Infected with CryptoWall 3.0


This topic is locked
14 replies to this topic

#1 JWWP (Members, 7 posts)

Posted 06 August 2015 - 09:46 PM

I've been working on my sister's computer in an attempt to clean it from viruses. I have run various malware, spyware, and anti-virus programs but became concerned when I started reading about the CryptoWall 3.0 virus. I just want to make sure that it's completely gone from the computer so that when my sister puts more files (pictures and videos) on her computer she won't lose everything again. I would also like to make sure there aren't any other viruses left on the computer. It is still running very slow and doesn't respond very well (sometimes it will say "not responding") when doing simple tasks like opening/closing programs, clicking on the internet, etc. Thank you for your help!
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:06-08-2015
Ran by Jennifer (administrator) on JENNIFER-PC (06-08-2015 20:53:04)
Running from C:\Users\Jennifer\Desktop
Loaded Profiles: Jennifer & Austin (Available Profiles: Jennifer & Austin)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
(Sunbelt Software) C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe
(Sunbelt Software) C:\Program Files (x86)\Sunbelt Software\VIPRE\SBPIMSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFIWmxSvcs64.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFProcSRVC.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
(ACD Systems International Inc.) C:\Program Files (x86)\Common Files\ACD Systems\EN\DevDetect.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
(AVG Secure Search) C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\CompatTel\wicainventory.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] => C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-08-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [34648 2009-10-28] (TOSHIBA Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [3033112 2015-07-03] ()
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4165447682-2823117455-2930608830-1000\...\Run: [Device Detector] => DevDetect.exe -autorun
HKU\S-1-5-21-4165447682-2823117455-2930608830-1000\...\Run: [FlashPlayerUpdate] => C:\Users\Jennifer\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe
HKU\S-1-5-21-4165447682-2823117455-2930608830-1000\...\Run: [] => C:\Users\Jennifer\AppData\Local\Temp\hcahdkl.exe <===== ATTENTION
HKU\S-1-5-21-4165447682-2823117455-2930608830-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8358680 2015-06-01] (Piriform Ltd)
HKU\S-1-5-21-4165447682-2823117455-2930608830-1001\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3883856 2009-07-26] (Microsoft Corporation)
HKU\S-1-5-21-4165447682-2823117455-2930608830-1001\...\Run: [Google Update] => C:\Users\Austin\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2015-01-31] (Google Inc.)
HKU\S-1-5-21-4165447682-2823117455-2930608830-1001\...\Run: [MusicManager] => C:\Users\Austin\AppData\Local\Programs\Google\MusicManager\MusicManager.exe [7475200 2014-11-13] (Google Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-4165447682-2823117455-2930608830-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://mysearch.avg.com/?cid={2B1A3AF0-C125-49C3-A3D4-572CB9302D85}&mid=dba57842140a47cdbc17d16f2ada0ae5-729a7d6d2485937a1d8e95fa0207c8a083c5e40b&lang=en&ds=AVG&coid=avgtbavg&cmpid=0615pi&pr=fr&d=2015-07-03 22:18:49&v=4.1.0.411&pid=wtu&sg=&sap=hp
HKU\S-1-5-21-4165447682-2823117455-2930608830-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
HKU\S-1-5-21-4165447682-2823117455-2930608830-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
SearchScopes: HKLM -> DefaultScope {4CBE96C3-289F-4A59-BF29-D32A20D764D0} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {4CBE96C3-289F-4A59-BF29-D32A20D764D0} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM-x32 -> DefaultScope {504F4487-1AFF-4D56-B1D4-E708CADDA5F9} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {504F4487-1AFF-4D56-B1D4-E708CADDA5F9} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKU\S-1-5-21-4165447682-2823117455-2930608830-1000 -> {15BC2007-BD04-4655-8A0D-24E1A452E588} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKU\S-1-5-21-4165447682-2823117455-2930608830-1000 -> {4CBE96C3-289F-4A59-BF29-D32A20D764D0} URL = 
SearchScopes: HKU\S-1-5-21-4165447682-2823117455-2930608830-1000 -> {504F4487-1AFF-4D56-B1D4-E708CADDA5F9} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKU\S-1-5-21-4165447682-2823117455-2930608830-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://mysearch.avg.com/search?cid={2B1A3AF0-C125-49C3-A3D4-572CB9302D85}&mid=dba57842140a47cdbc17d16f2ada0ae5-729a7d6d2485937a1d8e95fa0207c8a083c5e40b&lang=en&ds=AVG&coid=avgtbavg&cmpid=0615pi&pr=fr&d=2015-07-03 22:18:49&v=4.1.0.411&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4165447682-2823117455-2930608830-1001 -> {0136D018-3173-42C1-8CBA-2AB90832D118} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKU\S-1-5-21-4165447682-2823117455-2930608830-1001 -> {4CBE96C3-289F-4A59-BF29-D32A20D764D0} URL = 
