
Windows XP CTB-Locker


31 replies to this topic

#1 SimiRed

  • Members
  • 43 posts
  • Gender:Female

Posted 24 June 2015 - 07:02 AM

I would just really like to get the pictures off; they all have a file extension that won't allow the pictures to be opened at all.

I cannot get rid of this; hopefully you can provide some help.

Thank you

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-06-2015 01
Ran by Lisa Powell (administrator) on LISA on 24-06-2015 07:58:05
Running from C:\Documents and Settings\Lisa Powell\Desktop
Loaded Profiles: Lisa Powell (Available Profiles: Lisa Powell & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(SigmaTel, Inc.) C:\WINDOWS\stsystra.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
() C:\Program Files\Dell\Media Experience\DMXLauncher.exe
(Sonic Solutions) C:\WINDOWS\system32\DLA\DLACTRLW.EXE
(InstallShield Software Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
(Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(Verizon) C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
(Motive Communications, Inc.) C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
(Yahoo! Inc.) C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
(RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(Yahoo!, Inc.) C:\PROGRA~1\Yahoo!\browser\ycommon.exe
(Sony Corporation) C:\Program Files\Sony\PlayMemories Home\PMBVolumeWatcher.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files\Sony\PlayMemories Home\dfs.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehSched.exe
(SEIKO EPSON CORPORATION) C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
(BVRP Software) C:\Program Files\Digital Line Detect\DLG.exe
(Microsoft Corporation) C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
() C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
(Microsoft Corporation) C:\WINDOWS\system32\ntvdm.exe
(Esaya, Inc.) C:\Program Files\TrueAssistant\TrueAssistant.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Sony Corporation) C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
(TightVNC Group) C:\Program Files\TightVNC\WinVNC.exe
(Microsoft Corporation) C:\WINDOWS\ehome\mcrdsvc.exe
(Canon Inc.) C:\Program Files\Canon\CAL\CALMAIN.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehmsas.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Symantec Corporation) C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\NSBU.exe
(Symantec Corporation) C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\NSBU.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jucheck.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ehTray] => C:\WINDOWS\ehome\ehtray.exe [67584 2005-09-29] (Microsoft Corporation)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] => C:\WINDOWS\stsystra.exe [282624 2006-07-24] (SigmaTel, Inc.)
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [151552 2006-07-06] (Intel Corporation)
HKLM\...\Run: [DMXLauncher] => C:\Program Files\Dell\Media Experience\DMXLauncher.exe [94208 2005-10-05] ()
HKLM\...\Run: [DLA] => C:\WINDOWS\System32\DLA\DLACTRLW.EXE [122940 2005-09-08] (Sonic Solutions)
HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2004-07-27] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2004-07-27] (InstallShield Software Corporation)
HKLM\...\Run: [Google Desktop Search] => C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-14] (Google)
HKLM\...\Run: [VerizonServicepoint.exe] => C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe [1880064 2006-02-01] (Verizon)
HKLM\...\Run: [Motive SmartBridge] => C:\Program Files\Verizon\SmartBridge\MotiveSB.exe [438359 2006-06-23] (Motive Communications, Inc.)
HKLM\...\Run: [YBrowser] => C:\Program Files\Yahoo!\browser\ybrwicon.exe [129536 2006-07-21] (Yahoo! Inc.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Common Files\Real\Update_OB\realsched.exe [185632 2007-11-11] (RealNetworks, Inc.)
HKLM\...\Run: [WinVNC] => C:\Program Files\TightVNC\WinVNC.exe [585728 2009-03-05] (TightVNC Group)
HKLM\...\Run: [AppleSyncNotifier] => C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-06] (Apple Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM\...\Run: [PMBVolumeWatcher] => C:\Program Files\Sony\PlayMemories Home\PMBVolumeWatcher.exe [2548248 2014-04-23] (Sony Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Norton AntiVirus <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-03-11] (SUPERAntiSpyware.com)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2008-04-30] (Google Inc.)
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-13] (Microsoft Corporation)
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_16_0_0_305_ActiveX.exe [960688 2015-03-09] (Adobe Systems Incorporated)
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\MountPoints2: {1ed72728-cf84-11dd-8af9-444553544200} - I:\Autorun.exe /run
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\MountPoints2: {361ac05d-0e0d-11da-9aa9-806d6172696f} - E:\setup.exe
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\MountPoints2: {7f13093c-9dcb-11db-8ac6-0019d113fdb4} - I:\bus-cont.bat
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL => C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll [123392 2010-08-25] (Google)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk [2006-12-31]
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HRBlockDirect.lnk [2014-04-14]
ShortcutTarget: HRBlockDirect.lnk -> C:\Program Files\HRBlockDirect\HRBlockDirect.exe (HR Block                            )
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk [2007-04-12]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk [2009-03-11]
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk [2007-01-09]
ShortcutTarget: ymetray.lnk -> C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe ()
Startup: C:\Documents and Settings\Lisa Powell\Start Menu\Programs\Startup\Event Reminder.lnk [2008-03-24]
ShortcutTarget: Event Reminder.lnk -> C:\pmw\PMREMIND.EXE ()
Startup: C:\Documents and Settings\Lisa Powell\Start Menu\Programs\Startup\scardsvr.lnk [2014-09-06]
ShortcutTarget: scardsvr.lnk -> C:\Documents and Settings\Lisa Powell\Application Data\Microsoft\Windows\IEUpdate\scardsvr.exe (No File)
Startup: C:\Documents and Settings\Lisa Powell\Start Menu\Programs\Startup\TrueAssistant.lnk [2007-01-09]
ShortcutTarget: TrueAssistant.lnk -> C:\Program Files\TrueAssistant\TrueAssistant.exe (Esaya, Inc.)
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\buShell.dll [2014-08-20] (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\buShell.dll [2014-08-20] (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\buShell.dll [2014-08-20] (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061231
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061231
URLSearchHook: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM -> {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm044^S02513^us&si=CKz6rLLRhrICFQjf4Aod2GEApA&ptb=F1019C1B-013F-40BF-B56E-CF5F784166E1&psa=&ind=2012082621&st=sb&n=77edf1bd&searchfor={searchTerms}
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=avOvYtneRZkAI9aqHdWkrI5A_k0?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 -> {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm044^S02513^us&si=CKz6rLLRhrICFQjf4Aod2GEApA&ptb=F1019C1B-013F-40BF-B56E-CF5F784166E1&psa=&ind=2012082621&st=sb&n=77edf1bd&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=NSBU&chn=retail&geo=US&ver=22&locale=en_US&gct=sb&qsrc=2869
SearchScopes: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 -> {E57002B7-5501-4E4C-835E-348368DD635F} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
BHO: Yahoo! Toolbar Helper -> {02478D38-C3F9-4EFB-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-29] (Yahoo! Inc.)
BHO: No Name -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31] (Safer Networking Limited)
BHO: Yahoo! IE Services Button -> {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31] (Yahoo! Inc.)
BHO: DriveLetterAccess -> {5CA3D70E-1895-11CF-8E15-001234567890} -> C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08] (Sonic Solutions)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\coIEPlg.dll [2014-12-05] (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll [2014-03-31] (Sun Microsystems, Inc.)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-09] (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll [2015-03-09] (Google Inc.)
BHO: CBrowserHelperObject Object -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> C:\Program Files\BAE\BAE.dll [2006-11-17] (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2014-03-31] (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2014-03-31] (Sun Microsystems, Inc.)
BHO: SidebarAutoLaunch Class -> {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} -> C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03] (Yahoo! Inc.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-29] (Yahoo! Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-09] (Google Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\coIEPlg.dll [2014-12-05] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-09] (Google Inc.)
Toolbar: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\coIEPlg.dll [2014-12-05] (Symantec Corporation)
DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} https://ra.pseg.com/workplace/webifiers/wficat.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168113229980
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [77824 2008-05-13] (SuperAdBlocker.com)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 71.250.0.12 68.237.161.12 192.168.1.1

FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin: @canon.com/MycameraPlugin -> C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll [2008-10-15] (CANON INC.)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin: @java.com/DTPlugin,version=1.6.0_45 -> C:\WINDOWS\system32\npdeployJava1.dll [2014-03-31] (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll [2014-03-31] (Sun Microsystems, Inc.)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2006-10-26] (Yahoo! Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @pack.google.com/Google Updater;version=14 -> C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll [2011-09-13] (Google)
FF Plugin: @real.com/nppl3260;version=6.0.11.2888 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2007-11-11] (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.2.2946 -> C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll [2007-11-11] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.11.2806 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll [2007-11-11] (RealNetworks, Inc.)
FF Plugin: @real.com/RhapsodyPlayerEngine,version=1.0 -> C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll [2006-03-31] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-11] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-11] (Google Inc.)
FF Plugin: @yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1 -> C:\Program Files\Yahoo!\Shared\npYVerInfo.dll No File
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Yahoo!\Common\npyaxmpb.dll No File
FF Plugin HKU\S-1-5-21-1610986790-2146471656-1072785999-1006: @real.com/RhapsodyPlayerEngine -> C:\Documents and Settings\Lisa Powell\Application Data\nprhapengine.dll No File
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Program Files\Real\RealPlayer\browserrecord
FF Extension: RealPlayer Browser Record Plugin - C:\Program Files\Real\RealPlayer\browserrecord [2007-11-11]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-03-11]
FF HKLM\...\Firefox\Extensions: [64ffxtbr@TelevisionFanatic.com] - C:\Program Files\TelevisionFanatic\bar\1.bin
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2014-03-31]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.1.0.9\coFFPlgn
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.1.0.9\coFFPlgn [2015-06-24]

Chrome:
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\gcswf32.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\gears.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (NPCIG.dll) - C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Updater) - C:\Program Files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks Rhapsody Player Engine) - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Profile: C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Norton Security Toolbar) - C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2015-03-10]
CHR Extension: (Norton Identity Safe) - C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2015-03-10]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-10]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-22]
CHR HKLM\...\Chrome\Extension: [appomijjjeafjcojkfocepgpbdkenmec] - C:\Documents and Settings\All Users\Application Data\wxDfast\appomijjjeafjcojkfocepgpbdkenmec.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\Exts\Chrome.crx [2015-03-10]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96334 2009-09-08] (Canon Inc.) [File not signed]
R2 DeviceFinderService; C:\Program Files\Sony\PlayMemories Home\dfs.exe [149528 2014-04-23] ()
R2 EPSON_PM_RPCV4_01; C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE [102400 2006-04-18] (SEIKO EPSON CORPORATION)
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-14] (Google)
S2 gupdate1c96bcece3f5d5; C:\Program Files\Google\Update\GoogleUpdate.exe [107912 2014-10-21] (Google Inc.)
R2 IAANTMON; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [90112 2006-07-06] (Intel Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [158128 2014-03-31] (Sun Microsystems, Inc.)
R2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
S3 MHN; C:\WINDOWS\System32\mhn.dll [85504 2004-08-10] (Microsoft Corporation) [File not signed]
R2 MSSQL$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe [9158656 2008-12-18] (Microsoft Corporation)
S3 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [73728 2005-05-03] (Microsoft Corporation) [File not signed]
R2 NSBU; C:\Program Files\Norton Security with Backup\Engine\22.1.0.9\NSBU.exe [282528 2014-12-10] (Symantec Corporation)
R2 PMBDeviceInfoProvider; C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [481816 2014-04-23] (Sony Corporation)
S3 SQLAgent$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE [323584 2005-05-03] (Microsoft Corporation) [File not signed]
R2 winvnc; C:\Program Files\TightVNC\WinVNC.exe [585728 2009-03-05] (TightVNC Group) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R3 Afc; C:\WINDOWS\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.) [File not signed]
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [604928 2006-10-12] (Broadcom Corporation)
R1 BHDrvx86; C:\Program Files\Norton Security with Backup\NortonData\22.1.0.9\Definitions\BASHDefs\20150602.001\BHDrvx86.sys [1172696 2015-06-02] (Symantec Corporation)
R1 ccSet_NSBU; C:\WINDOWS\system32\drivers\NSBU\1601000.009\ccSetx86.sys [128728 2014-09-09] (Symantec Corporation)
R2 DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions) [File not signed]
R1 DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions) [File not signed]
R2 DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions) [File not signed]
R2 DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions) [File not signed]
R2 DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions) [File not signed]
R2 DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions) [File not signed]
R1 DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions) [File not signed]
R2 DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions) [File not signed]
R2 DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions) [File not signed]
R0 DRVMCDB; C:\WINDOWS\System32\Drivers\DRVMCDB.SYS [89264 2005-09-12] (Sonic Solutions) [File not signed]
R2 DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions) [File not signed]
S3 DSproct; C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys [4864 2006-01-10] (GTek Technologies Ltd.) [File not signed]
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [380720 2015-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [113456 2015-06-11] (Symantec Corporation)
S3 hamachi_oem; C:\WINDOWS\System32\DRIVERS\gan_adapter.sys [10664 2006-09-27] (Applied Networking Inc.) [File not signed]
R3 IDSxpx86; C:\Program Files\Norton Security with Backup\NortonData\22.1.0.9\Definitions\IPSDefs\20150611.001\IDSxpx86.sys [488088 2015-06-11] (Symantec Corporation)
S3 MHNDRV; C:\WINDOWS\System32\DRIVERS\mhndrv.sys [11008 2004-08-10] (Microsoft Corporation) [File not signed]
S3 MREMPR5; C:\Program Files\Common Files\Motive\MREMPR5.sys [19345 2006-07-05] (Motive, Inc.) [File not signed]
S3 MRENDIS5; C:\Program Files\Common Files\Motive\MRENDIS5.sys [18003 2006-07-05] (Motive, Inc.) [File not signed]
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [24064 2006-06-05] (Intel Corporation ) [File not signed]
R3 NAVENG; C:\Program Files\Norton Security with Backup\NortonData\22.1.0.9\Definitions\VirusDefs\20150611.024\NAVENG.SYS [95704 2015-06-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Security with Backup\NortonData\22.1.0.9\Definitions\VirusDefs\20150611.024\NAVEX15.SYS [1636696 2015-06-11] (Symantec Corporation)
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [36528 2006-08-24] (Sonic Solutions) [File not signed]
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [8944 2008-09-03] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [File not signed]
S3 SASENUM; C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [7408 2008-09-03] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [File not signed]
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [55024 2008-09-03] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [File not signed]
R3 SRTSP; C:\WINDOWS\system32\drivers\NSBU\1601000.009\SRTSP.SYS [699608 2014-12-02] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NSBU\1601000.009\SRTSPX.SYS [36056 2014-12-02] (Symantec Corporation)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1156648 2006-07-24] (SigmaTel, Inc.)
R0 SymDS; C:\WINDOWS\System32\drivers\NSBU\1601000.009\SYMDS.SYS [364760 2014-09-09] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\drivers\NSBU\1601000.009\SYMEFA.SYS [939224 2014-09-09] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [94424 2015-03-10] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NSBU\1601000.009\Ironx86.SYS [212696 2014-09-09] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\system32\drivers\NSBU\1601000.009\SYMTDI.SYS [388184 2014-09-09] (Symantec Corporation)
S3 bvrp_pci; No ImagePath
S3 IPSECSHM; system32\DRIVERS\ipsecw2k.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 SymIM; system32\DRIVERS\SymIM.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-24 07:58 - 2015-06-24 07:59 - 00033877 _____ C:\Documents and Settings\Lisa Powell\Desktop\FRST.txt
2015-06-24 07:57 - 2015-06-24 07:57 - 01148928 _____ (Farbar) C:\Documents and Settings\Lisa Powell\Desktop\FRST.exe
2015-06-24 07:51 - 2015-06-24 07:58 - 00000000 ____D C:\FRST
2015-06-11 23:01 - 2015-06-11 23:01 - 00001853 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-24 07:59 - 2007-01-06 15:43 - 00000000 ____D C:\Documents and Settings\Lisa Powell\Local Settings\Temp
2015-06-24 07:44 - 2013-12-22 02:22 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-06-24 07:44 - 2009-06-30 22:19 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-24 07:35 - 2005-08-16 05:38 - 00000000 ____D C:\WINDOWS\Registration
2015-06-24 07:35 - 2005-08-16 05:18 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-06-24 07:34 - 2014-03-31 19:23 - 00000234 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-06-24 07:34 - 2009-06-30 22:19 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-24 07:34 - 2006-12-31 14:38 - 00039472 _____ C:\WINDOWS\system32\nvapps.xml
2015-06-24 07:34 - 2005-08-16 05:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-06-24 07:34 - 2005-08-16 05:35 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-06-24 07:34 - 2005-08-16 05:35 - 00000049 _____ C:\WINDOWS\wiaservc.log
2015-06-22 09:31 - 2007-01-06 15:43 - 00000278 ___SH C:\Documents and Settings\Lisa Powell\ntuser.ini
2015-06-22 09:31 - 2005-08-16 05:49 - 00032576 _____ C:\WINDOWS\SchedLgU.Txt
2015-06-22 09:31 - 2005-08-16 05:40 - 01249645 _____ C:\WINDOWS\WindowsUpdate.log
2015-06-22 09:30 - 2007-01-06 15:43 - 00000000 ____D C:\Documents and Settings\Lisa Powell
2015-06-12 10:29 - 2012-04-13 23:00 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-06-12 10:06 - 2009-03-24 09:00 - 00000868 _____ C:\WINDOWS\Tasks\Google Software Updater.job
2015-06-11 22:39 - 2007-07-14 21:20 - 00004076 ___SH C:\WINDOWS\system32\KGyGaAvL.sys
2015-06-11 22:39 - 2007-07-14 21:20 - 00000088 __RSH C:\WINDOWS\system32\81BDA38061.sys
2015-06-11 22:34 - 2014-03-31 19:23 - 00000228 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

==================== Files in the root of some directories =======

2010-05-16 02:35 - 2013-09-10 02:52 - 0003584 _____ () C:\Documents and Settings\Lisa Powell\Application Data\dvd.bmk
2015-01-20 12:44 - 2015-01-20 12:44 - 0008516 _____ () C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.HTML
2015-01-20 12:44 - 2015-01-20 12:44 - 0045628 _____ () C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.PNG
2015-01-20 12:44 - 2015-01-20 12:44 - 0004198 _____ () C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.TXT
2015-01-20 12:44 - 2015-01-20 12:44 - 0000268 _____ () C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.URL
2015-03-10 02:06 - 2015-03-10 02:06 - 0000664 _____ () C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\d3d9caps.tmp
2007-01-06 16:46 - 2010-12-04 07:57 - 0010240 _____ () C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2007-01-06 15:43 - 2007-04-04 23:16 - 0000134 _____ () C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\fusioncache.dat
2015-01-20 12:52 - 2015-01-20 12:52 - 0008516 _____ () C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-01-20 12:52 - 2015-01-20 12:52 - 0045628 _____ () C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.PNG
2015-01-20 12:52 - 2015-01-20 12:52 - 0004198 _____ () C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-01-20 12:52 - 2015-01-20 12:52 - 0000268 _____ () C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.URL
2015-01-20 12:39 - 2015-01-20 12:39 - 0008516 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-01-20 12:39 - 2015-01-20 12:39 - 0045628 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-01-20 12:39 - 2015-01-20 12:39 - 0004198 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-01-20 12:39 - 2015-01-20 12:39 - 0000268 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21-06-2015 01
Ran by Lisa Powell at 2015-06-24 07:59:33
Running from C:\Documents and Settings\Lisa Powell\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1610986790-2146471656-1072785999-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Guest (S-1-5-21-1610986790-2146471656-1072785999-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1610986790-2146471656-1072785999-1005 - Limited - Disabled)
Lisa Powell (S-1-5-21-1610986790-2146471656-1072785999-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Lisa Powell
SUPPORT_388945a0 (S-1-5-21-1610986790-2146471656-1072785999-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

FW: Norton AntiVirus (Disabled) {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Amazon MP3 Downloader 1.0.3 (HKLM\...\Amazon MP3 Downloader) (Version:  - )
Apple Application Support (HKLM\...\{78002155-F025-4070-85B3-7C0453561701}) (Version: 3.0.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{C0CC75CD-F5B7-46AD-B016-17C0F5171718}) (Version: 8.0.0.23 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft PhotoImpression 5 (HKLM\...\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}) (Version:  - ArcSoft)
Aventail Access Manager (HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\{72552C46-944B-4E16-BBC8-0D85F31C1800}) (Version: 10.63.241 - SonicWALL Inc)
Aventail Access Manager (Version: 10.63.241 - SonicWALL Inc) Hidden
Aventail Web Proxy Agent (HKLM\...\{9B0B46B3-10DF-4ADA-9501-0129D784563D}) (Version: 10.63.210 - SonicWALL Inc)
Aventail Webifiers (HKLM\...\{54D44AD1-A083-48B9-BD6F-AFD517B7C775}) (Version: 10.63.210 - SonicWALL Inc)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Camera Support Core Library (Version: 7.3.0.4 - Canon) Hidden
Camera Window DS (Version: 5.2 - Canon) Hidden
Camera Window DVC (Version: 5.4 - Canon) Hidden
Camera Window MC (Version: 5.4 - Canon) Hidden
Canon Camera Access Library (HKLM\...\CAL) (Version: 8.5.0.2 - Canon Inc.)
Canon Camera Support Core Library (HKLM\...\InstallShield_{A1D0D14A-B776-4907-BC00-5149F2298086}) (Version: 7.3.0.4 - Canon)
Canon Camera Window DC_DV 5 for ZoomBrowser EX (HKLM\...\InstallShield_{001AB29C-5468-4972-8D24-2EBDB2B12133}) (Version: 5.4 - Canon)
Canon Camera Window DS for ZoomBrowser EX (HKLM\...\InstallShield_{6B8BDABA-6737-4998-AEE4-E218EDE5FC7A}) (Version: 5.2 - Canon)
Canon Camera Window MC 5 for ZoomBrowser EX (HKLM\...\InstallShield_{89EB3ED7-225A-412E-B048-623D502C000F}) (Version: 5.4 - Canon)
Canon DIGITAL CAMERA Solution Disk Software Guide (HKLM\...\Software Guide) (Version: 1.2.0.1 - Canon Inc.)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (HKLM\...\CANON iMAGE GATEWAY Task) (Version: 1.7.2.11 - Canon Inc.)
Canon Internet Library for ZoomBrowser EX (HKLM\...\Canon Internet Library for ZoomBrowser EX) (Version: 1.6.3.9 - Canon Inc.)
Canon MOV Decoder (HKLM\...\Canon MOV Decoder) (Version: 1.6.0.1 - Canon Inc.)
Canon MOV Encoder (HKLM\...\Canon MOV Encoder) (Version: 1.4.0.1 - Canon Inc.)
Canon MovieEdit Task for ZoomBrowser EX (HKLM\...\MovieEditTask) (Version: 3.5.0.8 - Canon Inc.)
Canon Personal Printing Guide (HKLM\...\Personal Printing Guide) (Version: 1.1.0.2 - Canon Inc.)
Canon PhotoRecord (HKLM\...\{6693BD7C-CB4E-43AC-A0D6-10D1A1B88DCF}) (Version: 02.02.02000 - Cisra)
Canon PowerShot SD4000 IS_IXUS 300 HS Camera User Guide (HKLM\...\CameraUserGuide-PSSD4000IS_IXUS300HS) (Version: 1.0.0.2 - Canon Inc.)
Canon RAW Image Task for ZoomBrowser EX (HKLM\...\InstallShield_{001EB665-D9EC-415E-9E13-AD2125B2B992}) (Version: 2.1 - Canon)
Canon Utilities CameraWindow (HKLM\...\CameraWindowLauncher) (Version: 7.4.0.7 - Canon Inc.)
Canon Utilities CameraWindow DC 8 (HKLM\...\CameraWindowDC8) (Version: 8.2.0.4 - Canon Inc.)
Canon Utilities Movie Uploader for YouTube (HKLM\...\MovieUploaderForYouTube) (Version: 1.0.0.11 - Canon Inc.)
Canon Utilities MyCamera (HKLM\...\MyCamera) (Version: 7.3.0.5 - Canon Inc.)
Canon Utilities PhotoStitch (HKLM\...\PhotoStitch) (Version: 3.1.22.46 - Canon Inc.)
Canon Utilities ZoomBrowser EX (HKLM\...\ZoomBrowser EX) (Version: 6.5.2.22 - Canon Inc.)
Canon ZoomBrowser EX Memory Card Utility (HKLM\...\ZoomBrowser EX Memory Card Utility) (Version: 1.3.1.6 - Canon Inc.)
CCleaner (remove only) (HKLM\...\CCleaner) (Version:  - )
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Conexant D850 56K V.9x DFVc Modem (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1) (Version:  - )
Corel Snapfire Plus (HKLM\...\{7ADE3A47-B425-45E9-8FF6-11BE2B775645}) (Version: 1.00.0000 - Corel)
Coupon Printer for Windows (HKLM\...\Coupon Printer for Windows4.0) (Version: 4.0 - Coupons, Inc.) <==== ATTENTION
Critical Update for Windows Media Player 11 (KB959772) (HKLM\...\KB959772_WM11) (Version:  - Microsoft Corporation)
Dell CinePlayer (HKLM\...\{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}) (Version: 3.0 - Dell)
Dell Driver Reset Tool (HKLM\...\{5905F42D-3F5F-4916-ADA6-94A3646AEE76}) (Version: 1.02.0000 - Dell Inc.)
Dell Support 3.2.1 (HKLM\...\{CEE2252C-4035-4B27-8EC6-0B085DD3A413}) (Version: 5.5.2087 - Dell)
Dell System Restore (HKLM\...\{74F7662C-B1DB-489E-A8AC-07A06B24978B}) (Version: 2.00.0000 - Dell Inc.)
Digital Content Portal (HKLM\...\{B702CCCE-3176-4DBF-B932-D1B8F402F330}) (Version: 1.00.0000 - Dell)
Digital Line Detect (HKLM\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.10 - BVRP Software, Inc)
EPSON Print CD (HKLM\...\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}) (Version: 1.50.000 - )
EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version:  - )
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - )
EPSON Stylus Photo RX580 Scanner Driver Update (HKLM\...\{1CA2E5E4-F4FE-44B4-95E9-77523FB95838}) (Version:  - )
EPSON Stylus Photo RX580 User's Guide (HKLM\...\Silent Package Run-Time Sample) (Version:  - )
ESPNMotion (HKLM\...\ESPNMotion) (Version: 2.1.6.0011 - ESPN Internet Ventures)
GemMaster Mystic (HKLM\...\12133444-BF36-4d4e-B7FB-A3424C645DE4) (Version:  - )
Google Chrome (HKLM\...\Google Chrome) (Version: 43.0.2357.130 - Google Inc.)
Google Desktop (HKLM\...\Google Desktop) (Version: 5.9.1005.12335 - Google)
Google Earth (HKLM\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6227.252 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
Google Updater (HKLM\...\Google Updater) (Version: 2.4.2432.1652 - Google Inc.)
H&R Block Deluxe + Efile + State 2009 (HKLM\...\{53A19323-917A-4822-B27E-A57D1EF6E9FC}) (Version: 09.04.7101 - HRB Technology, LLC.)
H&R Block Deluxe + Efile + State 2010 (HKLM\...\{10964A8F-21C1-45EA-BC2D-F84B505C3848}) (Version: 10.04.6402 - HRB Technology, LLC.)
H&R Block Deluxe + Efile + State 2012 (HKLM\...\{89D20029-0578-4D8D-979A-695C8D868868}) (Version: 12.05.7803 - HRB Technology, LLC.)
H&R Block Deluxe + Efile + State 2013 (HKLM\...\{EDE796DE-0A72-464D-9D21-F04BC41A092B}) (Version: 13.05.6502 - HRB Technology, LLC.)
H&R Block New Jersey 2009 (HKLM\...\{5122DF4B-3740-4F0B-B423-48C46BA5834C}) (Version: 1.09.3301 - HRB Technology, LLC.)
H&R Block New Jersey 2010 (HKLM\...\{0E243038-5F19-457F-A5A1-287477354D75}) (Version: 1.10.3001 - HRB Technology, LLC.)
H&R Block New Jersey 2012 (HKLM\...\{D523F5FE-5E53-429A-B5F9-8AC375B201FD}) (Version: 1.12.6301 - HRB Technology, LLC.)
H&R Block New Jersey 2013 (HKLM\...\{5DCF256D-FC23-4893-B027-0F9166CF3191}) (Version: 1.13.4001 - HRB Technology, LLC.)
High Definition Audio Driver Package - KB835221 (HKLM\...\KB835221WXP) (Version: 20040219.000000 - Microsoft Corporation)
Hotfix 2050 for SQL Server 2000 ENU (KB948110) (HKLM\...\KB948110(ENU)) (Version: 1 - Microsoft Corporation)
Hotfix 2055 for SQL Server 2000 ENU (KB960082) (HKLM\...\KB960082(ENU)) (Version: 1 - Microsoft Corporation)
HRBlockDirect version 1.1.2.0 (HKLM\...\{631EFC00-5A7A-4A90-9578-039EDA92DE0F}_is1) (Version: 1.1.2.0 - HRBlock)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - )
Intel® PRO Network Connections (HKLM\...\{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}) (Version:  - Dell)
iTunes (HKLM\...\{F32DC846-4457-40A8-BECA-BCC0E960BC53}) (Version: 11.4.0.18 - Apple Inc.)
J2SE Runtime Environment 5.0 Update 6 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0150060}) (Version: 1.5.0.60 - Sun Microsystems, Inc.)
Java™ 6 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216045FF}) (Version: 6.0.450 - Oracle)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
MetaFrame Presentation Server Web Client for Win32 (HKLM\...\Citrix ICA Web Client) (Version:  - )
Microsoft .NET Framework 1.0 Hotfix (KB2572066) (HKLM\...\KB2572066) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.0 Hotfix (KB2604042) (HKLM\...\KB2604042) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.0 Hotfix (KB2656378) (HKLM\...\KB2656378) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.0 Hotfix (KB953295) (HKLM\...\KB953295) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.0 Hotfix (KB979904) (HKLM\...\KB979904) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.0 Security Update (KB2698035) (HKLM\...\KB2698035) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.0 Security Update (KB2742607) (HKLM\...\KB2742607) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.0 Security Update (KB2833951) (HKLM\...\KB2833951) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.0 Security Update (KB2904878) (HKLM\...\KB2904878) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office 2000 Premium (HKLM\...\{00000409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Office Basic Edition 2003 (HKLM\...\{91130409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Office Small Business Accounting 2006 (HKLM\...\{F413D795-B077-4A96-AE75-810BBA673A0E}) (Version: 1.0.5330.0 - Microsoft Corporation)
Microsoft Plus! Digital Media Edition Installer (HKLM\...\{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}) (Version: 1.1.0.3514 - Microsoft Corporation)
Microsoft Plus! Photo Story 2 LE (HKLM\...\{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}) (Version: 1.1.0.3463 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) (HKLM\...\{E09B48B5-E141-427A-AB0C-D3605127224A}) (Version: 8.00.2039 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
MobileMe Control Panel (HKLM\...\{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}) (Version: 3.1.8.0 - Apple Inc.)
Modem Helper (HKLM\...\{7F142D56-3326-11D5-B229-002078017FBF}) (Version: 2.40 - BVRP Software)
Move Networks Media Player for Internet Explorer (HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\Move Networks Player - IE) (Version:  - )
MSXML 4.0 SP2 (KB925672) (HKLM\...\{A9CF9052-F4A0-475D-A00F-A8388C62DD63}) (Version: 4.20.9839.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB954459) (HKLM\...\{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}) (Version: 6.20.1099.0 - Microsoft Corporation)
NetWaiting (HKLM\...\{3F92ABBB-6BBF-11D5-B229-002078017FBF}) (Version: 2.5.12 - BVRP Software, Inc)
Norton Security with Backup (HKLM\...\NSBU) (Version: 22.1.0.9 - Symantec Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
Otto (HKLM\...\B3EE3001-DC24-4cd1-8743-5692C716659F) (Version:  - )
Pdf995 (installed by TaxCut) (HKLM\...\Pdf995) (Version:  - )
PdfEdit995 (installed by TaxCut) (HKLM\...\PdfEdit995) (Version:  - )
PlayLinc (HKLM\...\{9CCE527D-356F-41A8-9718-77A68AC065FB}) (Version: 2.0.8 - SCI)
PlayMemories Home (HKLM\...\{7EA1A4E8-A5CE-4626-87DC-6DEF99BAE931}) (Version: 3.1.11.04230 - Sony Corporation)
PrintMaster Platinum 4.00 (HKLM\...\PrintMaster Platinum 4.00) (Version:  - )
Qualxserve Service Agreement (HKLM\...\{0F756CD9-4A1E-409B-B101-601DDC4C03AA}) (Version: 1.11.0000 - Dell)
QuickTime 7 (HKLM\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
RAW Image Task 2.1 (Version: 2.1 - Canon) Hidden
RealPlayer (HKLM\...\RealPlayer 6.0) (Version:  - RealNetworks)
Rhapsody Player Engine (HKLM\...\{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}) (Version: 1.0.604 - RealNetworks)
Roxio DLA (HKLM\...\{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}) (Version: 5.2.0 - Roxio)
Roxio MyDVD LE (HKLM\...\{21657574-BD54-48A2-9450-EB03B2C7FC29}) (Version: 6.1.6 - Roxio)
Roxio RecordNow Audio (HKLM\...\{AB708C9B-97C8-4AC9-899B-DBF226AC9382}) (Version: 2.0.4 - Roxio)
Roxio RecordNow Copy (HKLM\...\{B12665F4-4E93-4AB4-B7FC-37053B524629}) (Version: 2.0.4 - Roxio)
Roxio RecordNow Data (HKLM\...\{075473F5-846A-448B-BCB3-104AA1760205}) (Version: 2.0.4 - Roxio)
Safari (HKLM\...\{FA4C2D53-205F-4245-9717-F3761154824D}) (Version: 5.34.57.2 - Apple Inc.)
SBA (HKLM\...\{20F51690-133A-453C-B616-1C15AB2C0EF0}) (Version: 1.00.0000 - Dell)
SearchAssist (HKLM\...\SearchAssist) (Version:  - )
Smilebox (HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\...\Smilebox) (Version:  - )
Sonic Activation Module (Version: 1.0 - Sonic Solutions) Hidden
Sonic Encoders (HKLM\...\{9941F0AA-B903-4AF4-A055-83A9815CC011}) (Version: 1.00 - Sonic Solutions)
Sonic Update Manager (HKLM\...\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}) (Version: 3.0.0 - Sonic Solutions)
Spybot - Search & Destroy 1.4 (HKLM\...\Spybot - Search & Destroy_is1) (Version: 1.4 - Safer Networking Limited)
Super Winspy v3.21 (HKLM\...\Super Winspy_is1) (Version:  - Acesoft)
SUPERAntiSpyware Free Edition (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 4.21.0.1004 - SUPERAntiSpyware.com)
TaxCut New Jersey 2007 (HKLM\...\{0FE55E01-5D5A-4823-A71E-F4F5E8BB473D}) (Version: 1.07.3701 - H&R Block Digital Tax Solutions LLC.)
TaxCut New Jersey 2008 (HKLM\...\{C6141748-CA45-4F24-A519-2401F2CCA01D}) (Version: 1.08.2901 - H&R Block Digital Tax Solutions LLC.)
TaxCut Premium + State + Efile 2007 (HKLM\...\{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}) (Version: 07.05.0000 - H & R Block)
TaxCut Premium + State + Efile 2008 (HKLM\...\{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}) (Version: 08.07.7101 - H & R Block)
TaxCut Premium 2006 (HKLM\...\TaxCut Premium 2006) (Version:  - )
TightVNC 1.3.10 (HKLM\...\TightVNC_is1) (Version: 1.3.10 - TightVNC Group)
TrueSwitch Wizard Verizon Yahoo (HKLM\...\TrueSwitch Wizard Verizon Yahoo) (Version:  - )
TurboTax 2011 (HKLM\...\TurboTax 2011) (Version:  - Intuit, Inc)
Update Rollup 2 for Windows XP Media Center Edition 2005 (HKLM\...\KB900325) (Version:  - Microsoft Corporation)
URL Assistant (HKLM\...\{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}) (Version:  - )
Verizon Online Help and Support (HKLM\...\Verizon Online Help and Support) (Version:  - )
Verizon Servicepoint 1.3.21 (HKLM\...\RadialpointClientGateway_is1) (Version: 1.3.21 - Verizon)
Verizon Yahoo! Applications (HKLM\...\Verizon Yahoo! Applications) (Version:  - )
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.7.0018.5 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Installer 3.1 (KB893803) (HKLM\...\KB893803v2) (Version:  - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM\...\{9422C8EA-B0C6-4197-B8FC-DC797658CA00}) (Version: 5.000.818.6 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information] (HKLM\...\EmeraldQFE2) (Version:  - Microsoft Corporation)
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Windows Rights Management Client Backwards Compatibility SP2 (HKLM\...\{EC905264-BCFE-423B-9C42-C3A106266790}) (Version: 5.2.70 - Microsoft)
Windows Rights Management Client with Service Pack 2 (HKLM\...\{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}) (Version: 5.2.70 - Microsoft)
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
Windows XP Media Center Edition 2005 KB2502898 (HKLM\...\KB2502898) (Version:  - Microsoft Corporation)
Windows XP Media Center Edition 2005 KB2619340 (HKLM\...\KB2619340) (Version:  - Microsoft Corporation)
Windows XP Media Center Edition 2005 KB2628259 (HKLM\...\KB2628259) (Version:  - Microsoft Corporation)
Windows XP Media Center Edition 2005 KB908246 (HKLM\...\KB908246) (Version:  - Microsoft Corporation)
Windows XP Media Center Edition 2005 KB925766 (HKLM\...\KB925766) (Version:  - Microsoft Corporation)
Windows XP Media Center Edition 2005 KB973768 (HKLM\...\KB973768) (Version:  - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WxDFast Updater (HKLM\...\WxDFast) (Version:  - )
Yahoo! Toolbar (HKLM\...\Yahoo! Toolbar) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{0696f815-a3a9-490a-bb14-9ec3350b1276}\InprocServer32 -> C:\Program Files\TelevisionFanatic\bar\1.bin\64SrcAs.dll No File
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{1383A31C-26AC-4d88-91F1-EEAD77D81FA6}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\MP3Writer.dll ()
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{17D165A2-DD58-4CD9-A155-6F22590BCB5C}\localserver32 -> C:\Documents and Settings\Lisa Powell\Application Data\Aventail\EWPCA\ewpca.exe (Aventail Corporation)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{2A1BE1E7-C550-4D67-A553-7F2D3A39233D}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Aventail\epi\epi.dll (Aventail Corporation)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\MP4Splitter.ax (Gabest)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\CoreAAC.ax ()
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{51DBAF4C-E1BF-40DC-B229-0963EB3D4729}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Aventail\webifier\CitrixWrapper.dll (Aventail Corporation)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\MP4Splitter.ax (Gabest)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\CoreAAC.ax ()
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{919AB5F1-1C34-47a2-9C02-17128222C7CF}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\MP3Encoder.dll ()
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{94508EF1-415F-4642-9797-5125BF3F4F16}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Aventail\webifier\avrdpwrap.dll (Aventail Corporation)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{A7BC4157-A8EC-488F-9808-C63E2ACB0996}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Aventail\epi\epi.dll (Aventail Corporation)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\CoreAAC.ax ()
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{D3D9D58B-45B5-48AB-B199-B8C40560AEC7}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\MP4Splitter.ax (Gabest)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Smilebox\MP4Splitter.ax (Gabest)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{e3e02f12-2adb-478c-8742-5f0819f9f0f4}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Move Networks\ie_bin\qsp2ie071101000055.dll (Move Networks)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{e473a65c-8087-49a3-affd-c5bc4a10669b}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Move Networks\ie_bin\qsp2ie071101000055.dll (Move Networks)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{EA6BFE87-292F-47C3-8259-14BEB8673239}\InprocServer32 -> C:\Documents and Settings\All Users\Application Data\{FDA705EE-680D-4D48-9403-72F886E29389}\brdgcfg. (the data entry has 11 more characters).
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{fc345d4c-b8f4-4674-bff7-3c37d2e535ee}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Move Networks\ie_bin\qsp2ie071101000055.dll (Move Networks)
CustomCLSID: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006_Classes\CLSID\{fd6484ed-ebe3-4c3d-938a-8238003b41b7}\InprocServer32 -> C:\Documents and Settings\Lisa Powell\Application Data\Move Networks\ie_bin\qsp2ie071101000055.dll (Move Networks)

==================== Restore Points =========================

12-06-2015 05:57:11 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2005-08-16 05:18 - 2004-08-10 06:00 - 00000734 ____N C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\Google Software Updater.job => C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (Whitelisted) ==============

2007-04-01 21:39 - 2008-03-01 11:25 - 00051716 _____ () C:\WINDOWS\system32\pdf995mon.dll
2005-10-05 04:12 - 2005-10-05 04:12 - 00094208 _____ () C:\Program Files\Dell\Media Experience\DMXLauncher.exe
2006-12-31 15:03 - 2010-08-25 19:53 - 00034816 _____ () C:\Program Files\Google\Google Desktop Search\gzlib.dll
2007-01-09 22:16 - 2006-02-23 18:13 - 00038912 _____ () C:\Program Files\Yahoo!\browser\YCommonPS.dll
2005-08-16 05:18 - 2008-04-13 20:11 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2005-08-16 05:18 - 2008-04-13 20:11 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2014-07-31 12:16 - 2014-07-31 12:16 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-07-31 12:16 - 2014-07-31 12:16 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2014-04-23 17:36 - 2014-04-23 17:36 - 00149528 _____ () C:\Program Files\Sony\PlayMemories Home\dfs.exe
2005-08-16 05:18 - 2011-02-04 18:48 - 00291840 _____ () C:\WINDOWS\system32\sbe.dll
2005-08-16 05:18 - 2013-01-02 02:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll
2006-10-03 14:04 - 2006-10-03 14:04 - 00054776 _____ () C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
2006-10-03 14:12 - 2006-10-03 14:12 - 00061440 _____ () C:\Program Files\Yahoo!\Yahoo! Music Jukebox\Lang\vzn-en-us\ymetray-vzn-en-us.dll
2007-03-20 01:08 - 2005-06-28 13:59 - 00053248 _____ () C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1-extreme.biz -> www.1-extreme.biz
IE restricted site: HKU\.DEFAULT\...\100.83 -> {undo}66.197.100.83
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001-search.info -> www.1001-search.info
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\107.100 -> {undo}66.250.107.100
IE restricted site: HKU\.DEFAULT\...\107.101 -> {undo}66.250.107.101
IE restricted site: HKU\.DEFAULT\...\107.99 -> {undo}66.250.107.99
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com

There are 5534 more restricted sites.

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Lisa Powell\My Documents\Decrypt All Files omaswzg.bmp
DNS Servers: 71.250.0.12 - 68.237.161.12

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Enabled:Yahoo! Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YServer.exe] => Enabled:Yahoo! FT Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Messenger\msmsgs.exe] => Enabled:Windows Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\TightVNC\WinVNC.exe] => Enabled:TightVNC Win32 Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Nortel Networks\Extranet.exe] => Enabled:Contivity VPN Client
StandardProfile\AuthorizedApplications: [C:\Program Files\Bonjour\mDNSResponder.exe] => Enabled:Bonjour Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe] => :LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Lisa Powell\Application Data\Microsoft\Windows\IEUpdate\scardsvr.exe] => Enabled:Smart Card Resource Management Server
StandardProfile\AuthorizedApplications: [C:\Program Files\iTunes\iTunes.exe] => Enabled:iTunes
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002

==================== Faulty Device Manager Devices =============

Name: PlayLinc Adapter
Description: PlayLinc Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Super Computer Inc.
Service: hamachi_oem
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (06/24/2015 07:51:03 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.

Error: (06/24/2015 07:50:44 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.

Error: (06/24/2015 07:42:27 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.

Error: (06/24/2015 07:38:57 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.

Error: (03/10/2015 11:38:46 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/10/2015 11:38:30 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/10/2015 02:07:55 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.

Error: (03/10/2015 02:05:13 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/10/2015 02:05:13 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/10/2015 01:53:55 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.

System errors:
=============
Error: (06/24/2015 07:43:08 AM) (Source: DCOM) (EventID: 10005) (User: LISA)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (06/24/2015 07:43:08 AM) (Source: DCOM) (EventID: 10005) (User: LISA)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (06/24/2015 07:35:45 AM) (Source: DCOM) (EventID: 10005) (User: LISA)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (06/24/2015 07:34:20 AM) (Source: DCOM) (EventID: 10005) (User: LISA)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (06/24/2015 07:34:18 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (06/22/2015 09:29:07 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (06/22/2015 09:29:07 AM) (Source: W32Time) (EventID: 17) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (06/22/2015 09:28:44 AM) (Source: Dhcp) (EventID: 1000) (User: )
Description: Your computer has lost the lease to its IP address 192.168.0.196 on the
Network Card with network address 0019D113FDB4.

Error: (06/11/2015 10:52:54 PM) (Source: DCOM) (EventID: 10005) (User: LISA)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (06/11/2015 10:52:54 PM) (Source: DCOM) (EventID: 10005) (User: LISA)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Microsoft Office:
=========================
Error: (06/24/2015 07:51:03 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (06/24/2015 07:50:44 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (06/24/2015 07:42:27 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (06/24/2015 07:38:57 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (03/10/2015 11:38:46 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp448007043C

Error: (03/10/2015 11:38:30 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp448007043C

Error: (03/10/2015 02:07:55 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (03/10/2015 02:05:13 AM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/10/2015 02:05:13 AM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/10/2015 01:53:55 AM) (Source: MsiInstaller) (EventID: 11706) (User: LISA)
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium.  The Windows installer cannot continue.(NULL)(NULL)(NULL)

==================== Memory info ===========================

Processor: Intel® Core™2 CPU 6400 @ 2.13GHz
Percentage of memory in use: 45%
Total physical RAM: 2045.85 MB
Available physical RAM: 1105.82 MB
Total Pagefile: 3936.88 MB
Available Pagefile: 2880.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1907.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:228.13 GB) (Free:111.8 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 232.8 GB) (Disk ID: E686F016)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Active) - (Size=228.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=4.6 GB) - (Type=DB)

==================== End of log ============================




#2 SimiRed

SimiRed
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Local time:10:48 AM

Posted 26 June 2015 - 10:43 AM

Advice?



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:48 AM

Posted 27 June 2015 - 09:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This is a very nasty infection. Read about it.
http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#restore

As you will see the only way to restore your file is if you have good backups.

===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Norton AntiVirus <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
Startup: C:\Documents and Settings\Lisa Powell\Start Menu\Programs\Startup\scardsvr.lnk [2014-09-06]
ShortcutTarget: scardsvr.lnk -> C:\Documents and Settings\Lisa Powell\Application Data\Microsoft\Windows\IEUpdate\scardsvr.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM -> {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm044^S02513^us&si=CKz6rLLRhrICFQjf4Aod2GEApA&ptb=F1019C1B-013F-40BF-B56E-CF5F784166E1&psa=&ind=2012082621&st=sb&n=77edf1bd&searchfor={searchTerms}
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 -> {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm044^S02513^us&si=CKz6rLLRhrICFQjf4Aod2GEApA&ptb=F1019C1B-013F-40BF-B56E-CF5F784166E1&psa=&ind=2012082621&st=sb&n=77edf1bd&searchfor={searchTerms}
BHO: Yahoo! Toolbar Helper -> {02478D38-C3F9-4EFB-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-29] (Yahoo! Inc.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-29] (Yahoo! Inc.)
FF Plugin: @yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1 -> C:\Program Files\Yahoo!\Shared\npYVerInfo.dll No File
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Yahoo!\Common\npyaxmpb.dll No File
FF Plugin HKU\S-1-5-21-1610986790-2146471656-1072785999-1006: @real.com/RhapsodyPlayerEngine -> C:\Documents and Settings\Lisa Powell\Application Data\nprhapengine.dll No File
FF HKLM\...\Firefox\Extensions: [64ffxtbr@TelevisionFanatic.com] - C:\Program Files\TelevisionFanatic\bar\1.bin
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\gcswf32.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\gears.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Updater) - C:\Program Files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR HKLM\...\Chrome\Extension: [appomijjjeafjcojkfocepgpbdkenmec] - C:\Documents and Settings\All Users\Application Data\wxDfast\appomijjjeafjcojkfocepgpbdkenmec.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
S3 bvrp_pci; No ImagePath
S3 IPSECSHM; system32\DRIVERS\ipsecw2k.sys [X]
S3 SymIM; system32\DRIVERS\SymIM.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]
U1 WS2IFSL; No ImagePath
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
C:\Documents and Settings\All Users\HELP_DECRYPT.URL

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
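The fix above is built by copying lines out of the FRST log that point at the infection: Group Policy software restrictions placed on antivirus folders, a Startup shortcut whose target lives under Application Data, a firewall exception for the same binary, the ransom wallpaper, and the HELP_DECRYPT notes. The script below is an added example, not part of this thread and not part of FRST, that automates that first triage pass over an FRST log. The sample log it reads is constructed from lines quoted in the thread plus one clean Chrome firewall line for contrast; the category names, regexes and helper names are the example's own choices. It emits a fixlist in the same "start ... End" shape as the one posted above, but every line still has to be vetted by a person before it is fed to FRST.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for the ransomware
indicators seen in this thread and draft a fixlist from the hits.
Added example: not the thread's code and not part of FRST."""
import re
from collections import defaultdict

# Constructed sample input: FRST lines in the shapes quoted in the thread,
# plus a legitimate Chrome firewall entry that must NOT be flagged.
SAMPLE_LOG = r"""
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
Startup: C:\Documents and Settings\Lisa Powell\Start Menu\Programs\Startup\scardsvr.lnk [2014-09-06]
ShortcutTarget: scardsvr.lnk -> C:\Documents and Settings\Lisa Powell\Application Data\Microsoft\Windows\IEUpdate\scardsvr.exe (No File)
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Lisa Powell\Application Data\Microsoft\Windows\IEUpdate\scardsvr.exe] => Enabled:Smart Card Resource Management Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Lisa Powell\My Documents\Decrypt All Files omaswzg.bmp
C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
"""

# Directories a legitimately installed service or startup item rarely runs
# from; a binary here that also has a firewall exception is a red flag.
USER_WRITABLE = re.compile(r"\\(Application Data|Local Settings|Temp)\\", re.I)

# Ransom-note filenames dropped by the family discussed in the thread.
RANSOM_NOTE = re.compile(r"\\HELP_DECRYPT[^\\]*$", re.I)


def triage(log_text):
    """Return {category: [matching FRST log line, ...]} for the checks below."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKLM Group Policy restriction on software:"):
            # Malware uses Software Restriction Policies to stop AV from loading.
            findings["srp_blocking_security_software"].append(line)
        elif line.startswith("ShortcutTarget:") and USER_WRITABLE.search(line):
            # Autostart shortcut whose target lives in a user-writable folder.
            findings["startup_from_user_writable_dir"].append(line)
        elif "AuthorizedApplications: [" in line:
            # Firewall exception: flag only when the allowed path is user-writable.
            path = line.split("[", 1)[1].split("]", 1)[0]
            if USER_WRITABLE.search(path):
                findings["firewall_exception_user_writable"].append(line)
        elif "\\Wallpaper ->" in line and "decrypt" in line.lower():
            # Desktop wallpaper replaced by a "Decrypt ..." ransom image.
            findings["ransom_wallpaper"].append(line)
        elif RANSOM_NOTE.search(line):
            findings["ransom_note"].append(line)
    return dict(findings)


def build_fixlist(findings, directives=("CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:")):
    """Draft an FRST fixlist: directives first, then the flagged log lines
    verbatim, wrapped in start/End exactly like the fixlist in the thread.
    Output is sorted so repeated runs diff cleanly; review before use."""
    body = sorted({hit for hits in findings.values() for hit in hits})
    return "\n".join(["start", *directives, "", *body, "", "End"])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for category, lines in hits.items():
        print(f"[{category}] {len(lines)} hit(s)")
    print(build_fixlist(hits))
```

The firewall check is the one worth keeping in mind from this log: a process named like a Windows service (scardsvr.exe) but living under Application Data, authorized through the firewall and started from a Startup shortcut, is the persistence shape to look for even after the ransom notes are gone.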

#4 SimiRed

SimiRed
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Local time:10:48 AM

Posted 27 June 2015 - 03:41 PM

Fix result of Farbar Recovery Scan Tool (x86) Version: 24-06-2015
Ran by Lisa Powell at 2015-06-27 15:57:07 Run:1
Running from C:\Documents and Settings\Lisa Powell\Desktop
Loaded Profiles: Lisa Powell (Available Profiles: Lisa Powell & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Norton AntiVirus <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
Startup: C:\Documents and Settings\Lisa Powell\Start Menu\Programs\Startup\scardsvr.lnk [2014-09-06]
ShortcutTarget: scardsvr.lnk -> C:\Documents and Settings\Lisa Powell\Application Data\Microsoft\Windows\IEUpdate\scardsvr.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM -> {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm044^S02513^us&si=CKz6rLLRhrICFQjf4Aod2GEApA&ptb=F1019C1B-013F-40BF-B56E-CF5F784166E1&psa=&ind=2012082621&st=sb&n=77edf1bd&searchfor={searchTerms}
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-1610986790-2146471656-1072785999-1006 -> {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm044^S02513^us&si=CKz6rLLRhrICFQjf4Aod2GEApA&ptb=F1019C1B-013F-40BF-B56E-CF5F784166E1&psa=&ind=2012082621&st=sb&n=77edf1bd&searchfor={searchTerms}
BHO: Yahoo! Toolbar Helper -> {02478D38-C3F9-4EFB-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-29] (Yahoo! Inc.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-29] (Yahoo! Inc.)
FF Plugin: @yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1 -> C:\Program Files\Yahoo!\Shared\npYVerInfo.dll No File
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Yahoo!\Common\npyaxmpb.dll No File
FF Plugin HKU\S-1-5-21-1610986790-2146471656-1072785999-1006: @real.com/RhapsodyPlayerEngine -> C:\Documents and Settings\Lisa Powell\Application Data\nprhapengine.dll No File
FF HKLM\...\Firefox\Extensions: [64ffxtbr@TelevisionFanatic.com] - C:\Program Files\TelevisionFanatic\bar\1.bin
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\gcswf32.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files\Google\Chrome\Application\41.0.2272.76\gears.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Updater) - C:\Program Files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR HKLM\...\Chrome\Extension: [appomijjjeafjcojkfocepgpbdkenmec] - C:\Documents and Settings\All Users\Application Data\wxDfast\appomijjjeafjcojkfocepgpbdkenmec.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
S3 bvrp_pci; No ImagePath
S3 IPSECSHM; system32\DRIVERS\ipsecw2k.sys [X]
S3 SymIM; system32\DRIVERS\SymIM.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]
U1 WS2IFSL; No ImagePath
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.PNG
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
C:\Documents and Settings\All Users\HELP_DECRYPT.URL

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM => Group Policy Restriction on software restored successfully
HKLM => Group Policy Restriction on software restored successfully
HKLM => Group Policy Restriction on software restored successfully
HKLM => Group Policy Restriction on software restored successfully
HKLM => Group Policy Restriction on software restored successfully
HKLM => Group Policy Restriction on software restored successfully
C:\Documents and Settings\Lisa Powell\Start Menu\Programs\Startup\scardsvr.lnk => moved successfully.
C:\Documents and Settings\Lisa Powell\Application Data\Microsoft\Windows\IEUpdate\scardsvr.exe not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => value removed successfully.
"HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}" => key removed successfully.
HKCR\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => key not found.
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
"HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}" => key removed successfully.
HKCR\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}" => key removed successfully.
"HKCR\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => value removed successfully.
HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => key not found.
"HKLM\Software\MozillaPlugins\@yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1" => key removed successfully.
"HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1" => key removed successfully.
"HKU\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine" => key removed successfully.
C:\Documents and Settings\Lisa Powell\Application Data\nprhapengine.dll not found.
HKLM\Software\Mozilla\Firefox\Extensions\\64ffxtbr@TelevisionFanatic.com => value removed successfully.
C:\Program Files\Google\Chrome\Application\41.0.2272.76\gcswf32.dll not found.
C:\Program Files\QuickTime\plugins\npqtplugin6.dll not found.
C:\Program Files\QuickTime\plugins\npqtplugin7.dll not found.
c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll not found.
C:\Program Files\Google\Chrome\Application\41.0.2272.76\pdf.dll not found.
C:\Program Files\Google\Chrome\Application\41.0.2272.76\gears.dll not found.
C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll not found.
C:\Program Files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll not found.
C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\appomijjjeafjcojkfocepgpbdkenmec" => key removed successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully.
bvrp_pci => Service removed successfully.
IPSECSHM => Service removed successfully.
SymIM => Service removed successfully.
SymIMMP => Service removed successfully.
WS2IFSL => Service removed successfully.
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.HTML => moved successfully.
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.PNG => moved successfully.
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.TXT => moved successfully.
C:\Documents and Settings\Lisa Powell\Application Data\HELP_DECRYPT.URL => moved successfully.
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.HTML => moved successfully.
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.PNG => moved successfully.
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.TXT => moved successfully.
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\HELP_DECRYPT.URL => moved successfully.
C:\Documents and Settings\All Users\HELP_DECRYPT.HTML => moved successfully.
C:\Documents and Settings\All Users\HELP_DECRYPT.PNG => moved successfully.
C:\Documents and Settings\All Users\HELP_DECRYPT.TXT => moved successfully.
C:\Documents and Settings\All Users\HELP_DECRYPT.URL => moved successfully.
EmptyTemp: => 1.2 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 16:19:24 ====



#5 SimiRed

SimiRed
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Local time:10:48 AM

Posted 27 June 2015 - 04:02 PM

I still have the desktop background as CTB blocker and my pictures are all listed as "IMG_009.jpg.omaswzg". They all have that extension and won't open.

Here is the cleaner log:

# AdwCleaner v4.207 - Logfile created 27/06/2015 at 16:52:43
# Updated 21/06/2015 by Xplode
# Database : 2015-06-23.1 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Lisa Powell - LISA
# Running from : C:\Documents and Settings\Lisa Powell\Local Settings\Temporary Internet Files\Content.IE5\0EPX30ZD\adwcleaner_4.207[1].exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
Folder Deleted : C:\Program Files\Coupons
Folder Deleted : C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\iac
Folder Deleted : C:\Documents and Settings\Lisa Powell\Application Data\Babylon
File Deleted : C:\HELP_DECRYPT.HTML
File Deleted : C:\HELP_DECRYPT.PNG
File Deleted : C:\HELP_DECRYPT.TXT
File Deleted : C:\HELP_DECRYPT.URL
File Deleted : C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
File Deleted : C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.PNG
File Deleted : C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT
File Deleted : C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
File Deleted : C:\Documents and Settings\All Users\Documents\HELP_DECRYPT.HTML
File Deleted : C:\Documents and Settings\All Users\Documents\HELP_DECRYPT.PNG
File Deleted : C:\Documents and Settings\All Users\Documents\HELP_DECRYPT.TXT
File Deleted : C:\Documents and Settings\All Users\Documents\HELP_DECRYPT.URL
File Deleted : C:\Documents and Settings\Administrator\HELP_DECRYPT.HTML
File Deleted : C:\Documents and Settings\Administrator\HELP_DECRYPT.PNG
File Deleted : C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT
File Deleted : C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
File Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
File Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.PNG
File Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
File Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
File Deleted : C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
File Deleted : C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.PNG
File Deleted : C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
File Deleted : C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
File Deleted : C:\Documents and Settings\Lisa Powell\HELP_DECRYPT.HTML
File Deleted : C:\Documents and Settings\Lisa Powell\HELP_DECRYPT.PNG
File Deleted : C:\Documents and Settings\Lisa Powell\HELP_DECRYPT.TXT
File Deleted : C:\Documents and Settings\Lisa Powell\HELP_DECRYPT.URL
File Deleted : C:\Documents and Settings\Lisa Powell\My Documents\HELP_DECRYPT.HTML
File Deleted : C:\Documents and Settings\Lisa Powell\My Documents\HELP_DECRYPT.PNG
File Deleted : C:\Documents and Settings\Lisa Powell\My Documents\HELP_DECRYPT.TXT
File Deleted : C:\Documents and Settings\Lisa Powell\My Documents\HELP_DECRYPT.URL

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B8445FED-900C-4137-AD15-DDD2F6306B62}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89CC5A31-B592-4BB3-82F5-BD8ACA3E0BF0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22714877-95E3-480E-A313-4EC440965E4F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4E7F49ED-8C94-4AAA-A407-3010D099B11A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows4.0
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WxDFast
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows4.0
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WxDFast
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Google Chrome v43.0.2357.130

[C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [7248 bytes] - [27/06/2015 16:45:57]
AdwCleaner[S0].txt - [7196 bytes] - [27/06/2015 16:52:43]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7255  bytes] ##########



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:48 AM

Posted 28 June 2015 - 07:23 AM

As previously mentioned.

This is a very nasty infection. Read about it.
http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#restore

As you will see, the only way to restore your files is if you have good backups.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===
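Two things in this thread are worth turning into a defender's check: the renamed pictures reported in post #5 (IMG_009.jpg.omaswzg) and the point above that the files only come back from backups. The Python script below is an added example, not code from the thread or from Zoek, FRST or AdwCleaner. It walks a directory tree read-only, counts data files that carry an appended extension, records the folders where HELP_DECRYPT.* notes were dropped, and lists the original file names to pull from the backup set. The list of data extensions and the 5-8 lowercase-letter pattern for the appended extension are assumptions modelled on the single sample name in the thread, and the directory tree it builds for the demo is constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Ransom-note names seen in the thread's logs (HELP_DECRYPT.HTML/PNG/TXT/URL).
NOTE_RE = re.compile(r"^HELP_DECRYPT\.(HTML|PNG|TXT|URL)$", re.IGNORECASE)

# Extensions treated as user data. Assumption: extend this set for your own
# environment; anything not listed is ignored even if it looks renamed.
DATA_EXTS = {"jpg", "jpeg", "png", "gif", "doc", "docx", "xls", "xlsx",
             "pdf", "txt", "mp3"}

# "<name>.<data ext>.<appended ext>", e.g. IMG_009.jpg.omaswzg. Modelling the
# appended part as 5-8 lowercase letters is an assumption based on the one
# sample name in the thread, not a published indicator.
APPENDED_RE = re.compile(
    r"^(?P<orig>.+\.(?P<ext>[A-Za-z0-9]{2,5}))\.(?P<tail>[a-z]{5,8})$")


def classify(name):
    """Return 'note', 'encrypted' or 'normal' for a bare file name."""
    if NOTE_RE.match(name):
        return "note"
    m = APPENDED_RE.match(name)
    if m and m.group("ext").lower() in DATA_EXTS:
        return "encrypted"
    return "normal"


def original_name(name):
    """Strip the appended extension so the file can be matched to its backup copy."""
    if classify(name) != "encrypted":
        return name
    return APPENDED_RE.match(name).group("orig")


def triage(root):
    """Walk `root` read-only and summarise what the ransomware touched."""
    encrypted = []      # relative paths of renamed data files
    note_dirs = set()   # directories in which a ransom note was dropped
    tails = Counter()   # appended extensions seen (normally one per infection)
    for dirpath, _subdirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            kind = classify(name)
            if kind == "note":
                note_dirs.add(rel_dir)
            elif kind == "encrypted":
                encrypted.append(os.path.join(rel_dir, name))
                tails[APPENDED_RE.match(name).group("tail")] += 1
    return {
        "encrypted_files": sorted(encrypted),
        # Names to look for in the backup set, with the appended part removed.
        "restore_targets": sorted(
            os.path.join(os.path.dirname(p), original_name(os.path.basename(p)))
            for p in encrypted),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
        "note_dirs": sorted(note_dirs),
        "appended_exts": dict(tails),
    }


def build_sample_tree(root):
    """Create a constructed sample tree under `root` (placeholder content only)."""
    layout = {
        "Pictures": ["IMG_009.jpg.omaswzg", "IMG_010.jpg.omaswzg",
                     "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML"],
        "Documents": ["taxes.docx.omaswzg", "HELP_DECRYPT.URL", "readme.txt"],
        "Music": ["song.mp3", "archive.tar.gz"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("constructed sample content\n")


def demo():
    """Build the constructed tree in a temp dir, triage it and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    s = demo()
    print(f"{len(s['encrypted_files'])} encrypted files in "
          f"{len(s['affected_dirs'])} folders")
    print("ransom notes dropped in:", ", ".join(s["note_dirs"]))
    print("appended extension(s):", s["appended_exts"])
    for p in s["restore_targets"]:
        print("restore from backup:", p)
```

Point `triage()` at a real profile directory (for example the Documents and Settings folder of the affected user) to get the same summary for that machine; the script only reads names, never contents, and does not attempt any decryption. The `note_dirs` list is also a useful detection signal on its own: a note file appearing in a folder that holds no user data, as the logs above show for the Chrome Extensions folder, is a sign the encryptor walked that path.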

#7 SimiRed

SimiRed
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Local time:10:48 AM

Posted 28 June 2015 - 02:56 PM

The Zoek results are on the C: drive. However, I cannot get the RunScript screen to close. It has been running for 7 hours and every time I click the "x" to close, it tells me it is not done. It won't go away. The computer even shut down, it's taking so long.

Zoek.exe is running now.
Do not start any browser windows, they may get closed automatically.
Please wait! This window will close when finished.
A logfile will open afterwards and can also be found on your systemdrive as zoek-results.log

The last script on the screen is " --- Del by CLSID  9:35:09.26". It seems stuck there.

Below is what is in the zoek log results from the C: drive.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Lisa Powell on Sun 06/28/2015 at  9:15:54.10.
Microsoft Windows XP Professional 5.1.2600 Service Pack 3 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Documents and Settings\Lisa Powell\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

6/28/2015 9:19:27 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\MSXML 4.0 deleted successfully
C:\Program Files\Support.com deleted successfully
C:\DOCUME~1\ALLUSE~1\APPLIC~1\PCSettings deleted successfully
C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZoomBrowser deleted successfully
C:\Documents and Settings\Lisa Powell\Application Data\AdobeUM deleted successfully
C:\Documents and Settings\Lisa Powell\Application Data\Lavasoft deleted successfully
C:\Documents and Settings\Lisa Powell\Application Data\ZoomBrowser EX deleted successfully
C:\Documents and Settings\LocalService\Application Data\Apple Computer deleted successfully
C:\Documents and Settings\NetworkService\Application Data\Apple Computer deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Internet Explorer\SearchScopes\{E57002B7-5501-4E4C-835E-348368DD635F} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\Program Files\Support.com not found
C:\Program Files\ComPlus Applications deleted
C:\Program Files\WindowsUpdate deleted
C:\Program Files\BAE deleted
C:\Program Files\File Scanner Library (Spybot - Search & Destroy) deleted
C:\Program Files\Misc. Support Library (Spybot - Search & Destroy) deleted
C:\Program Files\Smilebox deleted
C:\Program Files\Microsoft Plus! Digital Media Edition deleted
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT deleted
C:\Documents and Settings\Lisa Powell\Application Data\Yahoo! deleted
C:\Documents and Settings\LocalService\Application Data\HELP_DECRYPT.TXT deleted
C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO deleted
C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo! deleted
C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallMate deleted
C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\d3d9caps.tmp deleted
C:\WINDOWS\003370_.tmp deleted
C:\WINDOWS\wininit.ini deleted
C:\WINDOWS\system32\GroupPolicy\ADM deleted
C:\WINDOWS\System32\SET182.tmp deleted
C:\WINDOWS\System32\SET183.tmp deleted
C:\WINDOWS\System32\SET184.tmp deleted
C:\WINDOWS\System32\SET18B.tmp deleted
C:\WINDOWS\System32\SET18C.tmp deleted
C:\WINDOWS\System32\SET18D.tmp deleted
C:\WINDOWS\System32\SET1E5.tmp deleted
C:\WINDOWS\System32\SET1F2.tmp deleted
C:\WINDOWS\System32\SET20C.tmp deleted
C:\WINDOWS\System32\SET213.tmp deleted
C:\WINDOWS\System32\SET217.tmp deleted
C:\WINDOWS\System32\SET218.tmp deleted
C:\WINDOWS\System32\SET21A.tmp deleted
C:\WINDOWS\System32\SET21D.tmp deleted
C:\WINDOWS\System32\SET227.tmp deleted
C:\WINDOWS\System32\SET228.tmp deleted
C:\WINDOWS\System32\SET241.tmp deleted
C:\WINDOWS\System32\SET248.tmp deleted
C:\WINDOWS\System32\SET249.tmp deleted
C:\WINDOWS\System32\SET24A.tmp deleted
C:\WINDOWS\System32\SET24B.tmp deleted
C:\WINDOWS\System32\SET24C.tmp deleted
C:\WINDOWS\System32\SET24D.tmp deleted
C:\WINDOWS\System32\SET24F.tmp deleted
C:\WINDOWS\System32\SET251.tmp deleted
C:\WINDOWS\System32\SET252.tmp deleted
C:\WINDOWS\System32\SET254.tmp deleted
C:\WINDOWS\System32\SET255.tmp deleted
C:\WINDOWS\System32\SET25F.tmp deleted
C:\WINDOWS\System32\SET29A.tmp deleted
C:\WINDOWS\System32\SET2FA.tmp deleted
C:\WINDOWS\System32\SET2FB.tmp deleted
C:\WINDOWS\System32\SET2FD.tmp deleted
C:\WINDOWS\System32\SET2FE.tmp deleted
C:\WINDOWS\System32\SET2FF.tmp deleted
C:\WINDOWS\System32\SET300.tmp deleted
C:\WINDOWS\System32\SET301.tmp deleted
C:\WINDOWS\System32\SET302.tmp deleted
C:\WINDOWS\System32\SET303.tmp deleted
C:\WINDOWS\System32\SET304.tmp deleted
C:\WINDOWS\System32\SET305.tmp deleted
C:\WINDOWS\System32\SET307.tmp deleted
C:\WINDOWS\System32\SET309.tmp deleted
C:\WINDOWS\System32\SET30A.tmp deleted
C:\WINDOWS\System32\SET30B.tmp deleted
C:\WINDOWS\System32\SET30C.tmp deleted
C:\WINDOWS\System32\SET30D.tmp deleted
C:\WINDOWS\System32\SET30E.tmp deleted
C:\WINDOWS\System32\SET30F.tmp deleted
C:\WINDOWS\System32\SET312.tmp deleted
C:\WINDOWS\System32\SET313.tmp deleted
C:\WINDOWS\System32\SET314.tmp deleted
C:\WINDOWS\System32\SET316.tmp deleted
C:\WINDOWS\System32\SET318.tmp deleted
C:\WINDOWS\System32\SET319.tmp deleted
C:\WINDOWS\System32\SET31A.tmp deleted
C:\WINDOWS\System32\SET31B.tmp deleted
C:\WINDOWS\System32\SET31C.tmp deleted
C:\WINDOWS\System32\SET31D.tmp deleted
C:\WINDOWS\System32\SET31F.tmp deleted
C:\WINDOWS\System32\SET321.tmp deleted
C:\WINDOWS\System32\SET322.tmp deleted
C:\WINDOWS\System32\SET323.tmp deleted
C:\WINDOWS\System32\SET324.tmp deleted
C:\WINDOWS\System32\SET325.tmp deleted
C:\WINDOWS\System32\SET326.tmp deleted
C:\WINDOWS\System32\SET327.tmp deleted
C:\WINDOWS\System32\SET328.tmp deleted
C:\WINDOWS\System32\SET329.tmp deleted
C:\WINDOWS\System32\SET32A.tmp deleted
C:\WINDOWS\System32\SET32E.tmp deleted
C:\WINDOWS\System32\SET32F.tmp deleted
C:\WINDOWS\System32\SET330.tmp deleted
C:\WINDOWS\System32\SET331.tmp deleted
C:\WINDOWS\System32\SET332.tmp deleted
C:\WINDOWS\System32\SET333.tmp deleted
C:\WINDOWS\System32\SET334.tmp deleted
C:\WINDOWS\System32\SET335.tmp deleted
C:\WINDOWS\System32\SET336.tmp deleted
C:\WINDOWS\System32\SET337.tmp deleted
C:\WINDOWS\System32\SET338.tmp deleted
C:\WINDOWS\System32\SET339.tmp deleted
C:\WINDOWS\System32\SET33B.tmp deleted
C:\WINDOWS\System32\SET33C.tmp deleted
C:\WINDOWS\System32\SET33D.tmp deleted
C:\WINDOWS\System32\SET33E.tmp deleted
C:\WINDOWS\System32\SET340.tmp deleted
C:\WINDOWS\System32\SET36C.tmp deleted
C:\WINDOWS\System32\SET36D.tmp deleted
C:\WINDOWS\System32\SET36E.tmp deleted
C:\WINDOWS\System32\SET36F.tmp deleted
C:\WINDOWS\System32\SET370.tmp deleted
C:\WINDOWS\System32\SET371.tmp deleted
C:\WINDOWS\System32\SET372.tmp deleted
C:\WINDOWS\System32\SET373.tmp deleted
C:\WINDOWS\System32\SET374.tmp deleted
C:\WINDOWS\System32\SET375.tmp deleted
C:\WINDOWS\System32\SET376.tmp deleted
C:\WINDOWS\System32\SET377.tmp deleted
C:\WINDOWS\System32\SET378.tmp deleted
C:\WINDOWS\System32\SET379.tmp deleted
C:\WINDOWS\System32\SET37A.tmp deleted
C:\WINDOWS\System32\SET37B.tmp deleted
C:\WINDOWS\System32\SET37C.tmp deleted
C:\WINDOWS\System32\SET37D.tmp deleted
C:\WINDOWS\System32\SET37E.tmp deleted
C:\WINDOWS\System32\SET37F.tmp deleted
C:\WINDOWS\System32\SET380.tmp deleted
C:\WINDOWS\System32\SET381.tmp deleted
C:\WINDOWS\System32\SET382.tmp deleted
C:\WINDOWS\System32\SET383.tmp deleted
C:\WINDOWS\System32\SET384.tmp deleted
C:\WINDOWS\System32\SET385.tmp deleted
C:\WINDOWS\System32\SET386.tmp deleted
C:\WINDOWS\System32\SET387.tmp deleted
C:\WINDOWS\System32\SET388.tmp deleted
C:\WINDOWS\System32\SET389.tmp deleted
C:\WINDOWS\System32\SET38A.tmp deleted
C:\WINDOWS\System32\SET38B.tmp deleted
C:\WINDOWS\System32\SET38C.tmp deleted
C:\WINDOWS\System32\SET38D.tmp deleted
C:\WINDOWS\System32\SET38E.tmp deleted
C:\WINDOWS\System32\SET38F.tmp deleted
C:\WINDOWS\System32\SET390.tmp deleted
C:\WINDOWS\System32\SET391.tmp deleted
C:\WINDOWS\System32\SET3912.tmp deleted
C:\WINDOWS\System32\SET3913.tmp deleted
C:\WINDOWS\System32\SET3915.tmp deleted
C:\WINDOWS\System32\SET3916.tmp deleted
C:\WINDOWS\System32\SET392.tmp deleted
C:\WINDOWS\System32\SET393.tmp deleted
C:\WINDOWS\System32\SET394.tmp deleted
C:\WINDOWS\System32\SET397C.tmp deleted
C:\WINDOWS\System32\SET397D.tmp deleted
C:\WINDOWS\System32\SET3C2.tmp deleted
C:\WINDOWS\System32\SET3C3.tmp deleted
C:\WINDOWS\System32\SET3C4.tmp deleted
C:\WINDOWS\System32\SET3C5.tmp deleted
C:\WINDOWS\System32\SET3C6.tmp deleted
C:\WINDOWS\System32\SET3C8.tmp deleted
C:\WINDOWS\System32\SET3C9.tmp deleted
C:\WINDOWS\System32\SET3CC.tmp deleted
C:\WINDOWS\System32\SET3CD.tmp deleted
C:\WINDOWS\System32\SET3CF.tmp deleted
C:\WINDOWS\System32\SET3D0.tmp deleted
C:\WINDOWS\System32\SET3D1.tmp deleted
C:\WINDOWS\System32\SET3D2.tmp deleted
C:\WINDOWS\System32\SET3D4.tmp deleted
C:\WINDOWS\System32\SET3D5.tmp deleted
C:\WINDOWS\System32\SET3EE.tmp deleted
C:\WINDOWS\System32\SET3EF.tmp deleted
C:\WINDOWS\System32\SET3F1.tmp deleted
C:\WINDOWS\System32\SET3F2.tmp deleted
C:\WINDOWS\System32\SET3F4.tmp deleted
C:\WINDOWS\System32\SET3F6.tmp deleted
C:\WINDOWS\System32\SET3F7.tmp deleted
C:\WINDOWS\System32\SET3FA.tmp deleted
C:\WINDOWS\System32\SET3FC.tmp deleted
C:\WINDOWS\System32\SET3FE.tmp deleted
C:\WINDOWS\System32\SET3FF.tmp deleted
C:\WINDOWS\System32\SET400.tmp deleted
C:\WINDOWS\System32\SET401.tmp deleted
C:\WINDOWS\System32\SET402.tmp deleted
C:\WINDOWS\System32\SET40B.tmp deleted
C:\WINDOWS\System32\SET40E.tmp deleted
C:\WINDOWS\System32\SET413.tmp deleted
C:\WINDOWS\System32\SET416.tmp deleted
C:\WINDOWS\System32\SET41A.tmp deleted
C:\WINDOWS\System32\SET41B.tmp deleted
C:\WINDOWS\System32\SET421.tmp deleted
C:\WINDOWS\System32\SET422.tmp deleted
C:\WINDOWS\System32\SET4284.tmp deleted
C:\WINDOWS\System32\SET4285.tmp deleted
C:\WINDOWS\System32\SET42A.tmp deleted
C:\WINDOWS\System32\SET42CE.tmp deleted
C:\WINDOWS\System32\SET42CF.tmp deleted
C:\WINDOWS\System32\SET4302.tmp deleted
C:\WINDOWS\System32\SET4303.tmp deleted
C:\WINDOWS\System32\SET432.tmp deleted
C:\WINDOWS\System32\SET441C.tmp deleted
C:\WINDOWS\System32\SET441D.tmp deleted
C:\WINDOWS\System32\SET445.tmp deleted
C:\WINDOWS\System32\SET447.tmp deleted
C:\WINDOWS\System32\SET44CB.tmp deleted
C:\WINDOWS\System32\SET44CC.tmp deleted
C:\WINDOWS\System32\SET4587.tmp deleted
C:\WINDOWS\System32\SET4588.tmp deleted
C:\WINDOWS\System32\SET464A.tmp deleted
C:\WINDOWS\System32\SET464B.tmp deleted
C:\WINDOWS\System32\SET496.tmp deleted
C:\WINDOWS\System32\SET49F.tmp deleted
C:\WINDOWS\System32\SET4A1.tmp deleted
C:\WINDOWS\System32\SET4A2.tmp deleted
C:\WINDOWS\System32\SET4A9.tmp deleted
C:\WINDOWS\System32\SET4AA.tmp deleted
C:\WINDOWS\System32\SET4B4.tmp deleted
C:\WINDOWS\System32\SET4B6.tmp deleted
C:\WINDOWS\System32\SET4B7.tmp deleted
C:\WINDOWS\System32\SET4BE.tmp deleted
C:\WINDOWS\System32\SET4C1.tmp deleted
C:\WINDOWS\System32\SET4C6.tmp deleted
C:\WINDOWS\System32\SET4C8.tmp deleted
C:\WINDOWS\System32\SET4D9.tmp deleted
C:\WINDOWS\System32\SET4DC.tmp deleted
C:\WINDOWS\System32\SET4DD.tmp deleted
C:\WINDOWS\System32\SET4DF.tmp deleted
C:\WINDOWS\System32\SET4E2.tmp deleted
C:\WINDOWS\System32\SET4E3.tmp deleted
C:\WINDOWS\System32\SET4E7.tmp deleted
C:\WINDOWS\System32\SET4E8.tmp deleted
C:\WINDOWS\System32\SET4E9.tmp deleted
C:\WINDOWS\System32\SET4EA.tmp deleted
C:\WINDOWS\System32\SET4EB.tmp deleted
C:\WINDOWS\System32\SET4EF8.tmp deleted
C:\WINDOWS\System32\SET4EF9.tmp deleted
C:\WINDOWS\System32\SET4F3B.tmp deleted
C:\WINDOWS\System32\SET4F3C.tmp deleted
C:\WINDOWS\System32\SET502.tmp deleted
C:\WINDOWS\System32\SET5024.tmp deleted
C:\WINDOWS\System32\SET5025.tmp deleted
C:\WINDOWS\System32\SET507.tmp deleted
C:\WINDOWS\System32\SET509.tmp deleted
C:\WINDOWS\System32\SET50C.tmp deleted
C:\WINDOWS\System32\SET513.tmp deleted
C:\WINDOWS\System32\SET516.tmp deleted
C:\WINDOWS\System32\SET518.tmp deleted
C:\WINDOWS\System32\SET5188.tmp deleted
C:\WINDOWS\System32\SET5189.tmp deleted
C:\WINDOWS\System32\SET51DB.tmp deleted
C:\WINDOWS\System32\SET51DC.tmp deleted
C:\WINDOWS\System32\SET51E.tmp deleted
C:\WINDOWS\System32\SET521.tmp deleted
C:\WINDOWS\System32\SET521B.tmp deleted
C:\WINDOWS\System32\SET521C.tmp deleted
C:\WINDOWS\System32\SET523.tmp deleted
C:\WINDOWS\System32\SET525.tmp deleted
C:\WINDOWS\System32\SET52EC.tmp deleted
C:\WINDOWS\System32\SET52ED.tmp deleted
C:\WINDOWS\System32\SET54A.tmp deleted
C:\WINDOWS\System32\SET54B.tmp deleted
C:\WINDOWS\System32\SET553.tmp deleted
C:\WINDOWS\System32\SET554.tmp deleted
C:\WINDOWS\System32\SET577.tmp deleted
C:\WINDOWS\System32\SET57C.tmp deleted
C:\WINDOWS\System32\SET5A6E.tmp deleted
C:\WINDOWS\System32\SET5A6F.tmp deleted
C:\WINDOWS\System32\SET5BC3.tmp deleted
C:\WINDOWS\System32\SET5BC4.tmp deleted
C:\WINDOWS\System32\SET5C3F.tmp deleted
C:\WINDOWS\System32\SET5C40.tmp deleted
C:\WINDOWS\System32\SET5CD8.tmp deleted
C:\WINDOWS\System32\SET5CD9.tmp deleted
C:\WINDOWS\System32\SET5D09.tmp deleted
C:\WINDOWS\System32\SET5D0A.tmp deleted
C:\WINDOWS\System32\SET5E4C.tmp deleted
C:\WINDOWS\System32\SET5E4D.tmp deleted
C:\WINDOWS\System32\SET5EF7.tmp deleted
C:\WINDOWS\System32\SET5EF8.tmp deleted
C:\WINDOWS\System32\SET5F6.tmp deleted
C:\WINDOWS\System32\SET5F7.tmp deleted
C:\WINDOWS\System32\SET659E.tmp deleted
C:\WINDOWS\System32\SET659F.tmp deleted
C:\WINDOWS\System32\SET6625.tmp deleted
C:\WINDOWS\System32\SET6626.tmp deleted
C:\WINDOWS\System32\SET6675.tmp deleted
C:\WINDOWS\System32\SET6676.tmp deleted
C:\WINDOWS\System32\SET6717.tmp deleted
C:\WINDOWS\System32\SET6718.tmp deleted
C:\WINDOWS\System32\SET6764.tmp deleted
C:\WINDOWS\System32\SET6765.tmp deleted
C:\WINDOWS\System32\SET6859.tmp deleted
C:\WINDOWS\System32\SET685B.tmp deleted
C:\WINDOWS\System32\SET685D.tmp deleted
C:\WINDOWS\System32\SET685E.tmp deleted
C:\WINDOWS\System32\SET685F.tmp deleted
C:\WINDOWS\System32\SET6860.tmp deleted
C:\WINDOWS\System32\SET6864.tmp deleted
C:\WINDOWS\System32\SET6865.tmp deleted
C:\WINDOWS\System32\SET6866.tmp deleted
C:\WINDOWS\System32\SET6867.tmp deleted
C:\WINDOWS\System32\SET686B.tmp deleted
C:\WINDOWS\System32\SET686D.tmp deleted
C:\WINDOWS\System32\SET686F.tmp deleted
C:\WINDOWS\System32\SET6874.tmp deleted
C:\WINDOWS\System32\SET6875.tmp deleted
C:\WINDOWS\System32\SET6876.tmp deleted
C:\WINDOWS\System32\SET68B4.tmp deleted
C:\WINDOWS\System32\SET68B5.tmp deleted
C:\WINDOWS\System32\SET68B7.tmp deleted
C:\WINDOWS\System32\SET68BC.tmp deleted
C:\WINDOWS\System32\SET68BE.tmp deleted
C:\WINDOWS\System32\SET68C0.tmp deleted
C:\WINDOWS\System32\SET68C4.tmp deleted
C:\WINDOWS\System32\SET68C5.tmp deleted
C:\WINDOWS\System32\SET68C6.tmp deleted
C:\WINDOWS\System32\SET68C7.tmp deleted
C:\WINDOWS\System32\SET68CB.tmp deleted
C:\WINDOWS\System32\SET68CC.tmp deleted
C:\WINDOWS\System32\SET68CD.tmp deleted
C:\WINDOWS\System32\SET68CE.tmp deleted
C:\WINDOWS\System32\SET692B.tmp deleted
C:\WINDOWS\System32\SET692C.tmp deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}"="C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.1.0.9\coFFPlgn" [06/28/2015 09:05 AM]

==== Chromium Look ======================

Google Chrome Version: 43.0.2357.130

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
cjabmdjcfcfdmffimndhafhblfmpjdpe - C:\Program Files\Norton Security with Backup\Engine\22.5.0.124\Exts\Chrome.crx[06/05/2015 02:55 AM]
iikflkcanblccfahdhdonehdalibjnif - No path found[]

Norton Security Toolbar - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe
Norton Identity Safe - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif
Chrome Hotword Shared Module - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
undetermined - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\HELP_DECRYPT.HTML
undetermined - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\HELP_DECRYPT.PNG
undetermined - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\HELP_DECRYPT.TXT
undetermined - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\HELP_DECRYPT.URL

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://verizon.yahoo.com"
"Search Page"="http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com"
"Search Bar"="http://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html"
"Home_Page"="http://www.dell.com"
"Help_Page"="http://support.dell.com"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
@="http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us"
"CustomSearch"="http://red.clientapps.yahoo.com/customize/ie/defaults/cs/verizon/*http://www.yahoo.com/search/ie.html"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Bar"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Home_Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Help_Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"CustomSearch"="http://go.microsoft.com/fwlink/?LinkId=54896"
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google  Url="http://www.google.com/search?q={searchTerms}&rlz=1I7DMUS_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
{70D46D94-BF1E-45ED-B567-48701376298E} Google Desktop Url="http://127.0.0.1:4664/search&s=avOvYtneRZkAI9aqHdWkrI5A_k0?q={searchTerms}"

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully
HKEY_USERS\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully
HKEY_USERS\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA6319C0-31B7-401E-A518-A07C3DB8F777} deleted successfully
HKEY_USERS\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA6319C0-31B7-401E-A518-A07C3DB8F777} deleted successfully
HKEY_USERS\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} deleted successfully
HKEY_USERS\S-1-5-21-1610986790-2146471656-1072785999-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} deleted successfully

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\jqs@sun.com deleted successfully



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 June 2015 - 06:44 AM

Stop the process.

Restart the computer normally.

Execute the Zoek tool one more time.

How is the computer running now?

#9 SimiRed

SimiRed
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female

Posted 29 June 2015 - 07:42 AM

I can't stop the process. I've shut down the computer and restarted; it still shows up. I ended it in Task Manager, but every time I click the "x" to close, the window tells me the process is running and the window will close when finished.

How do I end it?



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 June 2015 - 09:43 AM

Restart Windows.

It may take some time, but it will close.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 July 2015 - 08:48 AM

Are you still with me?

#12 SimiRed

SimiRed
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female

Posted 05 July 2015 - 07:15 AM

Yes, but I am out of town until Tuesday. I'll run Zoek again then.

Then I'll see what happens.

Thank you for asking!

#13 SimiRed

SimiRed
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female

Posted 07 July 2015 - 01:41 PM

Sorry for the delay. Below are the Zoek results.

My pictures still have the .jpg.omaswzg extension that will not allow me to open them. The desktop still has the "Your personal files are being encrypted with CTB-Locker" background.


Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Lisa Powell on Mon 06/29/2015 at 15:27:27.82.
Microsoft Windows XP Professional 5.1.2600 Service Pack 3 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Documents and Settings\Lisa Powell\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

6/29/2015 3:32:31 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Documents and Settings\LocalService\Application Data\Apple Computer deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}"="C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.1.0.9\coFFPlgn" [06/29/2015 03:24 PM]

==== Chromium Look ======================

Google Chrome Version: 43.0.2357.130

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
cjabmdjcfcfdmffimndhafhblfmpjdpe - C:\Program Files\Norton Security with Backup\Engine\22.5.0.124\Exts\Chrome.crx[06/05/2015 02:55 AM]
iikflkcanblccfahdhdonehdalibjnif - No path found[]

Norton Security Toolbar - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe
Norton Identity Safe - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif
Chrome Hotword Shared Module - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
undetermined - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\HELP_DECRYPT.HTML
undetermined - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\HELP_DECRYPT.PNG
undetermined - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\HELP_DECRYPT.TXT
undetermined - Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\HELP_DECRYPT.URL

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Home_Page"="http://www.dell.com"
"Help_Page"="http://support.dell.com"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Home_Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Help_Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google  Url="http://www.google.com/search?q={searchTerms}&rlz=1I7DMUS_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
{70D46D94-BF1E-45ED-B567-48701376298E} Google Desktop Url="http://127.0.0.1:4664/search&s=avOvYtneRZkAI9aqHdWkrI5A_k0?q={searchTerms}"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{DFAFEE74-4AF3-E4F8-0654-FB6067F894AC} deleted successfully

==== Empty IE Cache ======================

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 emptied successfully
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1JQX0RGV will be deleted at reboot
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6UNLT5FC will be deleted at reboot
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DO1OHE0W will be deleted at reboot
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GCUGNKM0 will be deleted at reboot
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIYPRIK2 will be deleted at reboot
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JJPM4EE2 will be deleted at reboot
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LF5UFI7W will be deleted at reboot
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NY5VE1G3 will be deleted at reboot
C:\Documents and Settings\Lisa Powell\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Documents and Settings\Lisa Powell\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=355 folders=36 383551685 bytes)

==== Empty Temp Folders ======================

C:\Documents and Settings\Administrator\Local Settings\Temp emptied successfully
C:\Documents and Settings\Default User\Local Settings\Temp emptied successfully
C:\Documents and Settings\Lisa Powell\Local Settings\Temp will be emptied at reboot
C:\Documents and Settings\LocalService\Local Settings\Temp emptied successfully
C:\Documents and Settings\NetworkService\Local Settings\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\DOCUME~1\LISAPO~1\LOCALS~1\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\RECYCLER successfully emptied

==== Deleting Files / Folders ======================

"C:\Documents and Settings\Lisa Powell\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1JQX0RGV" not deleted
"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6UNLT5FC" not deleted
"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DO1OHE0W" not deleted
"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GCUGNKM0" not deleted
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIYPRIK2" not found
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JJPM4EE2" not found
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LF5UFI7W" not found
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NY5VE1G3" not found

==== EOF on Mon 06/29/2015 at 18:19:22.32 ======================



#14 SimiRed

SimiRed
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female

Posted 08 July 2015 - 06:38 AM

Zoek results are listed above; I apologize for being away.

This is a friend's computer, so after Thursday I won't be able to help her.

Thanks.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 July 2015 - 06:55 AM

My pictures still have the .jpg.omaswzg extension that will not allow me to open them

The pictures, and possibly other files with a similar extension, have been encrypted by the infection.
There is nothing we can do to clean them.

I hope you have a good backup to restore them.
===

I've shut down the computer and restarted, it still shows up

There could be some startup item still present.

Check the Windows Startup folder and delete anything that is referring to that infection.

===

You could also post the Addition.txt file that was created when you first executed the Farbar tool.
The file should be in the folder where the tool was placed.
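The advice above (the encrypted files cannot be cleaned; restore them from backup) leaves the practical question of knowing exactly which files to restore. The script below is an added example, not code from the thread or from the Zoek or Farbar tools: it walks a folder tree, lists every file carrying the ransomware suffix the poster reported (`.omaswzg`), recovers the original file name by stripping that suffix, tallies the affected file types, and also locates the HELP_DECRYPT.* ransom notes that Zoek listed so they can be cleaned up after the restore. It assumes the suffix is uniform across all encrypted files (the thread shows it only on pictures) and builds a constructed sample tree in a temporary directory so it runs offline; point `inventory()` at a real drive root instead to produce the restore list.

```python
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Values taken from the thread: the extension appended to the encrypted pictures and
# the base name of the ransom-note files Zoek found under the Chrome extensions folder.
ENCRYPTED_SUFFIX = ".omaswzg"
RANSOM_NOTE_STEMS = {"HELP_DECRYPT"}


def original_name(path, suffix=ENCRYPTED_SUFFIX):
    """Return the file name as it was before the ransomware appended its suffix."""
    name = Path(path).name
    if name.lower().endswith(suffix.lower()):
        return name[: -len(suffix)]
    return name


def inventory(root, suffix=ENCRYPTED_SUFFIX):
    """Walk root and report encrypted files, ransom notes, per-type counts and a restore list.

    Paths are returned relative to root with '/' separators so the result is stable
    across platforms. Nothing is modified on disk.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            if fname.lower().endswith(suffix.lower()):
                encrypted.append(p)
            elif Path(fname).stem.upper() in RANSOM_NOTE_STEMS:
                notes.append(p)
    # Count affected types by the *original* extension (e.g. ".jpg"), case-folded.
    by_type = Counter(
        Path(original_name(p, suffix)).suffix.lower() or "(none)" for p in encrypted
    )
    return {
        "encrypted": sorted(p.relative_to(root).as_posix() for p in encrypted),
        "notes": sorted(p.relative_to(root).as_posix() for p in notes),
        "by_type": dict(by_type),
        # Names to pull back from backup, relative to the scanned root.
        "restore_list": sorted(
            p.relative_to(root).with_name(original_name(p, suffix)).as_posix()
            for p in encrypted
        ),
    }


def build_sample_tree():
    """Constructed sample tree (not data from the thread) so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="ctb_triage_"))
    (root / "Pictures").mkdir()
    (root / "Docs").mkdir()
    samples = {
        "Pictures/beach.jpg.omaswzg": b"\x00" * 16,
        "Pictures/family.JPG.omaswzg": b"\x00" * 16,
        "Pictures/untouched.png": b"\x89PNG",
        "Docs/budget.xlsx.omaswzg": b"\x00" * 16,
        "Docs/HELP_DECRYPT.TXT": b"ransom note",
        "Docs/HELP_DECRYPT.HTML": b"<html></html>",
        "Docs/readme.txt": b"hello",
    }
    for rel, data in samples.items():
        (root / rel).write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        report = inventory(sample_root)
        print(f"{len(report['encrypted'])} encrypted file(s), by type: {report['by_type']}")
        print("Restore from backup:")
        for name in report["restore_list"]:
            print("  ", name)
        print("Ransom notes to remove after restore:")
        for name in report["notes"]:
            print("  ", name)
    finally:
        shutil.rmtree(sample_root)
```

The ransom notes are only reported, never deleted: on a machine like the one in this thread the Zoek and Farbar logs are the record of what was removed, and the note files are harmless until the restore is complete.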



