 2013-09-19 12:29 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\CLASS FLYERS
2015-03-23 17:18 - 2012-05-26 22:51 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\ooVoo Details
2015-03-23 17:18 - 2012-05-26 22:37 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Skype
2015-03-23 17:17 - 2014-08-26 12:04 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Corel
2015-03-23 17:17 - 2011-06-07 21:16 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\HP
2015-03-23 17:17 - 2011-05-31 20:51 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Apple Computer
2015-03-23 17:17 - 2011-05-31 20:51 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Apple Computer
2015-03-23 17:16 - 2012-01-02 12:01 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Google
2015-03-23 17:16 - 2011-06-13 23:45 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\HP
2015-03-23 17:15 - 2011-05-31 21:12 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Adobe
2015-03-23 17:15 - 2011-02-16 20:31 - 00000000 ____D () C:\ProgramData\Lenovo
2015-03-17 19:34 - 2013-11-16 19:01 - 00000000 ____D () C:\ProgramData\McAfee Security Scan
2015-03-17 19:34 - 2011-05-31 20:07 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\uk-UA
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\tr-TR
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\th-TH
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\sr-Latn-CS
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\sl-SI
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\sk-SK
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\Setup
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\ro-RO
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\lv-LV
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\lt-LT
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\hr-HR
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\he-IL
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\et-EE
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\bg-BG
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\ar-SA
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\zh-HK
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\uk-UA
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\tr-TR
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\th-TH
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\sppui
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\sl-SI
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\sk-SK
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\Setup
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\ro-RO
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\lv-LV
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\lt-LT
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\ias
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\hr-HR
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\he-IL
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\et-EE
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\Dism
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\bg-BG
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\ar-SA
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\AdvancedInstallers
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\AppCompat
2015-03-17 19:34 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\Services
2015-03-17 19:33 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\registration

==================== Files in the root of some directories =======

2015-03-20 18:39 - 2015-03-20 18:39 - 0023328 _____ () C:\Users\Liz Blanco\AppData\Roaming\00-the_black_keys-el_camino-2011-proof.jpg
2015-03-23 17:18 - 2015-03-23 17:18 - 0008680 _____ () C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-23 17:18 - 2015-03-23 17:18 - 0045851 _____ () C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-23 17:18 - 2015-03-23 17:18 - 0004280 _____ () C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-23 17:18 - 2015-03-23 17:18 - 0000300 _____ () C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.URL
2015-03-23 17:16 - 2015-03-23 17:16 - 0008680 _____ () C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.HTML
2015-03-23 17:16 - 2015-03-23 17:16 - 0045851 _____ () C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.PNG
2015-03-23 17:16 - 2015-03-23 17:16 - 0004280 _____ () C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.TXT
2015-03-23 17:16 - 2015-03-23 17:16 - 0000300 _____ () C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.URL
2015-03-23 17:15 - 2015-03-23 17:15 - 0008680 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-23 17:15 - 2015-03-23 17:15 - 0045851 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-03-23 17:15 - 2015-03-23 17:15 - 0004280 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-23 17:15 - 2015-03-23 17:15 - 0000300 _____ () C:\ProgramData\HELP_DECRYPT.URL
2011-06-07 20:49 - 2013-04-19 21:51 - 0003590 _____ () C:\ProgramData\hpzinstall.log
2011-02-16 20:23 - 2011-05-31 20:06 - 0000235 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc

Some content of TEMP:
====================
C:\Users\Liz Blanco\AppData\Local\Temp\Quarantine.exe
C:\Users\Liz Blanco\AppData\Local\Temp\RHSetup.exe
C:\Users\Liz Blanco\AppData\Local\Temp\SHSetup.exe
C:\Users\Liz Blanco\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2015-04-04 17:54

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-04-2015
Ran by Liz Blanco at 2015-04-13 18:42:12
Running from E:\Malware Removal Tools 02.06.15\farbar recovery scan tool\64 bit
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 6.2.1 - Hewlett-Packard) Hidden
Acrobat.com (HKLM-x32\...\{77DCDCE3-2DED-62F3-8154-05E745472D07}) (Version: 1.1.377 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader 9.0.1 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A90100000001}) (Version: 9.0.1 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{447CDCE5-F555-429B-BFA6-642C3C6D684F}) (Version: 3.1.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{0DF7096B-715A-4233-8633-C7A16ED6D616}) (Version: 3.1.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{C4123106-B685-48E6-B9BD-E4F911841EB4}) (Version: 8.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom 802.11 Wireless Driver (HKLM-x32\...\{8991E763-21F5-4DEA-A938-5D9D77DCB488}) (Version: 1.0.0.0 - )
BufferChm (x32 Version: 130.0.331.000 - Hewlett-Packard) Hidden
C4400 (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 4.111.0.62 - Conexant)
Copy (x32 Version: 130.0.428.000 - Hewlett-Packard) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.0.2626 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Destinations (x32 Version: 130.0.0.0 - Hewlett-Packard) Hidden
DeviceDiscovery (x32 Version: 130.0.465.000 - Hewlett-Packard) Hidden
DocProc (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden
Energy Management (HKLM-x32\...\{0CE226F3-EB27-4ECD-BBF5-F088716779FD}) (Version: 5.4.1.9 - Lenovo)
ETDWare PS/2-x64 7.0.4.18_WHQL (HKLM\...\Elantech) (Version: 7.0.4.18 - ELAN Microelectronics Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6227.252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
GPBaseService2 (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
HP Imaging Device Functions 13.0 (HKLM\...\HP Imaging Device Functions) (Version: 13.0 - HP)
HP Photosmart C4400 All-In-One Driver Software 13.0 Rel. 3 (HKLM\...\{8181C5B7-2FF5-4677-BA6A-8E2C3F5A7601}) (Version: 13.0 - HP)
HP Smart Web Printing 4.51 (HKLM\...\HP Smart Web Printing) (Version: 4.51 - HP)
HP Solution Center 13.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 13.0 - HP)
HP Update (HKLM-x32\...\{7059BDA7-E1DB-442C-B7A1-6144596720A4}) (Version: 4.000.011.006 - Hewlett-Packard)
HPPhotoGadget (x32 Version: 130.0.282.000 - Hewlett-Packard) Hidden
HPProductAssistant (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
HPSSupply (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
iCloud (HKLM\...\{309768A4-A2BB-4930-A5A2-8169678C9B4C}) (Version: 4.0.6.28 - Apple Inc.)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Graphics Media Accelerator Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2104 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.0.1014 - Intel Corporation)
iTunes (HKLM\...\{D227565A-0033-40AD-89BA-653A205CDC11}) (Version: 12.1.1.4 - Apple Inc.)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Lenovo DirectShare (HKLM-x32\...\InstallShield_{B2164CCB-C002-4B80-8550-7535D80DF237}) (Version: 1.0.1.38 - ArcSoft)
Lenovo DirectShare (x32 Version: 1.0.1.38 - ArcSoft) Hidden
Lenovo EasyCamera (HKLM-x32\...\{4BB1DCED-84D3-47F9-B718-5947E904593E}) (Version: 6.96.2018.21 - Lenovo EasyCamera)
Lenovo Games Console (HKLM-x32\...\Lenovo Games Console) (Version: 0.38.389.2 - Oberon Media Inc.)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 7.0.1230 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 7.0.1230 - CyberLink Corp.) Hidden
Lenovo ReadyComm 5 (HKLM-x32\...\{17542DBF-E17C-4562-BC4D-FA3EF3076C45}) (Version: 5.1.1.20 - Lenovo)
Lenovo ReadyComm 5.0 Service (HKLM-x32\...\{76C66170-C538-4E77-B54D-48E136B5B533}) (Version: 5.0.0.1 - Lenovo Group Limited)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MobileMe Control Panel (HKLM\...\{41BC9E31-0D39-462E-8E4C-767B21A3B1C3}) (Version: 3.1.8.0 - Apple Inc.)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Oasis2Service 1.0 (HKLM-x32\...\{E50FC5DB-7CBD-407D-A46E-0C13E45BC386}) (Version: 1.0.0 - DDNi)
OCR Software by I.R.I.S. 13.0 (HKLM\...\HPOCR) (Version: 13.0 - HP)
Onekey Theater (HKLM-x32\...\{DFB19121-0609-49C1-92B1-546E5A940FE8}) (Version: 2.0.1.8 - Lenovo)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.4809d4 - CyberLink Corp.)
PS_AIO_03_C4400_Software_Min (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.18.322.2010 - Realtek)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30116 - Realtek Semiconductor Corp.)
RegHunter (HKLM\...\{F94A63D7-9A61-403B-8F6F-90B1BF77211A}) (Version: 1.3.3.1613 - Enigma Software Group USA, LLC)
Scan (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden
ShadowExplorer 0.9 (HKLM-x32\...\ShadowExplorer_is1) (Version: 0.9.462.0 - ShadowExplorer.com)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 13.0 - HP)
Skype™ 6.11 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.11.102 - Skype Technologies S.A.)
SmartWebPrinting (x32 Version: 130.0.457.000 - Hewlett-Packard) Hidden
SolutionCenter (x32 Version: 130.0.373.000 - Hewlett-Packard) Hidden
SpyHunter 4 (HKLM-x32\...\SpyHunter) (Version: 4.19.13.4482 - Enigma Software Group, LLC)
Status (x32 Version: 130.0.469.000 - Hewlett-Packard) Hidden
Toolbox (x32 Version: 130.0.648.000 - Hewlett-Packard) Hidden
TrayApp (x32 Version: 130.0.422.000 - Hewlett-Packard) Hidden
UnloadSupport (x32 Version: 11.0.0 - Hewlett-Packard) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
WebReg (x32 Version: 130.0.132.017 - Hewlett-Packard) Hidden
Windows Driver Package - Lenovo (ACPIVPC) System  (10/19/2009 5.4.0.1) (HKLM\...\0A4175B489A1B4A6E07E11B063A6263480C51D71) (Version: 10/19/2009 5.4.0.1 - Lenovo)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2221435316-2506893427-2594210335-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"ih8\..\mshtml,RunHTMLApplication ";eval("pece7<odv!@buhwdYNckdbu)#VRbshqu/R (the data entry has 27925 more characters). <==== Poweliks?

==================== Restore Points  =========================

04-04-2015 15:26:01 Windows Backup
10-04-2015 20:36:14 Windows Backup

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2015-04-04 17:18 - 00000824 ____N C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2F733667-BBBE-4F7F-A62C-08FB20844725} - System32\Tasks\{74DB1317-B8FE-4485-AA18-A886C1B82E39} => Iexplore.exe http://www.skype.com/go/downloading?source=lightinstaller&ver=5.9.0.115&LastError=12002
Task: {436C11F1-5A22-4DAA-AE8C-FF16A345479A} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-05] (Adobe Systems Incorporated)
Task: {4BA5F4A0-11C2-4D33-A77B-76871E2FBCE3} - System32\Tasks\Microsoft\Windows Defender\Mp Scheduled Scan => C:\Program Files\Windows Defender\MpCmdRun.exe [2009-07-13] ()
Task: {53156FA7-9D6F-4F04-A87E-C6B290DC3B20} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {60C4819F-8338-40E1-85FC-108550E99147} - System32\Tasks\Apple Diagnostics => C:\Program Files (x86)\Common Files\Apple\Internet Services\EReporter.exe [2014-12-01] (Apple Inc.)
Task: {7B2DED29-AC55-4FEF-A57F-F4734605DA09} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-24] (Google Inc.)
Task: {86D4CB98-B2E7-435D-8497-E42C476F37A7} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe [2015-03-23] (Enigma Software Group USA, LLC.)
Task: {97AC68C3-071A-41F9-A65E-94591D174696} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-24] (Google Inc.)
Task: {AFE0E9C2-8E4A-414E-9F72-9C534820C547} - System32\Tasks\{89985164-7F52-4409-8A46-15E2886CB993} => pcalua.exe -a F:\setup.exe -d F:\
Task: {D39BE50D-B5DD-46E6-BA0C-CADA17D8C5D1} - System32\Tasks\RegHunterStartup => C:\Program Files\Enigma Software Group\RegHunter\RegHunter.exe [2013-08-13] (Enigma Software Group USA, LLC.)
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2015-02-13 05:20 - 2015-02-13 05:20 - 00085832 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-02-13 05:20 - 2015-02-13 05:20 - 01346344 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2010-06-23 05:39 - 2010-06-23 05:39 - 00046080 _____ () C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
2011-02-16 20:38 - 2009-07-15 11:55 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\kbdhook.dll
2011-02-16 20:38 - 2009-07-15 11:55 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2010-06-23 05:39 - 2010-06-23 05:39 - 00049152 _____ () C:\Program Files (x86)\DDNi\Oasis2Service 1.0\DdniCore.dll
2010-06-23 05:39 - 2010-06-23 05:39 - 00033280 _____ () C:\Program Files (x86)\DDNi\Oasis2Service 1.0\AspUpdate.dll
2015-02-13 05:20 - 2015-02-13 05:20 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2013-01-09 17:20 - 2013-01-09 17:20 - 00170496 _____ () C:\windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\d89f0252d910d617de1de783a812f840\IsdiInterop.ni.dll
2011-02-16 19:51 - 2010-03-03 16:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 65.32.5.111 - 65.32.5.112

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: cAudioFilterAgent => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: OnekeyStudio => C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
MSCONFIG\startupreg: YouCam Mirror Tray icon => "C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe" /s

==================== Accounts: =============================

Administrator (S-1-5-21-2221435316-2506893427-2594210335-500 - Administrator - Disabled)
Guest (S-1-5-21-2221435316-2506893427-2594210335-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2221435316-2506893427-2594210335-1003 - Limited - Enabled)
Liz Blanco (S-1-5-21-2221435316-2506893427-2594210335-1000 - Administrator - Enabled) => C:\Users\Liz Blanco

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (04/13/2015 06:15:58 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (04/13/2015 06:15:58 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (04/13/2015 06:01:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: 8F0D.tmp, version: 0.0.0.0, time stamp: 0x551dacf6
Faulting module name: 8F0D.tmp, version: 0.0.0.0, time stamp: 0x551dacf6
Exception code: 0xc0000005
Fault offset: 0x00006e3c
Faulting process id: 0x1ad4
Faulting application start time: 0x8F0D.tmp0
Faulting application path: 8F0D.tmp1
Faulting module path: 8F0D.tmp2
Report Id: 8F0D.tmp3

Error: (04/13/2015 06:01:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: 6187.tmp, version: 0.0.0.0, time stamp: 0x551dacf6
Faulting module name: 6187.tmp, version: 0.0.0.0, time stamp: 0x551dacf6
Exception code: 0xc0000005
Fault offset: 0x00006e3c
Faulting process id: 0x1bc8
Faulting application start time: 0x6187.tmp0
Faulting application path: 6187.tmp1
Faulting module path: 6187.tmp2
Report Id: 6187.tmp3

Error: (04/13/2015 06:01:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: 41D6.tmp, version: 0.0.0.0, time stamp: 0x551dacf6
Faulting module name: 41D6.tmp, version: 0.0.0.0, time stamp: 0x551dacf6
Exception code: 0xc0000005
Fault offset: 0x00006e3c
Faulting process id: 0x11c4
Faulting application start time: 0x41D6.tmp0
Faulting application path: 41D6.tmp1
Faulting module path: 41D6.tmp2
Report Id: 41D6.tmp3

Error: (04/13/2015 06:01:33 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16476, time stamp: 0x5126e7ac
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x032970ea
Faulting process id: 0xe34
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (04/13/2015 06:01:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: 87D7.tmp, version: 0.0.0.0, time stamp: 0x551dacf6
Faulting module name: 87D7.tmp, version: 0.0.0.0, time stamp: 0x551dacf6
Exception code: 0xc0000005
Fault offset: 0x0000708a
Faulting process id: 0x163c
Faulting application start time: 0x87D7.tmp0
Faulting application path: 87D7.tmp1
Faulting module path: 87D7.tmp2
Report Id: 87D7.tmp3

Error: (04/13/2015 05:44:16 PM) (Source: SideBySide) (EventID: 63) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (04/11/2015 07:14:36 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (04/10/2015 08:39:39 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

System errors:
=============
Error: (04/13/2015 06:12:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The ReadyComm.DirectRouter service failed to start due to the following error:
%%2

Error: (04/13/2015 06:12:13 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (04/13/2015 06:10:51 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (04/13/2015 06:10:13 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The HP CUE DeviceDiscovery Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (04/13/2015 06:09:20 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Live ID Sign-in Assistant service failed to start due to the following error:
%%1053

Error: (04/13/2015 06:09:20 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.

Error: (04/13/2015 06:08:17 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

Error: (04/13/2015 06:08:16 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

Error: (04/13/2015 06:08:14 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (04/13/2015 06:06:47 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1069

Microsoft Office Sessions:
=========================
Error: (03/04/2013 11:35:15 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2493 seconds with 1380 seconds of active time.  This session ended with a crash.

Error: (02/19/2012 05:20:43 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6654.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 564 seconds with 540 seconds of active time.  This session ended with a crash.

==================== Memory info ===========================

Processor: Intel® Core™ i3 CPU M 380 @ 2.53GHz
Percentage of memory in use: 38%
Total physical RAM: 3894.85 MB
Available physical RAM: 2376.59 MB
Total Pagefile: 7787.84 MB
Available Pagefile: 5687.38 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:254.14 GB) (Free:149.4 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:27.83 GB) NTFS
Drive e: (My Passport) (Fixed) (Total:931.48 GB) (Free:544.49 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 827D7D9D)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=254.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=14.8 GB) - (Type=12)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 00023F15)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Thanks for looking at this. Currently I also need to remove SpyHunter from the machine. I am also going to be out of pocket on and off; I may need to travel for a funeral.

thanks

gina



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 15 April 2015 - 07:48 AM


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM-x32\...\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe"
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe" No File
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Edltion] => C:\Users\Liz Blanco\AppData\Local\Edltion\30785530.exe
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Ubpzmedia] => C:\Windows\SysWOW64\regsvr32.exe "C:\Users\Liz Blanco\AppData\Local\Edltion\IcuDevDrm24.dll"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Agfsworks] => regsvr32.exe "C:\Users\Liz Blanco\AppData\Local\Agfsworks\kctlWIDlg16.dll" <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [bsimoxb] => rundll32 "C:\Users\Liz Blanco\AppData\Local\bsimoxb.dll",bsimoxb <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [IuyuHdes] => regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ih8\..\mshtml,RunHTMLApplication ";eval("pece7<odv!@buhwdYNckdbu)#VRbshqu/R (the data entry has 27917 more characters). <==== Poweliks!
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.icepaytor.com/126s8YU
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll No File
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
Toolbar: HKU\S-1-5-21-2221435316-2506893427-2594210335-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @ei.MyFunCards_5m.com/Plugin -> C:\Program Files (x86)\MyFunCards_5mEI\Installr\1.bin\NP5mEISB.dll No File
FF Plugin-x32: @ei.RecipeHub_2j.com/Plugin -> C:\Program Files (x86)\RecipeHub_2jEI\Installr\1.bin\NP2jEISB.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [X]
U3 BcmSqlStartupSvc; No ImagePath
U2 IviRegMgr; No ImagePath
U2 RichVideo; No ImagePath
U3 SQLWriter; No ImagePath
C:\Users\Liz Blanco\AppData\Local\Temp\RHSetup.exe
C:\Users\Liz Blanco\AppData\Local\Temp\SHSetup.exe
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.PNG
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.PNG
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.URL
C:\ProgramData\HELP_DECRYPT.HTML
C:\ProgramData\HELP_DECRYPT.PNG
C:\ProgramData\HELP_DECRYPT.TXT
C:\ProgramData\HELP_DECRYPT.URL
C:\Users\Liz Blanco\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\HELP_DECRYPT.URL
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.HTML
 C:\Users\Liz Blanco\Documents\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\Documents\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.URL
C:\Users\Liz Blanco\Documents\HELP_DECRYPT.URL
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.URL
C:\Users\Liz Blanco\AppData\Local\ejyxoj
C:\Users\Liz Blanco\AppData\Local\Edltion
C:\Users\Liz Blanco\AppData\Local\Agfsworks
C:\ProgramData\IuyuHdes

End

Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

How is the computer running now?
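To show what the analyst matched by eye in the FRST output when writing the fixlist above, here is an added Python triage script (not part of the thread, of FRST or of any vendor tool). It flags the indicator classes the fixlist removes: the Poweliks-style rundll32 javascript: LocalServer32 entry, HELP_DECRYPT ransom notes, regsvr32/rundll32 loaders and autoruns from user-writable paths, the Group Policy block on security products, disabled System Restore and services without an ImagePath. The sample lines, the user name "victim" and the SID are constructed.

```python
"""Triage FRST log lines for the CryptoWall / Poweliks indicator classes seen in this thread.

Added example: not part of the thread, of FRST, or of any vendor tool. The rules encode
what the analyst matched by eye when writing the fixlist; the sample lines are constructed
to mirror the shapes in the log (user name, SID and file names are illustrative).
"""
import re
from typing import Dict, List, Tuple

# (category, regex) pairs; a line may match more than one rule.
RULES: List[Tuple[str, re.Pattern]] = [
    # Poweliks-style fileless persistence: a CLSID LocalServer32 that launches
    # rundll32 with a javascript: URL instead of a file on disk.
    ("fileless-clsid-localserver32",
     re.compile(r'\\localserver32:\s*rundll32(\.exe)?\s+javascript:', re.I)),
    # CryptoWall writes HELP_DECRYPT.{HTML,PNG,TXT,URL} ransom notes into every
    # folder it touches, including the Startup folder.
    ("ransom-note-file",
     re.compile(r'\\HELP_DECRYPT\.(HTML|PNG|TXT|URL)\b', re.I)),
    # Autorun that loads a DLL via regsvr32/rundll32 from a user-writable path;
    # the extension may be disguised (the thread's loader used ".ero").
    ("loader-from-user-writable-path",
     re.compile(r'\\Run: \[[^\]]+\] => (?:.*\\)?(regsvr32|rundll32)(\.exe)?\s+"?'
                r'C:\\(Users\\[^\\]+\\AppData\\|ProgramData\\)', re.I)),
    # Plain autorun executable living under AppData or ProgramData.
    ("autorun-from-user-writable-path",
     re.compile(r'\\Run: \[[^\]]+\] => "?C:\\(Users\\[^\\]+\\AppData\\|ProgramData\\)'
                r'[^"]*\.exe"?', re.I)),
    # Software Restriction Policy aimed at a security product's data folder:
    # the malware blocking the tools meant to remove it (extend the list as needed).
    ("gpo-blocks-security-product",
     re.compile(r'Group Policy restriction on software: .*\\(Malwarebytes|McAfee)\b', re.I)),
    # System Restore disabled by policy, so shadow copies cannot be used for recovery.
    ("system-restore-disabled",
     re.compile(r'\\Policies\\Microsoft\\Windows NT\\SystemRestore: \[DisableSR', re.I)),
    # A service entry with no ImagePath is an orphan worth cleaning up.
    ("service-without-imagepath",
     re.compile(r'^[SUR]\d [^;]+; No ImagePath\s*$', re.I)),
]


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (category, line) for every rule hit, preserving log order."""
    hits: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for category, pattern in RULES:
            if pattern.search(line):
                hits.append((category, line))
    return hits


def summarize(hits: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count hits per category, e.g. to see at a glance that this is ransomware plus loaders."""
    counts: Dict[str, int] = {}
    for category, _ in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample modelled on the FRST lines in the thread (user "victim" and the
# SID are placeholders; the Poweliks payload is elided).
SAMPLE_FRST_LINES = r"""
HKLM-x32\...\Run: [ejyxoj] => "C:\Users\victim\AppData\Local\ejyxoj\ejyxoj.exe"
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-0-0-0-1000\...\Run: [Agfsworks] => regsvr32.exe "C:\Users\victim\AppData\Local\Agfsworks\kctlWIDlg16.dll" <===== ATTENTION
HKU\S-1-5-21-0-0-0-1000\...\Run: [IuyuHdes] => regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero"
HKU\S-1-5-21-0-0-0-1000\...\Run: [bsimoxb] => rundll32 "C:\Users\victim\AppData\Local\bsimoxb.dll",bsimoxb
HKU\S-1-5-21-0-0-0-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ih8\..\mshtml,RunHTMLApplication ";eval("<elided>") <==== Poweliks!
HKLM\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
Startup: C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
C:\ProgramData\HELP_DECRYPT.TXT
U3 BcmSqlStartupSvc; No ImagePath
R2 BenignSvc; C:\Program Files\Vendor\benign.exe [12345 2015-01-01] (Vendor)
""".strip().splitlines()


if __name__ == "__main__":
    for category, line in triage(SAMPLE_FRST_LINES):
        print(f"[{category}] {line}")
    print(summarize(triage(SAMPLE_FRST_LINES)))
```

The benign HP autorun and the benign service in the sample produce no hits, so the output is only the entries a fixlist would need to address.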

#8 ginavg

ginavg
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 16 April 2015 - 01:45 PM

The computer is running the same. IE is slow to respond and says the security settings won't allow me to download anything. SpyHunter keeps popping up every 3 seconds saying that my DNS settings have changed (which they haven't).

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-04-2015 04
Ran by Liz Blanco at 2015-04-16 13:58:49 Run:1
Running from E:\Malware Removal Tools 02.06.15\farbar recovery scan tool\64 bit
Loaded Profiles: Liz Blanco (Available profiles: Liz Blanco)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM-x32\...\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe"
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe" No File
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [ejyxoj] => "C:\Users\Liz Blanco\AppData\Local\ejyxoj\ejyxoj.exe"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Edltion] => C:\Users\Liz Blanco\AppData\Local\Edltion\30785530.exe
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Ubpzmedia] => C:\Windows\SysWOW64\regsvr32.exe "C:\Users\Liz Blanco\AppData\Local\Edltion\IcuDevDrm24.dll"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [Agfsworks] => regsvr32.exe "C:\Users\Liz Blanco\AppData\Local\Agfsworks\kctlWIDlg16.dll" <===== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [bsimoxb] => rundll32 "C:\Users\Liz Blanco\AppData\Local\bsimoxb.dll",bsimoxb== ATTENTION
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [IuyuHdes] => regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero"
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ih8\..\mshtml,RunHTMLApplication ";eval("pece7<odv!@buhwdYNckdbu)#VRbshqu/R (the data entry has 27917 more characters). <==== Poweliks!
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.icepaytor.com/126s8YU
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll No File
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
Toolbar: HKU\S-1-5-21-2221435316-2506893427-2594210335-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @ei.MyFunCards_5m.com/Plugin -> C:\Program Files (x86)\MyFunCards_5mEI\Installr\1.bin\NP5mEISB.dll No File
FF Plugin-x32: @ei.RecipeHub_2j.com/Plugin -> C:\Program Files (x86)\RecipeHub_2jEI\Installr\1.bin\NP2jEISB.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [X]
U3 BcmSqlStartupSvc; No ImagePath
U2 IviRegMgr; No ImagePath
U2 RichVideo; No ImagePath
U3 SQLWriter; No ImagePath
C:\Users\Liz Blanco\AppData\Local\Temp\RHSetup.exe
C:\Users\Liz Blanco\AppData\Local\Temp\SHSetup.exe
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.PNG
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.PNG
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.URL
C:\ProgramData\HELP_DECRYPT.HTML
C:\ProgramData\HELP_DECRYPT.PNG
C:\ProgramData\HELP_DECRYPT.TXT
C:\ProgramData\HELP_DECRYPT.URL
C:\Users\Liz Blanco\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\HELP_DECRYPT.URL
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.HTML
 C:\Users\Liz Blanco\Documents\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\Documents\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.URL
C:\Users\Liz Blanco\Documents\HELP_DECRYPT.URL
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.HTML
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.TXT
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.URL
C:\Users\Liz Blanco\AppData\Local\ejyxoj
C:\Users\Liz Blanco\AppData\Local\Edltion
C:\Users\Liz Blanco\AppData\Local\Agfsworks
C:\ProgramData\IuyuHdes

End
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ejyxoj => value deleted successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\ejyxoj => value deleted successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ejyxoj => value deleted successfully.
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Edltion => value deleted successfully.
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ubpzmedia => value deleted successfully.
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Agfsworks => value deleted successfully.
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run\\bsimoxb => value deleted successfully.
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run\\IuyuHdes => value deleted successfully.
"HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}" => Key deleted successfully.
"HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}" => Key deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@ei.MyFunCards_5m.com/Plugin" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@ei.RecipeHub_2j.com/Plugin" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
McMPFSvc => Service deleted successfully.
BcmSqlStartupSvc => Service deleted successfully.
IviRegMgr => Service deleted successfully.
RichVideo => Service deleted successfully.
SQLWriter => Service deleted successfully.
C:\Users\Liz Blanco\AppData\Local\Temp\RHSetup.exe => Moved successfully.
C:\Users\Liz Blanco\AppData\Local\Temp\SHSetup.exe => Moved successfully.
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Liz Blanco\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.
C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
C:\ProgramData\HELP_DECRYPT.TXT => Moved successfully.
C:\ProgramData\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Liz Blanco\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Liz Blanco\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Liz Blanco\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Liz Blanco\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Liz Blanco\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Liz Blanco\Downloads\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Liz Blanco\Documents\HELP_DECRYPT.URL => Moved successfully.
"C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.HTML => Moved successfully.
"C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.TXT => Moved successfully.
"C:\Users\Liz Blanco\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
C:\Users\Liz Blanco\AppData\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Liz Blanco\AppData\Local\ejyxoj => Moved successfully.
C:\Users\Liz Blanco\AppData\Local\Edltion => Moved successfully.
C:\Users\Liz Blanco\AppData\Local\Agfsworks => Moved successfully.
C:\ProgramData\IuyuHdes => Moved successfully.

The system needed a reboot.

==== End of Fixlog 13:58:50 ====

RogueKiller V10.5.10.0 (x64) [Apr 14 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Liz Blanco [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 04/16/2015  14:21:19

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 20 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run | FlashPlayerUpdate : C:\Users\Liz Blanco\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [-] -> Deleted
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run | IuyuHdes : regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero" [7][-] -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run | FlashPlayerUpdate : C:\Users\Liz Blanco\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe  -> ERROR [2]
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run | IuyuHdes : regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero"  -> ERROR [2]
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo.msn.com  -> Not selected
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo.msn.com  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{88F1070F-6912-4E35-8E73-2E19CEB3BC4D} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E859EBDE-727D-4667-8EEE-C39BB6596FE0} | NameServer : 65.32.5.111,65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{88F1070F-6912-4E35-8E73-2E19CEB3BC4D} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E859EBDE-727D-4667-8EEE-C39BB6596FE0} | NameServer : 65.32.5.111,65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{88F1070F-6912-4E35-8E73-2E19CEB3BC4D} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E859EBDE-727D-4667-8EEE-C39BB6596FE0} | NameServer : 65.32.5.111,65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 13 ¤¤¤
[ZeroAccess][Junction] en-US -- C:\Program Files\Windows Defender\en-US [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MpAsDesc.dll -- C:\Program Files\Windows Defender\MpAsDesc.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MpClient.dll -- C:\Program Files\Windows Defender\MpClient.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MpCmdRun.exe -- C:\Program Files\Windows Defender\MpCmdRun.exe [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MpCommu.dll -- C:\Program Files\Windows Defender\MpCommu.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MpEvMsg.dll -- C:\Program Files\Windows Defender\MpEvMsg.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MpOAV.dll -- C:\Program Files\Windows Defender\MpOAV.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MpRTP.dll -- C:\Program Files\Windows Defender\MpRTP.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MpSvc.dll -- C:\Program Files\Windows Defender\MpSvc.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MSASCui.exe -- C:\Program Files\Windows Defender\MSASCui.exe [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MsMpCom.dll -- C:\Program Files\Windows Defender\MsMpCom.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MsMpLics.dll -- C:\Program Files\Windows Defender\MsMpLics.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted
[ZeroAccess][Junction] MsMpRes.dll -- C:\Program Files\Windows Defender\MsMpRes.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> Junction Deleted

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 4 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHLWAPI.dll - PathAppendW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHLWAPI.dll - PathAppendW :  @ 0x0 ()

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK3265GSX +++++
--- User ---
[MBR] 98add4a4523c56d574670d14cb74bdea
[BSP] 3a06a5e275c571325bec692c7a49fb88 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 411648 | Size: 260243 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 533389312 | Size: 29692 MB
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 594198528 | Size: 15109 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_04162015_142019.log



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 17 April 2015 - 07:33 AM



I suggest you run the RogueKiller tool and fix this line if you wish your RESTORE POINT TO BE ON.

[PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Not selected
===

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes/OK when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.
Copy & Paste contents of FSS.txt into your reply.
==

Please run the Farbar Recovery Scan Tool normally and post a fresh FRST log for my review.
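
The checks FSS performs on those items (service key present, Start type, ImagePath, ServiceDll on disk, and the "disabled" policy values such as the DisableSR line flagged above) can be reproduced read-only from an elevated PowerShell 3+ prompt. This is an added example, not code from the thread or from Farbar's tools; the expected Windows 7 default start types are an assumption, and the script changes nothing.

```powershell
# Added example, not from this thread or from Farbar's tools: a read-only audit of the
# same Windows 7 items FSS reports on. Run in an elevated PowerShell 3+; it changes nothing.

# Expected Start values (2 = Auto, 3 = Manual). These Windows 7 defaults are an
# assumption; compare against a known-good machine of the same edition if in doubt.
$expected = [ordered]@{
    'mpsdrv'       = 3   # Windows Firewall Authorization Driver
    'MpsSvc'       = 2   # Windows Firewall
    'BFE'          = 2   # Base Filtering Engine
    'SharedAccess' = 3   # Internet Connection Sharing (holds FirewallPolicy)
    'wscsvc'       = 2   # Security Center / Action Center
    'wuauserv'     = 2   # Windows Update
    'BITS'         = 2   # Background Intelligent Transfer Service
    'WinDefend'    = 2   # Windows Defender
    'iphlpsvc'     = 2   # IP Helper
}
$startName = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-ServiceConfig {
    param([string]$Name, [int]$ExpectedStart)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    # A missing key is what FSS prints as "Unable to open ... The service key does not exist."
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Item = $Name; Status = 'ATTENTION'; Detail = 'service key does not exist' }
    }
    $p = Get-ItemProperty -LiteralPath $key
    $issues = @()
    if ($null -eq $p.Start) {
        $issues += 'Start value missing'
    } elseif ([int]$p.Start -ne $ExpectedStart) {
        $issues += "Start is $($startName[[int]$p.Start]), default is $($startName[$ExpectedStart])"
    }
    if ([string]::IsNullOrEmpty($p.ImagePath)) { $issues += 'ImagePath missing' }
    # svchost-hosted services keep their DLL under Parameters\ServiceDll; confirm it is on disk.
    $paramKey = "$key\Parameters"
    if (Test-Path -LiteralPath $paramKey) {
        $dll = (Get-ItemProperty -LiteralPath $paramKey).ServiceDll
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path -LiteralPath $dll)) { $issues += "ServiceDll not on disk: $dll" }
        }
    }
    $status = if ($issues.Count -gt 0) { 'ATTENTION' } else { 'OK' }
    [pscustomobject]@{ Item = $Name; Status = $status; Detail = ($issues -join '; ') }
}

# Registry values that switch a protection off. Bad = the value that means "disabled".
$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name = 'DisableSR'; Bad = 1; What = 'System Restore' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableSR'; Bad = 1; What = 'System Restore (policy)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Bad = 1; What = 'Windows Defender' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate'; Bad = 1; What = 'Automatic Updates' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0; What = 'Firewall (standard profile)' }
)

function Test-DisablePolicy {
    param([hashtable]$Policy)
    $name = $Policy.Name
    $v = Get-ItemProperty -LiteralPath $Policy.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $v) {
        # Absent value (or absent key) means "not set": the Windows default applies.
        return [pscustomobject]@{ Item = $Policy.What; Status = 'OK'; Detail = "$name not set" }
    }
    $val = [int]$v.$name
    $status = if ($val -eq $Policy.Bad) { 'ATTENTION' } else { 'OK' }
    [pscustomobject]@{ Item = $Policy.What; Status = $status; Detail = "$name = $val" }
}

$report = @()
foreach ($svc in $expected.Keys) { $report += Test-ServiceConfig -Name $svc -ExpectedStart $expected[$svc] }
foreach ($pol in $policies)    { $report += Test-DisablePolicy -Policy $pol }
$report | Format-Table -AutoSize
```

A service reported with no registry key at all cannot be fixed by changing its Start type; its entries have to be re-imported from a clean machine of the same Windows edition, which is why the helper asks for the log rather than a repair attempt.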

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 22 April 2015 - 08:31 AM

Are you still with me?

#11 ginavg

ginavg
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 22 April 2015 - 09:18 AM

Yes... just got back from being out of town. Please look for my answer tonight after I am in front of the machine. Thanks for your patience!



#12 ginavg

ginavg
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 22 April 2015 - 05:56 PM

I ran the RogueKiller program but cannot find the line that you mentioned for the restore point. Also, it didn't have everything selected, so I just deleted the defaults.

Here is the log.

RogueKiller V10.5.10.0 (x64) [Apr 14 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Liz Blanco [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 04/22/2015  18:22:54

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 20 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run | FlashPlayerUpdate : C:\Users\Liz Blanco\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [-] -> Deleted
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run | IuyuHdes : regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero" [7][-] -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run | FlashPlayerUpdate : C:\Users\Liz Blanco\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe  -> ERROR [2]
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Windows\CurrentVersion\Run | IuyuHdes : regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero"  -> ERROR [2]
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo.msn.com  -> Not selected
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo.msn.com  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{88F1070F-6912-4E35-8E73-2E19CEB3BC4D} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E859EBDE-727D-4667-8EEE-C39BB6596FE0} | NameServer : 65.32.5.111,65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{88F1070F-6912-4E35-8E73-2E19CEB3BC4D} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E859EBDE-727D-4667-8EEE-C39BB6596FE0} | NameServer : 65.32.5.111,65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{88F1070F-6912-4E35-8E73-2E19CEB3BC4D} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E859EBDE-727D-4667-8EEE-C39BB6596FE0} | NameServer : 65.32.5.111,65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Not selected
[PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 24 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHLWAPI.dll - PathAppendW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetCloseHandle :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetSetOptionA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetQueryOptionA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpQueryInfoA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetConnectW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetSetOptionW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetQueryOptionW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetQueryDataAvailable :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetReadFile :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestExW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetWriteFile :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpEndRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) ADVAPI32.dll - CreateProcessAsUserW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpSendRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - HttpOpenRequestA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) WININET.dll - InternetConnectA :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW :  @ 0x0 ()
[IAT:Inl(Hook.IEAT)] (iexplore.exe) SHLWAPI.dll - PathAppendW :  @ 0x0 ()

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK3265GSX +++++
--- User ---
[MBR] 98add4a4523c56d574670d14cb74bdea
[BSP] 3a06a5e275c571325bec692c7a49fb88 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 411648 | Size: 260243 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 533389312 | Size: 29692 MB
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 594198528 | Size: 15109 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_04162015_142019.log - RKreport_DEL_04162015_142119.log - RKreport_SCN_04222015_182142.log


I will post the Farbar log in a moment.



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 23 April 2015 - 07:30 AM

Your System Restore is disabled.
[PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Not selected

Run the RogueKiller tool and fix the line.
===

Waiting for the Farbar log.

#14 ginavg

ginavg
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 23 April 2015 - 04:58 PM

OK, I reran the scan, found the registry entry, selected it and deleted it. Hopefully that is what I was supposed to do. Here is the Farbar scan:


Farbar Service Scanner Version: 17-01-2015
Ran by Liz Blanco (administrator) on 22-04-2015 at 19:25:07
Running from "C:\Users\Liz Blanco\Desktop\New folder"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.

System Restore:
============

System Restore Policy:
========================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-04-2015 01
Ran by Liz Blanco (administrator) on LIZBLANCO-PC on 22-04-2015 19:32:27
Running from E:\Malware Removal Tools 02.06.15\farbar recovery scan tool\64 bit
Loaded Profiles: Liz Blanco (Available profiles: Liz Blanco)
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
() C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\RegHunter\RegHunter.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Farbar) C:\Users\Liz Blanco\Desktop\New folder\FSS.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDWare] => C:\Program Files\Elantech\ETDCtrl.exe [2598280 2010-06-23] (ELAN Microelectronics Corp.)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4462496 2010-04-12] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [7056800 2010-03-18] (Lenovo (Beijing) Limited)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35184 2008-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [UCam_Menu] => C:\Program Files (x86)\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [AppleSyncNotifier] => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-07-24] (Google Inc.)
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [FlashPlayerUpdate] => C:\Users\Liz Blanco\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [173056 2015-04-22] ()
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Run: [IuyuHdes] => regsvr32.exe "C:\ProgramData\IuyuHdes\PoylEhxu.ero"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2011-06-07]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2013-11-16]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-09-20] (Hewlett-Packard Co.)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll [2014-04-09] (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-09-20] (Hewlett-Packard Co.)
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: HKLM-x32 {2B497CAF-D938-4059-BA76-0DA5DB77EA0A} https://remote.americanlegion273.org/Remote/BuiltIns/FS/Wssg.Web.FileAccess.RichUpload.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 65.32.5.111 65.32.5.112
Tcpip\..\Interfaces\{E859EBDE-727D-4667-8EEE-C39BB6596FE0}: [NameServer] 65.32.5.111,65.32.5.112

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-09-22] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-06-07]
FF HKU\S-1-5-21-2221435316-2506893427-2594210335-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR Profile: C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-05]
CHR Extension: (Windows Theme Manager 2 API) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla [2015-03-16]
CHR Extension: (Google Docs) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-05]
CHR Extension: (Google Drive) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-05]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-05]
CHR Extension: (YouTube) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-24]
CHR Extension: (Google Search) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-24]
CHR Extension: (Google Sheets) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-05]
CHR Extension: (Google Wallet) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26]
CHR Extension: (Gmail) - C:\Users\Liz Blanco\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-24]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
S2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-09-20] (Hewlett-Packard Co.) [File not signed]
S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2008-12-03] (Hewlett-Packard) [File not signed]
R2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] () [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2008-12-03] (Hewlett-Packard) [File not signed]
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1026432 2015-03-23] (Enigma Software Group USA, LLC.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2015-03-23] (Enigma Software Group USA, LLC.)
R3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-22 19:07 - 2015-04-22 19:25 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\New folder
2015-04-16 14:15 - 2015-04-16 14:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2015-04-16 14:14 - 2015-04-16 14:15 - 00000000 ____D () C:\Program Files\RogueKiller
2015-04-16 14:08 - 2015-04-22 19:16 - 00037624 _____ () C:\windows\system32\Drivers\TrueSight.sys
2015-04-16 14:08 - 2015-04-16 14:10 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-04-16 14:07 - 2015-04-16 14:07 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\rougekiller
2015-04-16 13:58 - 2015-04-16 13:58 - 00000000 ____D () C:\ProgramData\IuyuHdes
2015-04-13 18:38 - 2015-04-22 19:32 - 00000000 ____D () C:\FRST
2015-04-13 18:02 - 2015-04-13 18:06 - 00000000 ____D () C:\AdwCleaner
2015-04-11 19:15 - 2015-04-11 19:15 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Macromedia
2015-04-11 19:14 - 2015-04-11 19:14 - 00008598 _____ () C:\Users\Liz Blanco\Desktop\HELP_DECRYPT.HTML
2015-04-11 19:14 - 2015-04-11 19:14 - 00004242 _____ () C:\Users\Liz Blanco\Desktop\HELP_DECRYPT.TXT
2015-04-11 19:14 - 2015-04-11 19:14 - 00000280 _____ () C:\Users\Liz Blanco\Desktop\HELP_DECRYPT.URL
2015-04-04 17:36 - 2015-04-04 17:36 - 00001889 _____ () C:\Users\Liz Blanco\Desktop\ShadowExplorer.lnk
2015-04-04 17:36 - 2015-04-04 17:36 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\www.shadowexplorer.com
2015-04-04 17:36 - 2015-04-04 17:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
2015-04-04 17:36 - 2015-04-04 17:36 - 00000000 ____D () C:\Program Files (x86)\ShadowExplorer
2015-04-04 14:54 - 2015-04-04 14:54 - 00009300 _____ () C:\Users\Liz Blanco\Documents\CryptoWall 3_0.htm
2015-04-04 14:51 - 2015-04-04 14:51 - 00008598 _____ () C:\HELP_DECRYPT.HTML
2015-04-04 14:51 - 2015-04-04 14:51 - 00004242 _____ () C:\HELP_DECRYPT.TXT
2015-04-04 14:51 - 2015-04-04 14:51 - 00000761 _____ () C:\windows\system32\Drivers\etc\hosts.txt
2015-04-04 14:51 - 2015-04-04 14:51 - 00000280 _____ () C:\HELP_DECRYPT.URL
2015-04-04 13:50 - 2015-04-04 15:16 - 00129752 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-04 13:49 - 2015-04-04 13:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-04-04 13:49 - 2015-04-04 13:49 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-04-04 13:49 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-04-04 13:49 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-04-04 13:17 - 2015-04-04 13:18 - 00018944 ___SH () C:\Users\Liz Blanco\Thumbs.db
2015-04-04 12:59 - 2015-04-04 13:02 - 00011560 _____ () C:\Users\Liz Blanco\Desktop\Rkill.txt
2015-03-25 14:29 - 2015-03-25 14:29 - 00218467 _____ () C:\sh4_service.log
2015-03-25 07:46 - 2015-03-23 22:47 - 00025472 _____ () C:\windows\system32\sh4native.exe
2015-03-25 07:39 - 2015-04-04 14:51 - 00000000 __SHD () C:\found.000
2015-03-23 22:48 - 2015-03-23 22:48 - 00003354 _____ () C:\windows\System32\Tasks\SpyHunter4Startup
2015-03-23 22:48 - 2015-03-23 22:48 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Enigma Software Group
2015-03-23 22:48 - 2015-03-23 22:48 - 00000000 ____D () C:\sh4ldr

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-22 19:26 - 2014-08-26 22:07 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\CrashDumps
2015-04-22 19:12 - 2009-07-14 01:13 - 00004530 _____ () C:\windows\system32\PerfStringBackup.INI
2015-04-22 19:11 - 2011-08-15 21:28 - 00003962 _____ () C:\windows\System32\Tasks\User_Feed_Synchronization-{ADED22FA-842C-4633-B870-4F2E51BFAC81}
2015-04-22 19:10 - 2009-07-14 00:45 - 00013632 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-22 19:10 - 2009-07-14 00:45 - 00013632 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-22 19:03 - 2013-07-24 08:58 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-22 19:02 - 2012-08-17 19:20 - 00063284 _____ () C:\windows\setupact.log
2015-04-22 19:02 - 2009-07-14 01:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-04-22 18:58 - 2012-05-25 08:33 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-04-22 18:49 - 2013-07-24 08:58 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-22 18:15 - 2013-07-24 08:59 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-16 13:58 - 2011-05-31 20:07 - 00000000 ____D () C:\Users\Liz Blanco
2015-04-14 18:28 - 2012-05-25 08:33 - 00778416 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-04-14 18:28 - 2012-05-25 08:33 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2015-04-14 18:28 - 2012-01-02 12:01 - 00142512 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-13 18:07 - 2012-08-17 19:20 - 00043452 _____ () C:\windows\PFRO.log
2015-04-13 17:58 - 2011-02-16 19:44 - 01682594 _____ () C:\windows\WindowsUpdate.log
2015-04-11 19:17 - 2013-12-19 17:48 - 03371520 ___SH () C:\Users\Liz Blanco\Desktop\Thumbs.db
2015-04-11 19:14 - 2015-03-21 17:50 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-04-04 15:39 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\Speech
2015-04-04 15:09 - 2014-09-17 15:13 - 00001131 _____ () C:\Users\Liz Blanco\Desktop\SpyHunter.lnk
2015-04-04 15:07 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\Globalization
2015-04-04 15:04 - 2011-05-31 21:12 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Adobe
2015-04-04 13:49 - 2012-08-16 14:02 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Malwarebytes
2015-04-04 13:49 - 2012-08-16 14:02 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-04-04 13:49 - 2012-08-16 14:02 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-03-26 16:33 - 2009-07-14 01:08 - 00032606 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2015-03-25 16:45 - 2011-05-31 20:10 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\LiZumba
2015-03-23 22:48 - 2014-09-17 15:13 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2015-03-23 17:43 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Website passwords
2015-03-23 17:42 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\RECIPES
2015-03-23 17:41 - 2014-04-24 11:32 - 00000000 ____D () C:\Users\Liz Blanco\Documents\MAKOS
2015-03-23 17:41 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\MySpaceIM Pics
2015-03-23 17:41 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\MadDog
2015-03-23 17:40 - 2014-11-29 00:08 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Las Vegas
2015-03-23 17:38 - 2012-10-08 10:11 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Flyer ideas
2015-03-23 17:38 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\GBG
2015-03-23 17:37 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Ferny's College Info
2015-03-23 17:36 - 2014-08-26 22:09 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Z-Convention 2014
2015-03-23 17:36 - 2014-05-18 17:41 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\pictures to sort out
2015-03-23 17:36 - 2013-12-19 18:31 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Walgreens pics
2015-03-23 17:36 - 2012-10-08 10:11 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Breast Cancer Fundraiser
2015-03-23 17:36 - 2011-06-06 19:22 - 00000000 ____D () C:\Users\Liz Blanco\Documents\Amer Legion
2015-03-23 17:36 - 2011-05-31 20:12 - 00000000 ____D () C:\Users\Liz Blanco\Documents\BOBBY
2015-03-23 17:35 - 2014-11-08 10:57 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Pics to sort out
2015-03-23 17:34 - 2015-03-11 16:44 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\MS event 2015
2015-03-23 17:34 - 2015-02-18 18:07 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Mad Beach
2015-03-23 17:18 - 2015-02-15 21:17 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Amer Heart Assoc event 2-13-15
2015-03-23 17:18 - 2014-11-02 20:50 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\BCF event pics 2014
2015-03-23 17:18 - 2014-11-02 20:47 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Halloween 2014
2015-03-23 17:18 - 2014-08-26 11:41 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\Hopechest z-bash
2015-03-23 17:18 - 2013-09-19 12:29 - 00000000 ____D () C:\Users\Liz Blanco\Desktop\CLASS FLYERS
2015-03-23 17:18 - 2012-05-26 22:51 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\ooVoo Details
2015-03-23 17:18 - 2012-05-26 22:37 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Skype
2015-03-23 17:17 - 2014-08-26 12:04 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Corel
2015-03-23 17:17 - 2011-06-07 21:16 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\HP
2015-03-23 17:17 - 2011-05-31 20:51 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Roaming\Apple Computer
2015-03-23 17:17 - 2011-05-31 20:51 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Apple Computer
2015-03-23 17:16 - 2012-01-02 12:01 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Google
2015-03-23 17:16 - 2011-06-13 23:45 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\HP
2015-03-23 17:15 - 2011-05-31 21:12 - 00000000 ____D () C:\Users\Liz Blanco\AppData\Local\Adobe
2015-03-23 17:15 - 2011-02-16 20:31 - 00000000 ____D () C:\ProgramData\Lenovo

==================== Files in the root of some directories =======

2015-03-20 18:39 - 2015-03-20 18:39 - 0023328 _____ () C:\Users\Liz Blanco\AppData\Roaming\00-the_black_keys-el_camino-2011-proof.jpg
2011-06-07 20:49 - 2013-04-19 21:51 - 0003590 _____ () C:\ProgramData\hpzinstall.log
2011-02-16 20:23 - 2011-05-31 20:06 - 0000235 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc

Some content of TEMP:
====================
C:\Users\Liz Blanco\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Liz Blanco\AppData\Local\Temp\Quarantine.exe
C:\Users\Liz Blanco\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-04-16 15:16

==================== End Of Log ============================



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 24 April 2015 - 08:58 AM

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program.
  • Execute the instructions on Step 1 (Important).
  • Click Next on Step 2 (Optional), do the Pre Scan, and skip Steps 3 and 4 (Optional) for now.
  • On Step 5 (Backup System Restore), do a Registry backup. When you have completed this, click Next.
  • Click on Repairs.
  • Click Repairs - Open Repairs in the bottom right corner.
  • Click the Unselect All button, then select just the item(s) listed below:

    01 - Repair Registry Permissions
    03 - Reset Service Permissions
    04 - Register System Files
    05 - Repair WMI
    06 - Repair Windows Firewall
    07 - Repair Internet Explorer
    08 - Repair MDAC/MS Jet
    10 - Remove Policies Set By Infections
    13 - Repair Winsock & DNS Cache
    14 - Remove Temp Files
    17 - Repair Windows Updates
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Services to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.

  p.s.
  Make sure you do Step 5; it's important.
  ===

  Please run the Farbar Service Scanner and post a fresh FSS log for my review.

  Let me know what problem persists.