SearchScopes: HKU\S-1-5-21-4165447682-2823117455-2930608830-1001 -> {504F4487-1AFF-4D56-B1D4-E708CADDA5F9} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-12-18] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2013-03-26] (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Web TuneUp\4.1.0.411\AVG Web TuneUp.dll [2015-07-03] (AVG)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2013-03-26] (Oracle Corporation)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.43.1
Tcpip\..\Interfaces\{37E50407-6B0D-41DF-9774-BCBE5D6CB6A5}: [DhcpNameServer] 192.168.43.1
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-02-20] ()
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.4.0\\npsitesafety.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 -> C:\windows\SysWOW64\npDeployJava1.dll [2013-03-26] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2013-03-26] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-08-06] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-08-06] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-02-15] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4165447682-2823117455-2930608830-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Austin\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll [2015-01-31] (Google Inc.)
FF Plugin HKU\S-1-5-21-4165447682-2823117455-2930608830-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Austin\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll [2015-01-31] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Jennifer\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Jennifer\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-06-28]
CHR Extension: (Google Wallet) - C:\Users\Jennifer\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-06-28]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 NTI BackupNowEZSvr; C:\Program Files (x86)\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [45312 2010-09-17] (NewTech Infosystems, Inc.)
R2 SBAMSvc; C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe [2804280 2011-05-11] (Sunbelt Software)
R2 SBPIMSvc; C:\Program Files (x86)\Sunbelt Software\VIPRE\SBPIMSvc.exe [181584 2011-05-11] (Sunbelt Software)
R2 vToolbarUpdater18.4.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe [1875480 2015-07-03] (AVG Secure Search)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [620056 2015-07-03] ()
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 hitmanpro37; C:\windows\system32\drivers\hitmanpro37.sys [32152 2013-03-28] ()
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-08-06] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [72280 2011-05-11] (Sunbelt Software)
R1 SbFw; C:\Windows\System32\drivers\SbFw.sys [253528 2011-04-05] (Sunbelt Software, Inc.)
S3 SBFWIMCL; C:\Windows\System32\DRIVERS\sbfwim.sys [84568 2011-02-08] (Sunbelt Software, Inc.)
R3 SBFWIMCLMP; C:\Windows\System32\DRIVERS\SBFWIM.sys [84568 2011-02-08] (Sunbelt Software, Inc.)
S3 SBHIPS; C:\Windows\System32\drivers\sbhips.sys [60504 2011-04-05] (Sunbelt Software, Inc.)
R1 SBRE; C:\windows\system32\drivers\SBREdrv.sys [55384 2011-04-29] (Sunbelt Software)
R1 SBRE; C:\windows\SysWOW64\drivers\SBREdrv.sys [101720 2011-04-29] (Sunbelt Software)
R1 SbTis; C:\Windows\System32\drivers\sbtis.sys [94296 2011-04-05] (Sunbelt Software, Inc.)
S0 jitb; System32\drivers\fbogeq.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-06 20:53 - 2015-08-06 20:53 - 00018656 _____ C:\Users\Jennifer\Desktop\FRST.txt
2015-08-06 20:52 - 2015-08-06 20:52 - 00000000 ____D C:\Users\Jennifer\Desktop\FRST-OlderVersion
2015-08-06 20:42 - 2015-08-06 20:42 - 00000000 ____D C:\Users\Jennifer\AppData\Local\GWX
2015-07-14 16:13 - 2015-08-06 20:53 - 00000000 ____D C:\FRST
2015-07-14 16:09 - 2015-08-06 20:52 - 02170368 _____ (Farbar) C:\Users\Jennifer\Desktop\FRST64.exe
2015-07-14 15:59 - 2015-07-14 15:59 - 00000000 ____D C:\Users\Austin\AppData\Local\AVG Web TuneUp
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-06 20:53 - 2012-08-27 13:47 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-06 20:53 - 2012-08-27 13:47 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-06 20:48 - 2012-08-27 13:47 - 00003894 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-08-06 20:48 - 2012-08-27 13:47 - 00003642 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-08-06 20:47 - 2009-07-13 23:45 - 00018736 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-06 20:47 - 2009-07-13 23:45 - 00018736 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-06 20:43 - 2011-06-28 17:09 - 01696106 _____ C:\windows\WindowsUpdate.log
2015-08-06 20:34 - 2015-06-28 19:07 - 00113880 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-06 20:31 - 2015-07-06 20:51 - 00000448 _____ C:\windows\setupact.log
2015-08-06 20:31 - 2009-07-14 00:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-07-14 16:30 - 2015-07-06 22:17 - 00360592 _____ C:\windows\PFRO.log
2015-07-14 16:30 - 2015-07-03 21:51 - 00000000 ____D C:\ProgramData\MFAData
2015-07-14 16:29 - 2015-07-03 22:08 - 00000000 ____D C:\Program Files\Common Files\AV
2015-07-14 16:29 - 2015-01-31 15:24 - 00000912 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4165447682-2823117455-2930608830-1001UA.job
2015-07-14 15:58 - 2012-05-23 09:26 - 00000000 ____D C:\Users\Austin\Tracing
2015-07-14 15:58 - 2009-07-14 00:09 - 00000000 ____D C:\windows\System32\Tasks\WPD
2015-07-14 15:57 - 2012-08-27 13:47 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
 
