Help to remove Cryptowall 3.0 please

#1 beeej

Posted 11 May 2015 - 05:48 PM

Hello. We were attacked by Cryptowall 3.0. All of my files (doc, xls, pdf, jpg, etc.) were encrypted. I did not find out about this until I found that they were all unopenable. Only because I investigated did I find the infection. I never received a pop-up, but I did find .txt files that explain their exploit.

I was/am running Windows Defender. Obviously that did not help. I subsequently downloaded and ran Malwarebytes, and that found and "quarantined" some things. I found and followed a log on BleepingComputer to further remove the Trojan. I don't remember what else I ran (sorry).

I am running Win 8.1 on a Lenovo laptop.

The attacks seem to have stopped, but I am not sure if the Trojan is actually gone. I would like to move forward. Could you please help to ensure we are clean? And I believe Malwarebytes is the best choice to keep this bad boy out. Do you agree? Many, many thanks in advance.

Here is a copy of my FRST.txt log. I am attaching the addition.txt as you requested.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-05-2015
Ran by Bryan (administrator) on Y510 on 11-05-2015 18:30:57
Running from C:\Users\Bryan\Desktop
Loaded Profiles: UpdatusUser & Bryan (Available profiles: UpdatusUser & Bryan)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Condusiv Technologies) C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDIntelligent.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Eyeo GmbH) C:\Program Files\Adblock Plus for IE\AdblockPlusEngine.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Citrix Systems, Inc.) C:\Program Files\WindowsApps\D50536CD.CitrixReceiver_1.4.3.0_x86__hmf6bx7z76t54\Receiver.exe
(Microsoft Corporation) C:\Windows\System32\FileHistory.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
() C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Nvtmru] => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1028896 2013-08-27] (NVIDIA Corporation)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13648600 2013-08-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-30] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2894664 2013-08-13] (ELAN Microelectronics Corp.)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [17111056 2013-11-14] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [193008 2013-11-14] (Lenovo(beijing) Limited)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM-x32\...\Run: [Lenovo App Shop] => C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\ismagent.exe [156000 2013-07-18] (Intel Corporation)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [214312 2011-12-06] (CyberLink Corp.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [407904 2014-11-27] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153952 2014-11-27] (Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4149707372-3375531583-2344423492-1002\...\MountPoints2: {0dc278ba-4d1a-11e3-824e-806e6f6e6963} - "E:\SETUP.EXE"
HKU\S-1-5-21-4149707372-3375531583-2344423492-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\Bubbles.scr [786432 2013-08-22] (Microsoft Corporation)
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [184048 2013-12-26] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BootExecute: autocheck autochk * 

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-4149707372-3375531583-2344423492-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-4149707372-3375531583-2344423492-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://home.lenovo.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4149707372-3375531583-2344423492-1002 -> {8A857E66-2578-4223-9699-0F850447D35E} URL =
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-04-20] (IvoSoft)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-02-25] (Eyeo GmbH)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO-x32: SMART Notebook Download Utility -> {67BCF957-85FC-4036-8DC4-D4D80E00A77B} -> C:\Program Files (x86)\SMART Technologies\Education Software\NotebookPlugin.dll [2013-11-27] (SMART Technologies ULC.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-02-25] (Eyeo GmbH)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-11-27] (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{C7A18AB6-D452-4453-ADB0-8BA52E9463E2}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{CCC8CD91-4261-4719-959A-152691EF9CEE}: [NameServer] 8.8.8.8,8.8.4.4

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_11_9_900_152.dll [2014-10-08] ()
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-09-22] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_152.dll [2014-10-08] ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2014-11-27] (Citrix Systems, Inc.)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin HKU\S-1-5-21-4149707372-3375531583-2344423492-1002: intel.com/AppUp -> C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\npAppUp.dll [2013-07-18] (Intel)
FF Plugin HKU\S-1-5-21-4149707372-3375531583-2344423492-1002: intel.com/AppUpx64 -> C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\npAppUp_x64.dll [2013-07-18] (Intel)

Chrome:
=======
CHR Profile: C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-03]
CHR Extension: (Google Docs) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-03]
CHR Extension: (Google Drive) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-03]
CHR Extension: (YouTube) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-03]
CHR Extension: (Adblock Plus) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-04-03]
CHR Extension: (Google Search) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-03]
CHR Extension: (Google Sheets) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-03]
CHR Extension: (Bookmark Manager) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-05-03]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-03]
CHR Extension: (Gmail) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-03]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ETDService; C:\Program Files\Elantech\ETDService.exe [92160 2013-07-28] (ELAN Microelectronics Corp.)
R2 ExpressCache; C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe [107944 2013-01-08] (Condusiv Technologies)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-08-08] (Intel Corporation)
R2 Intel® Wireless Bluetooth® 4.0 Radio Management; C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe [155448 2013-09-23] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-08-08] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2013-08-23] ()
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3667696 2013-08-23] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [132920 2013-04-23] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1386296 2013-08-19] (Motorola Solutions, Inc.)
R3 ETDSMBus; C:\Windows\system32\DRIVERS\ETDSMBus.sys [22280 2013-08-04] (ELAN Microelectronic Corp.)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [26024 2013-01-08] (Condusiv Technologies)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [112552 2013-01-08] (Condusiv Technologies)
S3 GeneStor; C:\Windows\System32\drivers\GeneStor.sys [100072 2013-08-02] (GenesysLogic)
R1 GUBootStartup; C:\windows\System32\drivers\GUBootStartup.sys [20160 2014-10-11] (Glarysoft Ltd)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [118216 2013-09-23] (Intel Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [136408 2015-05-10] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-08-08] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3589600 2013-09-25] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
S3 RtlWlanu; C:\Windows\system32\DRIVERS\rtwlanu.sys [1975000 2013-07-31] (Realtek Semiconductor Corporation                           )
R3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [8247640 2013-07-19] (Realtek Semiconductor Corp.)
R3 SensorsAlsDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-31] (Microsoft Corporation)
R3 SensorsHIDClassDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-31] (Microsoft Corporation)
R3 SensorsServiceDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-31] (Microsoft Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-05-03] ()
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
S1 iqykkpbe; \??\C:\windows\system32\drivers\iqykkpbe.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-11 18:30 - 2015-05-11 18:31 - 00023087 _____ () C:\Users\Bryan\Desktop\FRST.txt
2015-05-11 18:30 - 2015-05-11 18:30 - 02102784 _____ (Farbar) C:\Users\Bryan\Desktop\FRST64.exe
2015-05-11 18:30 - 2015-05-11 18:30 - 00000000 ____D () C:\FRST
2015-05-10 12:41 - 2015-05-11 04:03 - 00003600 _____ () C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4149707372-3375531583-2344423492-1002
2015-05-10 10:32 - 2015-05-10 10:35 - 00000000 ____D () C:\Users\Bryan\Downloads\produkey-x64
2015-05-10 10:32 - 2015-05-10 10:32 - 00072216 _____ () C:\Users\Bryan\Downloads\produkey-x64.zip
2015-05-10 09:46 - 2015-05-10 09:46 - 00000597 _____ () C:\Users\Bryan\Desktop\JRT.txt
2015-05-10 09:40 - 2015-05-10 09:42 - 00000000 ____D () C:\AdwCleaner
2015-05-10 09:36 - 2015-05-10 09:36 - 21169248 _____ (Kroll Ontrack Inc. ) C:\Users\Bryan\Downloads\ER_WIN_PRO.exe
2015-05-10 09:36 - 2015-05-10 09:36 - 00000000 ____D () C:\Users\Bryan\licman
2015-05-10 09:36 - 2015-05-10 09:36 - 00000000 ____D () C:\Users\Bryan\ERPro64
2015-05-03 16:34 - 2015-05-03 16:36 - 00000000 ____D () C:\Program Files (x86)\SysTools Docx Repair
2015-05-03 16:34 - 2015-05-03 16:34 - 01736549 _____ (CoreDataTree Technology Pvt Ltd ) C:\Users\Bryan\Downloads\setup-docx-repair.exe
2015-05-03 16:34 - 2015-05-03 16:34 - 01736549 _____ (CoreDataTree Technology Pvt Ltd ) C:\Users\Bryan\Downloads\setup-docx-repair (1).exe
2015-05-03 16:17 - 2015-05-03 16:17 - 00995328 _____ () C:\Users\Bryan\Downloads\MicrosoftFixit50784.msi
2015-05-03 08:30 - 2015-05-03 08:30 - 02716306 _____ (Thisisu) C:\Users\Bryan\Desktop\JRT.exe
2015-05-03 08:06 - 2015-05-03 08:06 - 20594776 _____ () C:\Users\Bryan\Desktop\RogueKillerX64.exe
2015-05-02 13:56 - 2015-05-10 10:41 - 00000000 ____D () C:\windows\pss
2015-04-29 23:59 - 2015-04-30 00:00 - 00020556 _____ () C:\Users\Bryan\Downloads\Journal Reflection 31.docx.txt
2015-04-29 23:58 - 2015-04-29 23:58 - 00020556 _____ () C:\Users\Bryan\Downloads\Journal Reflection 31 (2014_09_04 05_14_45 UTC).docx.txt
2015-04-20 08:21 - 2015-04-20 08:21 - 00205741 _____ () C:\Users\Bryan\Downloads\advanced2_lessonplans_06 (1).zip
2015-04-20 08:07 - 2015-04-20 08:07 - 00205741 _____ () C:\Users\Bryan\Downloads\advanced2_lessonplans_06.zip
2015-04-20 02:30 - 2015-04-20 02:30 - 00000000 ____D () C:\ProgramData\FLEXnet

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-11 18:30 - 2014-10-11 11:25 - 02091541 _____ () C:\windows\WindowsUpdate.log
2015-05-11 18:10 - 2013-08-22 11:36 - 00000000 ____D () C:\windows\system32\sru
2015-05-11 03:55 - 2015-02-03 00:45 - 00000916 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-05-11 03:46 - 2014-10-08 21:10 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-05-11 03:05 - 2014-10-08 20:01 - 00000000 ____D () C:\Users\Bryan\AppData\Local\Microsoft Help
2015-05-10 23:55 - 2015-02-03 00:45 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-05-10 13:40 - 2013-08-22 11:36 - 00000000 ____D () C:\windows\AppReadiness
2015-05-10 13:34 - 2013-08-28 04:36 - 00865408 _____ () C:\windows\system32\PerfStringBackup.INI
2015-05-10 13:32 - 2014-10-12 19:52 - 00005967 _____ () C:\windows\setupact.log
2015-05-10 13:29 - 2014-09-26 07:10 - 00000000 ____D () C:\Users\Bryan\AppData\Roaming\ClassicShell
2015-05-10 12:40 - 2014-10-11 19:29 - 00136408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-05-10 10:45 - 2014-10-11 11:09 - 00000342 _____ () C:\windows\Tasks\GlaryInitialize 5.job
2015-05-10 10:45 - 2014-09-26 06:52 - 00000000 ___DO () C:\Users\Bryan\SkyDrive
2015-05-10 10:44 - 2014-10-11 11:08 - 00000000 ____D () C:\Program Files (x86)\Glary Utilities 5
2015-05-10 10:42 - 2013-08-22 10:45 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-05-10 10:41 - 2013-08-22 09:25 - 00262144 ___SH () C:\windows\system32\config\BBI
2015-05-10 10:36 - 2015-04-03 14:31 - 00000000 ____D () C:\Users\Bryan\AppData\Local\CrashDumps
2015-05-10 09:46 - 2015-04-03 23:41 - 00000598 _____ () C:\Users\Bryan\Desktop\Malware Removal Training Program - Virus, Trojan, Spyware, and Malware Removal Logs.website
2015-05-10 09:36 - 2014-09-26 06:50 - 00000000 ____D () C:\Users\Bryan
2015-05-10 09:28 - 2014-10-08 20:01 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-05-06 20:40 - 2013-08-22 10:44 - 00508136 _____ () C:\windows\system32\FNTCACHE.DAT
2015-05-03 16:08 - 2015-04-03 14:02 - 00037624 _____ () C:\windows\system32\Drivers\TrueSight.sys
2015-05-03 08:01 - 2015-04-03 10:55 - 00000578 _____ () C:\Users\Bryan\Desktop\Can't remove sysWOW64 - Resolved HijackThis Logs - Malwarebytes Forum.website
2015-04-30 21:57 - 2015-02-03 00:45 - 00002214 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-28 18:23 - 2014-09-26 21:15 - 00000000 ____D () C:\Users\Bryan\AppData\Roaming\vlc
2015-04-26 23:46 - 2015-03-30 21:35 - 00001129 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-04-26 23:46 - 2014-10-11 19:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-04-26 23:46 - 2014-10-11 19:28 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-04-26 23:43 - 2015-03-25 16:27 - 00000000 ____D () C:\Users\Bryan\AppData\Local\puqy
2015-04-26 23:43 - 2015-03-01 03:08 - 00000000 ____D () C:\Users\Bryan\Documents\PDI Courses
2015-04-26 23:43 - 2015-02-15 08:24 - 00000000 ____D () C:\Users\Bryan\Documents\APPR 2015
2015-04-26 23:43 - 2014-09-26 21:02 - 00000000 ____D () C:\Users\Bryan\Documents\Yugioh Cards
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\TRAVELDRIVE
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\StarCraft II
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\Paradox Interactive
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\Overages
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\ON LINE COURSES
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\NOTARIO
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\My TI-Navigator
2015-04-26 23:43 - 2014-09-26 20:55 - 00000000 ____D () C:\Users\Bryan\Documents\My Smilebox Creations
2015-04-26 23:43 - 2014-09-26 20:49 - 00000000 ____D () C:\Users\Bryan\Documents\My Games
2015-04-26 23:43 - 2014-09-26 20:49 - 00000000 ____D () C:\Users\Bryan\Documents\ManiaPlanet
2015-04-26 23:43 - 2014-09-26 20:49 - 00000000 ____D () C:\Users\Bryan\Documents\Growth Marcia
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Fordham
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Firaxis ModBuddy
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Finley Middle School
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Examenes de 2010
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\CyberLink
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Canciones
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Brentwood
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Bluetooth Exchange Folder
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Andrew letters 2012
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\8th Grade Letters
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\4th Quarter Regents Results
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\4th Quarter Geometry Exams
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\3rd Quarter
2015-04-14 09:38 - 2014-10-11 19:28 - 00064216 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-04-14 09:37 - 2014-10-11 19:28 - 00107736 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-04-14 09:37 - 2014-10-11 19:28 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys

==================== Files in the root of some directories =======

2014-09-27 10:16 - 2015-01-20 01:11 - 0000093 _____ () C:\Users\Bryan\AppData\Roaming\ARCompanion.log
2015-03-25 16:44 - 2015-03-25 16:44 - 0045854 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-25 16:44 - 2015-03-25 16:44 - 0004280 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-25 16:44 - 2015-03-25 16:44 - 0000300 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.URL
2015-03-25 16:44 - 2015-03-25 16:44 - 0045854 _____ () C:\Users\Bryan\AppData\Local\HELP_DECRYPT.PNG
2015-03-25 16:44 - 2015-03-25 16:44 - 0004280 _____ () C:\Users\Bryan\AppData\Local\HELP_DECRYPT.TXT
2015-03-25 16:44 - 2015-03-25 16:44 - 0000300 _____ () C:\Users\Bryan\AppData\Local\HELP_DECRYPT.URL
2013-11-14 07:06 - 2013-11-14 07:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\Bryan\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Bryan\AppData\Local\Temp\Quarantine.exe
C:\Users\Bryan\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-04-28 15:41

==================== End Of Log ============================

Attached Files
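The log above already carries the useful CryptoWall indicators: the HELP_DECRYPT.TXT/PNG/URL notes dropped into AppData\Roaming and AppData\Local with one identical timestamp (2015-03-25 16:44), and a random-named folder, C:\Users\Bryan\AppData\Local\puqy, created seventeen minutes before them. The script below is an added example, not code from this thread or from FRST, that automates that triage over FRST text: it collects the notes, takes the earliest note stamp as the approximate end of encryption, lists every other entry stamped within the preceding hour, and flags service or driver lines whose file is missing or unsigned. Its sample input is constructed from excerpts of the FRST logs posted in this thread; the reading of FRST's "[X]" suffix as "file absent" and "[File not signed]" as "unsigned" is an assumption about FRST's output conventions, as is the two-timestamp line layout.

```python
"""Triage an FRST log for CryptoWall artifacts (added example, not from the thread)."""
import re
from datetime import datetime, timedelta

# FRST file/folder lines carry two "YYYY-MM-DD HH:MM" stamps. Their order differs
# between the "Created" and "Modified" sections, so both stamps are checked below.
STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
FILE_LINE = re.compile(
    rf"^(?P<t1>{STAMP}) - (?P<t2>{STAMP}) - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Service/driver lines: "R3 name; path [size date] (company)". Assumption: FRST
# appends "[X]" when the file is absent and "[File not signed]" when unsigned.
SVC_LINE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.+)$")
# CryptoWall 3.0 ransom note names, as seen in the log above.
RANSOM_NOTE = re.compile(r"\\HELP_DECRYPT\.(TXT|PNG|HTML|URL)$", re.IGNORECASE)

# Constructed sample input: excerpts of the FRST logs posted in this thread.
SAMPLE_LOG = r"""
2015-04-26 23:43 - 2015-03-25 16:27 - 00000000 ____D () C:\Users\Bryan\AppData\Local\puqy
2015-04-26 23:43 - 2015-03-01 03:08 - 00000000 ____D () C:\Users\Bryan\Documents\PDI Courses
2015-03-25 16:44 - 2015-03-25 16:44 - 0045854 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-25 16:44 - 2015-03-25 16:44 - 0004280 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-25 16:44 - 2015-03-25 16:44 - 0000300 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.URL
2015-04-14 09:38 - 2014-10-11 19:28 - 00064216 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S1 iqykkpbe; \??\C:\windows\system32\drivers\iqykkpbe.sys [X]
"""


def _ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def triage(log_text: str, window_minutes: int = 60) -> dict:
    """Return the ransom notes, the inferred encryption time, entries stamped in the
    window just before it (where a dropper's working folder tends to appear) and
    services/drivers whose file is missing or unsigned."""
    notes, others, services = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            entry = {"path": m["path"], "times": (_ts(m["t1"]), _ts(m["t2"]))}
            (notes if RANSOM_NOTE.search(entry["path"]) else others).append(entry)
            continue
        s = SVC_LINE.match(line)
        if s and s["rest"].endswith("[X]"):
            services.append((s["name"], "file missing"))
        elif s and "[File not signed]" in s["rest"]:
            services.append((s["name"], "unsigned"))

    result = {"ransom_notes": [n["path"] for n in notes], "encryption_time": None,
              "pivot": [], "services": services}
    if not notes:
        return result
    # The earliest note stamp approximates when encryption finished; anything that
    # appeared shortly before it deserves a look (here: AppData\Local\puqy, 16:27).
    t_enc = min(min(n["times"]) for n in notes)
    low = t_enc - timedelta(minutes=window_minutes)
    result["encryption_time"] = t_enc.strftime("%Y-%m-%d %H:%M")
    result["pivot"] = [e["path"] for e in others
                       if any(low <= t <= t_enc for t in e["times"])]
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full FRST.txt by passing the file's contents to triage(); the pivot list is a starting point for what to look at, not a verdict, since legitimate installs in the same hour land in it too.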




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:41 AM

Posted 16 May 2015 - 05:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/575893 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,256 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:41 PM

Posted 17 May 2015 - 08:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is the infection - CryptoWall and HELP_DECRYPT Ransomware Information Guide
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Other than paying the ransom, if it's not too late, there is nothing we can do to restore your files.
I know one thing: I would not trust them. Your call.

If you have any difficulties with this computer, please run the Farbar tool and post a fresh FRST log for my review.

#4 beeej

beeej
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:41 AM

Posted 17 May 2015 - 08:36 AM

Hello.  We were attacked by Cryptowall 3.0.  All of my files (doc xls pdf jpg etc.) were encrypted.  I did not find out about this until I found out that they were all unopenable.  Only because I investigated did I find the infection.  I never received a pop-up but there are txt files that explain their exploit that I found.

During this investigation, Windows Defender found Trojan Crowti.A but it kept coming back after it was removed.  I still have a lot of HELP_DECRYPT files. I also received warnings about a file in the syswow64 folder called explorer.exe.

I was/am running Windows Defender.  Obviously that did not help.  I subsequently downloaded and ran Malwarebytes and that found and "quarantined" some things.  I found and followed a log on BleepingComputer to further remove the Trojan.  I don't remember what else I ran (sorry).

I am running Win 8.1 on a Lenovo laptop.

The attacks seem to have stopped but I am not sure if the trojan is actually gone.  I would like to move forward.  Could you please help to ensure we are clean?  And, I believe, Malwarebytes is the best choice to keep this bad boy out going forward.  Do you agree?  Many, many thanks in advance.

I do not have my original Windows CD/DVD as Lenovo puts the Windows reinstall software in a separate partition.  I believe I can copy it to a USB drive but have not done that.

Thanks again.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-05-2015 02
Ran by Bryan (administrator) on Y510 on 17-05-2015 09:32:25
Running from C:\Users\Bryan\Desktop
Loaded Profiles: UpdatusUser & Bryan (Available profiles: UpdatusUser & Bryan)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Condusiv Technologies) C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDIntelligent.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Citrix Systems, Inc.) C:\Program Files\WindowsApps\D50536CD.CitrixReceiver_1.4.3.0_x86__hmf6bx7z76t54\Receiver.exe
(Microsoft Corporation) C:\Windows\System32\FileHistory.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
() C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
(Mozilla Corporation) C:\Users\Bryan\Desktop\Tor Browser\Browser\firefox.exe
() C:\Users\Bryan\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
(The Privoxy team - www.privoxy.org) C:\Program Files (x86)\Privoxy\privoxy.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Citrix Systems, Inc.) C:\Users\Bryan\AppData\Local\Temp\ARCompanionForSession1.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Eyeo GmbH) C:\Program Files\Adblock Plus for IE\AdblockPlusEngine.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20856_x64__8wekyb3d8bbwe\livecomm.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Nvtmru] => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1028896 2013-08-27] (NVIDIA Corporation)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13648600 2013-08-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-30] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2894664 2013-08-13] (ELAN Microelectronics Corp.)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [17111056 2013-11-14] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [193008 2013-11-14] (Lenovo(beijing) Limited)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM-x32\...\Run: [Lenovo App Shop] => C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\ismagent.exe [156000 2013-07-18] (Intel Corporation)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [214312 2011-12-06] (CyberLink Corp.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [407904 2015-04-08] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153952 2015-04-08] (Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4149707372-3375531583-2344423492-1002\...\MountPoints2: {0dc278ba-4d1a-11e3-824e-806e6f6e6963} - "E:\SETUP.EXE"
HKU\S-1-5-21-4149707372-3375531583-2344423492-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\Bubbles.scr [786432 2013-08-22] (Microsoft Corporation)
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [184048 2013-12-26] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BootExecute: autocheck autochk * 

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-4149707372-3375531583-2344423492-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-4149707372-3375531583-2344423492-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://home.lenovo.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4149707372-3375531583-2344423492-1002 -> {8A857E66-2578-4223-9699-0F850447D35E} URL =
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-04-20] (IvoSoft)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-02-25] (Eyeo GmbH)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO-x32: SMART Notebook Download Utility -> {67BCF957-85FC-4036-8DC4-D4D80E00A77B} -> C:\Program Files (x86)\SMART Technologies\Education Software\NotebookPlugin.dll [2013-11-27] (SMART Technologies ULC.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-02-25] (Eyeo GmbH)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{C7A18AB6-D452-4453-ADB0-8BA52E9463E2}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{CCC8CD91-4261-4719-959A-152691EF9CEE}: [NameServer] 8.8.8.8,8.8.4.4

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_11_9_900_152.dll [2014-10-08] ()
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-09-22] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_152.dll [2014-10-08] ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2015-04-08] (Citrix Systems, Inc.)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin HKU\S-1-5-21-4149707372-3375531583-2344423492-1002: intel.com/AppUp -> C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\npAppUp.dll [2013-07-18] (Intel)
FF Plugin HKU\S-1-5-21-4149707372-3375531583-2344423492-1002: intel.com/AppUpx64 -> C:\Program Files (x86)\Lenovo\LenovoAppShop\bin\npAppUp_x64.dll [2013-07-18] (Intel)

Chrome:
=======
CHR Profile: C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-03]
CHR Extension: (Google Docs) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-03]
CHR Extension: (Google Drive) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-03]
CHR Extension: (YouTube) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-03]
CHR Extension: (Adblock Plus) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-04-03]
CHR Extension: (Google Search) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-03]
CHR Extension: (Google Sheets) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-03]
CHR Extension: (Bookmark Manager) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-05-03]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-03]
CHR Extension: (Gmail) - C:\Users\Bryan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-03]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ETDService; C:\Program Files\Elantech\ETDService.exe [92160 2013-07-28] (ELAN Microelectronics Corp.)
R2 ExpressCache; C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe [107944 2013-01-08] (Condusiv Technologies)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-08-08] (Intel Corporation)
R2 Intel® Wireless Bluetooth® 4.0 Radio Management; C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe [155448 2013-09-23] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-08-08] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2013-08-23] ()
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3667696 2013-08-23] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [132920 2013-04-23] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1386296 2013-08-19] (Motorola Solutions, Inc.)
R3 ETDSMBus; C:\Windows\system32\DRIVERS\ETDSMBus.sys [22280 2013-08-04] (ELAN Microelectronic Corp.)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [26024 2013-01-08] (Condusiv Technologies)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [112552 2013-01-08] (Condusiv Technologies)
S3 GeneStor; C:\Windows\System32\drivers\GeneStor.sys [100072 2013-08-02] (GenesysLogic)
R1 GUBootStartup; C:\windows\System32\drivers\GUBootStartup.sys [20160 2014-10-11] (Glarysoft Ltd)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [118216 2013-09-23] (Intel Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [136408 2015-05-10] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-08-08] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3589600 2013-09-25] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
S3 RtlWlanu; C:\Windows\system32\DRIVERS\rtwlanu.sys [1975000 2013-07-31] (Realtek Semiconductor Corporation                           )
R3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [8247640 2013-07-19] (Realtek Semiconductor Corp.)
R3 SensorsAlsDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-31] (Microsoft Corporation)
R3 SensorsHIDClassDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-31] (Microsoft Corporation)
R3 SensorsServiceDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-31] (Microsoft Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-05-03] ()
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
S1 iqykkpbe; \??\C:\windows\system32\drivers\iqykkpbe.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-17 00:14 - 2015-05-17 00:14 - 02107392 _____ (Farbar) C:\Users\Bryan\Desktop\FRST64.exe
2015-05-11 23:47 - 2015-05-11 23:47 - 00271894 _____ () C:\Users\Bryan\Downloads\advanced2_lessonplans_07.zip
2015-05-11 21:02 - 2015-05-11 21:02 - 00509008 _____ () C:\Users\Bryan\Downloads\privoxy_setup_3_0_23.exe
2015-05-11 21:02 - 2015-05-11 21:02 - 00000000 ____D () C:\Program Files (x86)\Privoxy
2015-05-11 18:52 - 2015-05-11 18:52 - 00000814 _____ () C:\Users\Bryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
2015-05-11 18:52 - 2015-05-11 18:52 - 00000766 _____ () C:\Users\Bryan\Desktop\Start Tor Browser.lnk
2015-05-11 18:51 - 2015-05-17 00:10 - 00000000 ____D () C:\Users\Bryan\Desktop\Tor Browser
2015-05-11 18:50 - 2015-05-11 18:50 - 35844968 _____ () C:\Users\Bryan\Downloads\torbrowser-install-4.5_en-US.exe
2015-05-11 18:31 - 2015-05-11 18:31 - 00032577 _____ () C:\Users\Bryan\Desktop\Addition.txt
2015-05-11 18:30 - 2015-05-17 09:32 - 00023238 _____ () C:\Users\Bryan\Desktop\FRST.txt
2015-05-11 18:30 - 2015-05-17 09:32 - 00000000 ____D () C:\FRST
2015-05-10 12:41 - 2015-05-16 19:22 - 00003600 _____ () C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4149707372-3375531583-2344423492-1002
2015-05-10 10:32 - 2015-05-10 10:35 - 00000000 ____D () C:\Users\Bryan\Downloads\produkey-x64
2015-05-10 10:32 - 2015-05-10 10:32 - 00072216 _____ () C:\Users\Bryan\Downloads\produkey-x64.zip
2015-05-10 09:46 - 2015-05-10 09:46 - 00000597 _____ () C:\Users\Bryan\Desktop\JRT.txt
2015-05-10 09:40 - 2015-05-10 09:42 - 00000000 ____D () C:\AdwCleaner
2015-05-10 09:36 - 2015-05-10 09:36 - 21169248 _____ (Kroll Ontrack Inc. ) C:\Users\Bryan\Downloads\ER_WIN_PRO.exe
2015-05-10 09:36 - 2015-05-10 09:36 - 00000000 ____D () C:\Users\Bryan\licman
2015-05-10 09:36 - 2015-05-10 09:36 - 00000000 ____D () C:\Users\Bryan\ERPro64
2015-05-03 16:34 - 2015-05-03 16:36 - 00000000 ____D () C:\Program Files (x86)\SysTools Docx Repair
2015-05-03 16:34 - 2015-05-03 16:34 - 01736549 _____ (CoreDataTree Technology Pvt Ltd ) C:\Users\Bryan\Downloads\setup-docx-repair.exe
2015-05-03 16:34 - 2015-05-03 16:34 - 01736549 _____ (CoreDataTree Technology Pvt Ltd ) C:\Users\Bryan\Downloads\setup-docx-repair (1).exe
2015-05-03 16:17 - 2015-05-03 16:17 - 00995328 _____ () C:\Users\Bryan\Downloads\MicrosoftFixit50784.msi
2015-05-03 08:30 - 2015-05-03 08:30 - 02716306 _____ (Thisisu) C:\Users\Bryan\Desktop\JRT.exe
2015-05-03 08:06 - 2015-05-03 08:06 - 20594776 _____ () C:\Users\Bryan\Desktop\RogueKillerX64.exe
2015-05-02 13:56 - 2015-05-10 10:41 - 00000000 ____D () C:\windows\pss
2015-04-29 23:59 - 2015-04-30 00:00 - 00020556 _____ () C:\Users\Bryan\Downloads\Journal Reflection 31.docx.txt
2015-04-29 23:58 - 2015-04-29 23:58 - 00020556 _____ () C:\Users\Bryan\Downloads\Journal Reflection 31 (2014_09_04 05_14_45 UTC).docx.txt
2015-04-20 08:21 - 2015-04-20 08:21 - 00205741 _____ () C:\Users\Bryan\Downloads\advanced2_lessonplans_06 (1).zip
2015-04-20 08:07 - 2015-04-20 08:07 - 00205741 _____ () C:\Users\Bryan\Downloads\advanced2_lessonplans_06.zip
2015-04-20 02:30 - 2015-04-20 02:30 - 00000000 ____D () C:\ProgramData\FLEXnet

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-17 09:29 - 2014-10-11 11:25 - 01313672 _____ () C:\windows\WindowsUpdate.log
2015-05-17 09:29 - 2013-08-22 11:36 - 00000000 ____D () C:\windows\AppReadiness
2015-05-17 09:21 - 2013-08-22 11:36 - 00000000 ____D () C:\windows\system32\sru
2015-05-17 09:20 - 2014-09-26 07:10 - 00000000 ____D () C:\Users\Bryan\AppData\Roaming\ClassicShell
2015-05-16 18:55 - 2015-02-03 00:45 - 00000916 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-05-16 14:51 - 2014-09-26 06:52 - 00000000 ___DO () C:\Users\Bryan\SkyDrive
2015-05-16 14:46 - 2014-10-08 21:10 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-05-15 02:56 - 2015-02-03 00:45 - 00002214 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-05-13 00:34 - 2014-09-27 10:30 - 00001535 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix Receiver.lnk
2015-05-13 00:34 - 2014-09-27 10:16 - 00000093 _____ () C:\Users\Bryan\AppData\Roaming\ARCompanion.log
2015-05-13 00:34 - 2014-09-27 10:03 - 00000000 ____D () C:\Program Files (x86)\Citrix
2015-05-11 23:55 - 2015-02-03 00:45 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-05-11 20:58 - 2015-04-03 14:31 - 00000000 ____D () C:\Users\Bryan\AppData\Local\CrashDumps
2015-05-11 03:05 - 2014-10-08 20:01 - 00000000 ____D () C:\Users\Bryan\AppData\Local\Microsoft Help
2015-05-10 13:34 - 2013-08-28 04:36 - 00865408 _____ () C:\windows\system32\PerfStringBackup.INI
2015-05-10 13:32 - 2014-10-12 19:52 - 00005967 _____ () C:\windows\setupact.log
2015-05-10 12:40 - 2014-10-11 19:29 - 00136408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-05-10 10:45 - 2014-10-11 11:09 - 00000342 _____ () C:\windows\Tasks\GlaryInitialize 5.job
2015-05-10 10:44 - 2014-10-11 11:08 - 00000000 ____D () C:\Program Files (x86)\Glary Utilities 5
2015-05-10 10:42 - 2013-08-22 10:45 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-05-10 10:41 - 2013-08-22 09:25 - 00262144 ___SH () C:\windows\system32\config\BBI
2015-05-10 09:46 - 2015-04-03 23:41 - 00000598 _____ () C:\Users\Bryan\Desktop\Malware Removal Training Program - Virus, Trojan, Spyware, and Malware Removal Logs.website
2015-05-10 09:36 - 2014-09-26 06:50 - 00000000 ____D () C:\Users\Bryan
2015-05-10 09:28 - 2014-10-08 20:01 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-05-06 20:40 - 2013-08-22 10:44 - 00508136 _____ () C:\windows\system32\FNTCACHE.DAT
2015-05-03 16:08 - 2015-04-03 14:02 - 00037624 _____ () C:\windows\system32\Drivers\TrueSight.sys
2015-05-03 08:01 - 2015-04-03 10:55 - 00000578 _____ () C:\Users\Bryan\Desktop\Can't remove sysWOW64 - Resolved HijackThis Logs - Malwarebytes Forum.website
2015-04-28 18:23 - 2014-09-26 21:15 - 00000000 ____D () C:\Users\Bryan\AppData\Roaming\vlc
2015-04-26 23:46 - 2015-03-30 21:35 - 00001129 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-04-26 23:46 - 2014-10-11 19:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-04-26 23:46 - 2014-10-11 19:28 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-04-26 23:43 - 2015-03-25 16:27 - 00000000 ____D () C:\Users\Bryan\AppData\Local\puqy
2015-04-26 23:43 - 2015-03-01 03:08 - 00000000 ____D () C:\Users\Bryan\Documents\PDI Courses
2015-04-26 23:43 - 2015-02-15 08:24 - 00000000 ____D () C:\Users\Bryan\Documents\APPR 2015
2015-04-26 23:43 - 2014-09-26 21:02 - 00000000 ____D () C:\Users\Bryan\Documents\Yugioh Cards
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\TRAVELDRIVE
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\StarCraft II
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\Paradox Interactive
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\Overages
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\ON LINE COURSES
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\NOTARIO
2015-04-26 23:43 - 2014-09-26 20:56 - 00000000 ____D () C:\Users\Bryan\Documents\My TI-Navigator
2015-04-26 23:43 - 2014-09-26 20:55 - 00000000 ____D () C:\Users\Bryan\Documents\My Smilebox Creations
2015-04-26 23:43 - 2014-09-26 20:49 - 00000000 ____D () C:\Users\Bryan\Documents\My Games
2015-04-26 23:43 - 2014-09-26 20:49 - 00000000 ____D () C:\Users\Bryan\Documents\ManiaPlanet
2015-04-26 23:43 - 2014-09-26 20:49 - 00000000 ____D () C:\Users\Bryan\Documents\Growth Marcia
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Fordham
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Firaxis ModBuddy
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Finley Middle School
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Examenes de 2010
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\CyberLink
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Canciones
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Brentwood
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Bluetooth Exchange Folder
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\Andrew letters 2012
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\8th Grade Letters
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\4th Quarter Regents Results
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\4th Quarter Geometry Exams
2015-04-26 23:43 - 2014-09-26 20:48 - 00000000 ____D () C:\Users\Bryan\Documents\3rd Quarter

==================== Files in the root of some directories =======

2014-09-27 10:16 - 2015-05-13 00:34 - 0000093 _____ () C:\Users\Bryan\AppData\Roaming\ARCompanion.log
2015-03-25 16:44 - 2015-03-25 16:44 - 0045854 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-25 16:44 - 2015-03-25 16:44 - 0004280 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-25 16:44 - 2015-03-25 16:44 - 0000300 _____ () C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.URL
2015-03-25 16:44 - 2015-03-25 16:44 - 0045854 _____ () C:\Users\Bryan\AppData\Local\HELP_DECRYPT.PNG
2015-03-25 16:44 - 2015-03-25 16:44 - 0004280 _____ () C:\Users\Bryan\AppData\Local\HELP_DECRYPT.TXT
2015-03-25 16:44 - 2015-03-25 16:44 - 0000300 _____ () C:\Users\Bryan\AppData\Local\HELP_DECRYPT.URL
2013-11-14 07:06 - 2013-11-14 07:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\Bryan\AppData\Local\Temp\ARCompanionForSession1.exe
C:\Users\Bryan\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Bryan\AppData\Local\Temp\Quarantine.exe
C:\Users\Bryan\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-05-13 00:38

==================== End Of Log ============================



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:41 PM

Posted 18 May 2015 - 06:55 AM

No malware or infection was found on your logs.

==

On May 11 your Windows Defender is showing as disabled in your Addition.txt log.
If not already updated follow the instructions on this page.
http://www.thewindowsclub.com/update-windows-defender-manually-windows-8

===
 

I also received warnings about a file in the syswow64 folder called explorer.exe.


C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed

The file looks fine but it may have been compromised. We can check it out later.
 

And, I believe, Malwarebytes is the best choice to keep this bad boy out going forward


CryptoWall is distributed via emails with ZIP attachments that contain executables that are disguised as PDF files. These PDF files pretend to be invoices, purchase orders, bills, complaints, or other business communications. When you double-click on the fake PDF, it will instead infect your computer with the CryptoWall infection and install malware files.
Once you open that document you are infected and nothing will stop it from infecting your computer.
By opening the document you gave access to your computer. Never open a document you are not expecting.

As you said there are many encrypted files and folders to be removed.

I only see the following from your logs

C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.PNG
C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.TXT
C:\Users\Bryan\AppData\Roaming\HELP_DECRYPT.URL
C:\Users\Bryan\AppData\Local\HELP_DECRYPT.PNG
C:\Users\Bryan\AppData\Local\HELP_DECRYPT.TXT
C:\Users\Bryan\AppData\Local\HELP_DECRYPT.URL


I'm sure there are more.

BleepingComputer.com has created a tool called ListCwall that automates the finding and exporting the list of encrypted files from an infected computer.
ListCwall can be downloaded from this URL: http://www.bleepingcomputer.com/download/listcwall/

To use the tool, simply double-click on it and let the program run. ListCwall will search for the registry key that contains the encrypted files and then export them to the ListCwall.txt file on your desktop.

Attach the ListCwall.txt to your next reply.
I may be able to create a fix to remove them.
Source: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information


If you decide to restore your computer to the factory level, here you will find the instructions to do so.
http://www.tomsguide.com/faq/id-2330507/factory-reset-lenovo-windows-laptop.html
Read the instructions before proceeding.

Keep in mind that you will have to install all your 3rd party programs and do Windows updates with Microsoft.

If you decide to continue with me then attach the ListCwall.txt to your next reply and we will take it from there.
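As an added example (not part of the thread and not BleepingComputer's ListCwall tool), the PowerShell script below hunts for the two CryptoWall artifacts named in the post above. Part 1 lists every folder that holds a HELP_DECRYPT.* ransom note (the FRST log shows them in AppData\Roaming and AppData\Local; CryptoWall leaves a copy in each folder it touches, so the folder list approximates the encrypted set even before ListCwall is run). Part 2 looks for the delivery vector the post describes, an executable carrying a .pdf-style decoy extension in the Downloads and Temp folders; it generalises the post's PDF case to a few other document extensions. The roots, the decoy-extension pattern and the report path are assumptions and can be overridden with the parameters.

```powershell
# Added example, not code from the thread or from ListCwall.
# Scans for CryptoWall ransom notes (HELP_DECRYPT.*) and decoy-extension executables,
# then writes a plain-text report to the Desktop. All roots/paths are assumptions.
param(
    [string[]]$NoteRoots    = @($env:USERPROFILE, 'C:\ProgramData'),
    [string[]]$DropperRoots = @((Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP),
    [string]  $Report       = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'CryptoWallHunt.txt')
)

$lines = New-Object System.Collections.Generic.List[string]

# --- Part 1: ransom notes -------------------------------------------------------------
# -Force includes hidden files; -File (PowerShell 3.0+) skips directories.
$notes = @(foreach ($root in $NoteRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter 'HELP_DECRYPT.*' -ErrorAction SilentlyContinue
    }
})
$byDir = @($notes | Group-Object DirectoryName | Sort-Object Name)
$lines.Add("HELP_DECRYPT notes: $($notes.Count) files in $($byDir.Count) folders")
foreach ($g in $byDir) {
    # Show which note types are present, so a folder with only a partial set stands out.
    $kinds = ($g.Group | ForEach-Object { $_.Extension.TrimStart('.') } | Sort-Object -Unique) -join ','
    $lines.Add(("  {0}  [{1}]" -f $g.Name, $kinds))
}

# --- Part 2: decoy-extension executables ----------------------------------------------
# A name like invoice.pdf.exe is shown as "invoice.pdf" when Explorer hides known extensions.
# The extension list is an assumption that generalises the post's "disguised as PDF" case.
$decoy = '\.(pdf|doc|docx|xls|xlsx|jpg|txt)\.(exe|scr|com|pif)$'
$droppers = @(foreach ($root in $DropperRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $decoy }
    }
})
$lines.Add('')
$lines.Add("Decoy-extension executables: $($droppers.Count)")
foreach ($f in $droppers) {
    $lines.Add(("  {0}  {1} bytes  modified {2:yyyy-MM-dd HH:mm}" -f $f.FullName, $f.Length, $f.LastWriteTime))
}

# Write the report and echo it to the console.
$lines | Set-Content -LiteralPath $Report
$lines
"Report written to $Report"
```

Run it from a PowerShell prompt on the affected machine; the folder list in Part 1 is a useful cross-check against the ListCwall.txt export, since any folder holding a note but absent from the export points at files ListCwall did not catch.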

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:41 PM

Posted 23 May 2015 - 08:13 AM

Are you still with me?

#7 beeej

beeej
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 24 May 2015 - 12:32 AM

Yes but I got stuck away from home. Sort of having a family crisis.  A few days please.  Thank you.



#8 beeej

beeej
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 01 June 2015 - 05:18 PM

Hi.  I'm back.  Thanks for your patience.  I will follow your instructions...



#9 beeej

beeej
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 01 June 2015 - 05:25 PM

Attached File  ListCWall.txt   2.7MB   1 downloads

 

Here is the ListCWall.txt file.  Thanks again for your patience and support.

 

B-



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:41 PM

Posted 02 June 2015 - 07:24 AM



First empty your Recycle bin.

===


This will serve as a tutorial to delete all your damaged files on your computer.

To delete the files all you have to do is to copy and paste the following lines in the fixlist.txt file you will create.


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start


CloseProcesses:

from 
C:\Users\Bryan\AppData\Local\Citrix\AuthManager\Logs\AuthManLog.txt

to and including 
F:\DCIM\102CANON\smallIMG_3755.jpg

End
Save the files as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If you need additional information before proceeding please ask.

p.s.
I have never deleted that many files at one time.
It may take some time, let it finish.

After the Restart I suggest you defrag your hard disk.
If the disk is a Solid State Disk DO NOT execute it.
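The post above asks for the whole ListCWall.txt export to be pasted by hand between a `start` / `CloseProcesses:` header and an `End` footer. As an added example (not nasdaq's instructions and not code from FRST or ListCwall), the PowerShell script below builds that fixlist.txt automatically, which avoids copy-and-paste mistakes with a list this long. It assumes ListCWall.txt is on the Desktop (where the post says ListCwall writes it) and that FRST64.exe also runs from the Desktop, as the FRST log earlier in the thread shows; both locations are parameters.

```powershell
# Added example, not nasdaq's or FRST's own code: build fixlist.txt from the ListCWall.txt
# export in the shape described above (start / CloseProcesses: / one path per line / End).
# Desktop locations for both files are assumptions taken from the thread's FRST log.
param(
    [string]$ListFile = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'ListCWall.txt'),
    [string]$FrstDir  = [Environment]::GetFolderPath('Desktop')
)

if (-not (Test-Path -LiteralPath $ListFile)) {
    throw "ListCwall export not found: $ListFile"
}

# Keep only lines that look like absolute Windows paths (drive letter, colon, backslash);
# anything else in the export (headers, blank lines) must not end up in the fix.
$paths = @(Get-Content -LiteralPath $ListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[A-Za-z]:\\' })

# Skip entries that no longer exist so FRST does not spend time on them.
$existing = @($paths | Where-Object { Test-Path -LiteralPath $_ })
$missing  = $paths.Count - $existing.Count

$fixlist = Join-Path $FrstDir 'fixlist.txt'
@('start', 'CloseProcesses:') + $existing + @('End') |
    Set-Content -LiteralPath $fixlist

"fixlist.txt written to $fixlist"
"  $($existing.Count) files listed for FRST to move"
"  $missing entries from ListCWall.txt no longer exist and were skipped"
```

Review the generated fixlist.txt in Notepad before clicking Fix: FRST moves every listed path (the log's own wording is "the file\folder will be moved"), so any file recovery you intend to attempt should be finished first.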

#11 beeej

beeej
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 06 June 2015 - 10:01 AM

Hi,

 

Thank you for following my case.  Since our last messages, I found a program called testdisk 7.0 that scans the unnamed portions of a hard disk and it attempts to recover any files that may have been left there after they are "deleted".

 

I am finding a lot (thousands?) of files, many of which are photos and word docs that I thought to be lost to this crypto nastiness. 

 

However, the program takes days to run.  I don't want to delete anything or mess with anything until I recover whatever I can.  I ran it for two days and it went through about 10% of the disk.  Do you mind if I let it run its course and get back to you when it is done?  I have the machine offline so as to reduce the risk of further infections.

 

I would really like to try to recover what I can.

 

Do you see any risk in this?

 

Thanks for your patience and your support.

 

B-



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:41 PM

Posted 06 June 2015 - 12:58 PM

No problems.