==================== Files in the root of some directories =======
 
2015-06-28 16:20 - 2015-06-28 16:20 - 0008686 _____ () C:\Users\Jennifer\AppData\Roaming\HELP_DECRYPT.HTML
2015-06-28 16:21 - 2015-06-28 16:21 - 0045528 _____ () C:\Users\Jennifer\AppData\Roaming\HELP_DECRYPT.PNG
2015-06-28 16:20 - 2015-06-28 16:20 - 0004286 _____ () C:\Users\Jennifer\AppData\Roaming\HELP_DECRYPT.TXT
2014-12-21 17:56 - 2014-12-21 17:56 - 0000005 _____ () C:\Users\Jennifer\AppData\Roaming\mbam.context.scan
2011-06-29 07:48 - 2013-12-24 14:08 - 0024064 _____ () C:\Users\Jennifer\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-06-28 15:54 - 2015-06-28 15:54 - 0008686 _____ () C:\Users\Jennifer\AppData\Local\HELP_DECRYPT.HTML
2015-06-28 15:55 - 2015-06-28 15:55 - 0045528 _____ () C:\Users\Jennifer\AppData\Local\HELP_DECRYPT.PNG
2015-06-28 15:54 - 2015-06-28 15:54 - 0004286 _____ () C:\Users\Jennifer\AppData\Local\HELP_DECRYPT.TXT
2015-06-06 22:28 - 2015-06-06 22:28 - 0008686 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-06-06 22:28 - 2015-06-06 22:28 - 0045696 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-06-06 22:28 - 2015-06-06 22:28 - 0001392 _____ () C:\ProgramData\HELP_DECRYPT.TXT.ymksehh
2015-06-28 15:01 - 2015-06-28 15:19 - 0445267 _____ () C:\ProgramData\shvhueh.html
 
Some files in TEMP:
====================
C:\Users\Austin\AppData\Local\Temp\gvahbi0g.dll
C:\Users\Austin\AppData\Local\Temp\nhydce85.dll
C:\Users\Jennifer\AppData\Local\Temp\HitmanPro.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-07-03 15:55
 
==================== End of log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:06-08-2015
Ran by Jennifer (2015-08-06 20:54:36)
Running from C:\Users\Jennifer\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4165447682-2823117455-2930608830-500 - Administrator - Disabled)
Austin (S-1-5-21-4165447682-2823117455-2930608830-1001 - Administrator - Enabled) => C:\Users\Austin
Guest (S-1-5-21-4165447682-2823117455-2930608830-501 - Limited - Disabled)
Jennifer (S-1-5-21-4165447682-2823117455-2930608830-1000 - Administrator - Enabled) => C:\Users\Jennifer

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Sunbelt VIPRE (Enabled - Out of date) {BE5DD172-7F42-7948-1A60-E6A720288F81}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Sunbelt VIPRE (Enabled - Out of date) {053C3096-5978-76C6-20D0-DDD55BAFC53C}
FW: Sunbelt VIPRE (Enabled) {86665057-352D-7810-313F-4F92DEFBC8FA}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ACDSee Pro 3 (HKLM-x32\...\{1B280FAF-AE10-4E31-A41A-DB3917D651DC}) (Version: 3.0.475 - ACD Systems International Inc.)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.190 - Adobe Systems Incorporated)
Adobe Reader X (10.1.6) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.6 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.)
Apple Application Support (HKLM-x32\...\{45C56AA7-ED1B-4800-A97F-EDDF3F3520B1}) (Version: 2.3.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2F72F540-1F60-4266-9506-952B21D6640D}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}) (Version: 2.1.3.127 - Apple Inc.)
Audacity 2.0.3 (HKLM-x32\...\Audacity_is1) (Version: 2.0.3 - Audacity Team)
AVG Web TuneUp (HKLM-x32\...\AVG Web TuneUp) (Version: 4.1.0.411 - AVG Technologies)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.07 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Dead Space™ 2 (HKLM-x32\...\{96D06FDD-6AF4-4309-BC1B-1C9588B0575E}) (Version: 1.0.942.0 - Electronic Arts)
Defraggler (HKLM\...\Defraggler) (Version: 2.12 - Piriform)
EA Download Manager (HKLM-x32\...\EADM) (Version: 7.1.3.3 - Electronic Arts, Inc.)
GIMP 2.6.11 (HKLM-x32\...\WinGimp-2.0_is1) (Version: 2.6.11 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 43.0.2357.130 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.28.1 - Google Inc.) Hidden
Hidden in Time - Mirror Mirror 1.00 (HKLM-x32\...\Hidden in Time - Mirror Mirror 1.00) (Version: - )
Hoyle Card Games (HKLM-x32\...\{8C5766F2-81D9-4B5A-8AD5-A8BD6361EF0A}) (Version: 1.0.0 - Encore)
IMinent Toolbar (HKLM-x32\...\{A76AA284-E52D-47E6-9E4F-B85DBF8E35C3}) (Version: 3.26.0 - IMinent) <==== ATTENTION
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1883 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version: - Intel Corporation)
iTunes (HKLM\...\{0225AD21-F3E2-4916-BFF3-65D3F9052582}) (Version: 11.0.2.26 - Apple Inc.)
Java 7 Update 17 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217017FF}) (Version: 7.0.170 - Oracle)
Junk Mail filter update (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Suite Activation Assistant (HKLM-x32\...\{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}) (Version: 2.9 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Music Manager (HKU\S-1-5-21-4165447682-2823117455-2930608830-1001\...\MusicManager) (Version: - Google, Inc.)
Mystery Legends - Sleepy Hollow 1.00 (HKLM-x32\...\Mystery Legends - Sleepy Hollow 1.00) (Version: - )
NTI Backup Now EZ (HKLM-x32\...\InstallShield_{B9ECA41B-55CC-4654-B6B5-6731D009EC69}) (Version: 2.0.2.8 - NewTech Infosystems)
NTI Backup Now EZ (x32 Version: 2.0.2.8 - NewTech Infosystems) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
QuickTime (HKLM-x32\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0008 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5904 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30101 - Realtek Semiconductor Corp.)
Realtek WLAN Driver (HKLM-x32\...\{0FB630AB-7BD8-40AE-B223-60397D57C3C9}) (Version: 2.00.0006 - Realtek)
Roxio Burn (HKLM-x32\...\{B2E47DE7-800B-40BB-BD1F-9F221C3AEE87}) (Version: 1.2 - Roxio)
Roxio Express Labeler 3 (HKLM-x32\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 3.2.1 - Roxio)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 13.2.6.1 - Synaptics Incorporated)
TeamViewer 8 (HKLM-x32\...\TeamViewer 8) (Version: 8.0.17396 - TeamViewer)
The Serpent of Isis 1.00 (HKLM-x32\...\The Serpent of Isis 1.00) (Version: - )
TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.0 - TOSHIBA)
TOSHIBA Assist (HKLM-x32\...\{1B87C40B-A60B-4EF3-9A68-706CF4B69978}) (Version: 3.00.10 - TOSHIBA)
TOSHIBA ConfigFree (HKLM-x32\...\{F3529665-D75E-4D6D-98F0-745C78C68E9B}) (Version: 8.0.21 - TOSHIBA Corporation)
TOSHIBA Disc Creator (HKLM\...\{5DA0E02F-970B-424B-BF41-513A5018E4C0}) (Version: 2.1.0.1 for x64 - TOSHIBA Corporation)
TOSHIBA DVD PLAYER (HKLM-x32\...\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}) (Version: 3.01.0.07-A - TOSHIBA Corporation)
TOSHIBA Extended Tiles for Windows Mobility Center (HKLM-x32\...\InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}) (Version: - )
TOSHIBA Face Recognition (HKLM-x32\...\InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}) (Version: 3.1.0.64 - TOSHIBA Corporation)
TOSHIBA Hardware Setup (HKLM-x32\...\{D0387727-C89D-4774-B643-B9333EAA09DE}) (Version: 2.00.11 - TOSHIBA Corporation)
TOSHIBA HDD/SSD Alert (HKLM-x32\...\InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}) (Version: 3.1.64.0 - TOSHIBA Corporation)
TOSHIBA Media Controller (HKLM-x32\...\{983CD6FE-8320-4B80-A8F6-0D0366E0AA22}) (Version: 1.0.65 - TOSHIBA CORPORATION)
TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.4.1.64 - TOSHIBA Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.1 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.1.0.4 for x64 - TOSHIBA Corporation)
TOSHIBA ReelTime (HKLM-x32\...\InstallShield_{5BCC94A1-DEF1-4AB4-8046-BC13048E929A}) (Version: 1.5.07.64 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM-x32\...\{AC6569FA-6919-442A-8552-073BE69E247A}) (Version: 2.1.33 - TOSHIBA)
TOSHIBA Speech System Applications (HKLM-x32\...\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}) (Version: 1.00.2518 - )
TOSHIBA Speech System SR Engine(U.S.) Version1.0 (HKLM-x32\...\{008D69EB-70FF-46AB-9C75-924620DF191A}) (Version: - )
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 (HKLM-x32\...\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}) (Version: - )
TOSHIBA Supervisor Password (HKLM-x32\...\{A208044D-A88B-4ACF-AE95-E4F213E6EDC0}) (Version: 2.00.09 - TOSHIBA Corporation)
TOSHIBA Value Added Package (HKLM-x32\...\InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}) (Version: 1.2.25.64 - TOSHIBA Corporation)
TOSHIBA Web Camera Application (HKLM-x32\...\{5E6F6CF3-BACC-4144-868C-E14622C658F3}) (Version: 1.1.1.4 - TOSHIBA Corporation)
VIPRE Antivirus Premium (HKLM-x32\...\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}) (Version: 4.0.4194 - Sunbelt Software)
VIPRE Antivirus Premium (x32 Version: 4.0.4194 - Sunbelt Software) Hidden
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 0.9.8a (HKLM-x32\...\VLC media player) (Version: 0.9.8a - VideoLAN Team)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
WinRAR 4.01 beta 1 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.01.1 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

30-06-2015 22:58:07 AA11
30-06-2015 23:34:37 avast! antivirus system restore point
03-07-2015 22:02:02 Installed AVG 2015
03-07-2015 22:05:24 Installed AVG 2015
06-07-2015 23:00:46 AA11
06-07-2015 23:08:36 avast! antivirus system restore point
14-07-2015 16:21:06 Removed AVG 2015
14-07-2015 16:27:38 Removed AVG 2015

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2015-07-06 22:10 - 00000021 ____R C:\windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0779F797-9CAC-4F0F-B066-D2AF277E5C3B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
Task: {1F7B99E8-F1B1-4220-8F39-D5CCD26951E8} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-06-01] (Piriform Ltd)
Task: {3AD8FBF0-4E8C-4F69-BD48-8285E2A25BD4} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4165447682-2823117455-2930608830-1001Core => C:\Users\Austin\AppData\Local\Google\Update\GoogleUpdate.exe [2015-01-31] (Google Inc.)
Task: {4D06FE7F-54FE-45D8-8A8B-7100FE1B3347} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-06-30] (Adobe Systems Incorporated)
Task: {65B9F3EC-14A1-4D0C-B511-DAD04D23321D} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4165447682-2823117455-2930608830-1001UA => C:\Users\Austin\AppData\Local\Google\Update\GoogleUpdate.exe [2015-01-31] (Google Inc.)
Task: {91F3CC1D-39D1-4A96-8C27-D8FE5CE3CD77} - System32\Tasks\task1196012 => C:\Users\Jennifer\AppData\Local\Temp\0.436562022326452.exe <==== ATTENTION
Task: {9C4CFD0F-6DE2-422E-827A-FF92053D606D} - System32\Tasks\ConfigFree Startup Programs => C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [2009-07-13] (TOSHIBA CORPORATION)
Task: {AF89FCAC-610B-4455-AB18-7D3356C85B46} - System32\Tasks\nuizbtd => C:\Users\Jennifer\AppData\Local\Temp\hcahdkl.exe <==== ATTENTION
Task: {E796B0B5-CDBB-456D-BF5D-E36F60F189BA} - System32\Tasks\Defraggler Volume C Task => C:\Program Files\Defraggler\df64.exe [2012-12-08] (Piriform Ltd)
Task: {F7611C96-F840-41EA-86D2-3BC3CCB950CC} - \EPUpdater No Task File <==== ATTENTION
Task: {F9000D95-27B1-4A56-BBD5-C4662CA5595D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\Defraggler Volume C Task.job => 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
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4165447682-2823117455-2930608830-1001Core.job => C:\Users\Austin\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4165447682-2823117455-2930608830-1001UA.job => C:\Users\Austin\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-07-03 22:18 - 2015-07-03 22:18 - 00620056 ____N () C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
2015-07-03 22:18 - 2015-07-03 22:18 - 00159768 _____ () C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe
2009-07-16 17:27 - 2009-07-16 17:27 - 07244600 _____ () C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
2009-07-16 17:27 - 2009-07-16 17:27 - 00051512 _____ () C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnZ.dll
2009-11-12 21:23 - 2009-06-22 18:40 - 00022328 _____ () C:\Program Files\TOSHIBA\Toshiba Assist\NotifyX.dll
2009-03-12 21:08 - 2009-03-12 21:08 - 00048640 _____ () C:\Program Files (x86)\Toshiba\PCDiag\NotifyPCD.dll
2009-07-25 20:38 - 2009-07-25 20:38 - 00017800 _____ () C:\Program Files\TOSHIBA\TOSHIBA Disc Creator\NotifyTDC.dll
2015-07-03 22:18 - 2015-07-03 22:18 - 03033112 _____ () C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
2009-08-03 21:18 - 2009-08-03 21:18 - 00081752 _____ () C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosIPCWraper.dll
2011-11-02 00:26 - 2011-11-02 00:26 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2011-11-02 00:26 - 2011-11-02 00:26 - 01242472 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2008-09-29 18:37 - 2008-09-29 18:37 - 00460199 _____ () C:\Program Files (x86)\NewTech Infosystems\Backup Now EZ\sqlite3.dll
2011-01-19 11:20 - 2011-01-19 11:20 - 00308560 _____ () C:\Program Files (x86)\Sunbelt Software\VIPRE\Vipre.dll
2013-03-26 22:25 - 2012-09-25 16:07 - 00190344 _____ () C:\Program Files (x86)\Sunbelt Software\VIPRE\Definitions\libBase64.dll
2013-03-26 22:25 - 2012-09-25 16:07 - 00165768 _____ () C:\Program Files (x86)\Sunbelt Software\VIPRE\Definitions\libMachoUniv.dll
2005-12-22 17:28 - 2005-12-22 17:28 - 00160768 _____ () C:\Program Files (x86)\Sunbelt Software\VIPRE\unrar.dll
2015-07-03 22:18 - 2015-07-03 22:18 - 00519704 _____ () C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\log4cplusU.dll
2015-07-03 22:18 - 2015-07-03 22:18 - 40630296 _____ () C:\Program Files (x86)\AVG Web TuneUp\libcef.dll
2015-06-30 20:26 - 2015-06-20 00:46 - 01281864 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.130\libglesv2.dll
2015-06-30 20:26 - 2015-06-20 00:46 - 00080712 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.130\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C6EBC69

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBPIMSvc => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4165447682-2823117455-2930608830-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Jennifer\Documents\!Decrypt-All-Files-ymksehh.bmp
HKU\S-1-5-21-4165447682-2823117455-2930608830-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Austin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.43.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: AdAwareTray => "C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.7.485.8398\AdAwareTray.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BackupNowEZtray => "C:\Program Files (x86)\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" -k
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: Desktop Disc Tool => "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: SBAMTray => "C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe"
MSCONFIG\startupreg: SDTray => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{BE5693A9-0B75-4D76-99F7-A9DCC9D696FA}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\wlcsdk.exe
FirewallRules: [{B6F2F9F2-4D4C-44EE-8514-30E380CEF075}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{259B014B-8CA9-405F-9340-537B1220F1D7}] => (Allow) svchost.exe
FirewallRules: [{190BD108-7ED2-4361-9E24-8B082B179026}] => (Allow) C:\Program Files (x86)\Windows Live\Sync\WindowsLiveSync.exe
FirewallRules: [{A7C93B5A-22B8-4880-8A92-2FF03EAD3069}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{9AF511FB-CBEE-4700-8964-86FEF2480D1C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{CEB87A72-F17C-473D-83E5-5CED8193E7AA}C:\program files (x86)\ea games\dead space 2\deadspace2.exe] => (Block) C:\program files (x86)\ea games\dead space 2\deadspace2.exe
FirewallRules: [UDP Query User{0A81AB77-0FBB-4F6C-B7D6-CBC36259BE96}C:\program files (x86)\ea games\dead space 2\deadspace2.exe] => (Block) C:\program files (x86)\ea games\dead space 2\deadspace2.exe
FirewallRules: [{E2BAB642-D4BF-4747-A2C6-A19855990898}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [{AA9D84B6-6F36-4A8C-A84D-AFA287F03954}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7D420905-3132-498D-9655-2C78E475FB43}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{850FA321-1784-42ED-8CB8-F1EBA22E68F4}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2CAFA3BA-9DBA-442A-9566-537CD92BC26F}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{ACABF650-1EE7-4167-AAB5-42B69CFD2475}C:\program files (x86)\1clickdownload\1clickdownloader.exe] => (Block) C:\program files (x86)\1clickdownload\1clickdownloader.exe
FirewallRules: [UDP Query User{649B8693-F8BC-44A0-B805-701D4025824A}C:\program files (x86)\1clickdownload\1clickdownloader.exe] => (Block) C:\program files (x86)\1clickdownload\1clickdownloader.exe
FirewallRules: [{77D90DEE-287E-430F-ABAB-6BBD37890D97}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [{EA967179-7C14-4428-9668-671D77A52C8A}] => (Allow) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
FirewallRules: [{C3342BCC-7146-4E5A-A6B9-F379D708C013}] => (Allow) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
FirewallRules: [{9A84606F-7221-498E-8F21-71332EC2D970}] => (Allow) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
FirewallRules: [{9F1FA0AD-26A7-496E-B4F5-B46738CE0749}] => (Allow) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
FirewallRules: [{5FB1EB44-3499-4F2A-91B7-2E3DF524B94F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{68F57222-C143-4005-8542-71D26F06E46D}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
FirewallRules: [{8E77AC3E-5014-4EC8-9B25-6EF03225EFF6}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
FirewallRules: [{6B1F618B-F0C7-4740-820C-A25CDDC76A7E}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{2997BBD8-84D8-43FB-9C1B-85F9A74DAF7E}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{2FA5CF73-AD60-454F-ACC5-4B585D7DFC8D}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{0E9BEF19-AAB6-48B3-AA3D-5CA543421762}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{F727D5EC-1A95-446B-BDC1-9E7D52626DCC}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{8FADD83E-A1FC-4CBB-B61B-E8CEB1600E53}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/14/2015 04:27:44 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary AVGIDSDriver.

System Error:
The system cannot find the file specified.
.

Error: (07/03/2015 02:59:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamscheduler.exe, version: 3.1.3.0, time stamp: 0x55252bff
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x724
Faulting application start time: 0xmbamscheduler.exe0
Faulting application path: mbamscheduler.exe1
Faulting module path: mbamscheduler.exe2
Report Id: mbamscheduler.exe3

Error: (06/30/2015 09:52:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program SDScan.exe version 2.4.40.181 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: a9c

Start Time: 01d0b3a1e0624a41

Termination Time: 47

Application Path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe

Report Id: 139955f9-1f9c-11e5-a213-00266c3ee316

Error: (06/30/2015 09:21:01 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: NT AUTHORITY)
Description: Application or service 'Spybot-S&D 2 Scanner Service' could not be shut down.

Error: (06/28/2015 09:14:11 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (06/28/2015 05:25:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ACDSeePro3.exe, version: 3.0.475.0, time stamp: 0x4bd89433
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0150010
Fault offset: 0x0008482b
Faulting process id: 0xe68
Faulting application start time: 0xACDSeePro3.exe0
Faulting application path: ACDSeePro3.exe1
Faulting module path: ACDSeePro3.exe2
Report Id: ACDSeePro3.exe3

Error: (06/28/2015 05:25:01 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (06/28/2015 05:24:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ACDSeePro3.exe, version: 3.0.475.0, time stamp: 0x4bd89433
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc015000f
Fault offset: 0x00084671
Faulting process id: 0xe68
Faulting application start time: 0xACDSeePro3.exe0
Faulting application path: ACDSeePro3.exe1
Faulting module path: ACDSeePro3.exe2
Report Id: ACDSeePro3.exe3

Error: (06/28/2015 04:48:16 PM) (Source: Windows Search Service) (EventID: 3100) (User: )
Description: Unable to initialize the filter host process. Terminating.


Details:
This operation returned because the timeout period expired. (HRESULT : 0x800705b4) (0x800705b4)

Error: (06/28/2015 04:39:39 PM) (Source: Windows Search Service) (EventID: 3100) (User: )
Description: Unable to initialize the filter host process. Terminating.


Details:
This operation returned because the timeout period expired. (HRESULT : 0x800705b4) (0x800705b4)


System errors:
=============
Error: (08/06/2015 08:31:51 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
jitb

Error: (07/14/2015 04:32:05 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
jitb

Error: (07/14/2015 04:16:54 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Error: (07/14/2015 03:57:51 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
jitb

Error: (07/09/2015 12:42:39 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
jitb

Error: (07/09/2015 09:15:09 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
jitb

Error: (07/06/2015 10:21:27 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
jitb

Error: (07/06/2015 10:19:32 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vToolbarUpdater18.4.0 service failed to start due to the following error:
%%1053

Error: (07/06/2015 10:19:32 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the vToolbarUpdater18.4.0 service to connect.

Error: (07/06/2015 09:27:53 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
jitb


Microsoft Office:
=========================
Error: (07/14/2015 04:27:44 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary AVGIDSDriver.

System Error:
The system cannot find the file specified.

Error: (07/03/2015 02:59:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: mbamscheduler.exe3.1.3.055252bffunknown0.0.0.000000000c00000050000000072401d0b5ca6727b36fC:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exeunknownfb7706cf-21bd-11e5-9fad-00266c3ee316

Error: (06/30/2015 09:52:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: SDScan.exe2.4.40.181a9c01d0b3a1e0624a4147C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe139955f9-1f9c-11e5-a213-00266c3ee316

Error: (06/30/2015 09:21:01 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: NT AUTHORITY)
Description: 0C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exeSpybot-S&D 2 Scanner Service0302621614960143003A005C00500072006F006700720061006D002000460069006C00650073002000280078003800360029005C0053007000790062006F00740020002D002000530065006100720063006800200026002000440065007300740072006F007900200032005C00610076005C006200640063006F00720065002E0064006C006C000000

Error: (06/28/2015 09:14:11 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMaker.ExeC:\Program Files (x86)\Windows Live\Photo Gallery\WLMFDS.DLL8

Error: (06/28/2015 05:25:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: ACDSeePro3.exe3.0.475.04bd89433ntdll.dll6.1.7601.18247521ea8e7c01500100008482be6801d0b1da11d2c15aC:\Program Files (x86)\ACD Systems\ACDSee Pro\3.0\ACDSeePro3.exeC:\windows\SysWOW64\ntdll.dll89efdc54-1de4-11e5-8ca9-00266c3ee316

Error: (06/28/2015 05:25:01 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMaker.ExeC:\Program Files (x86)\Windows Live\Photo Gallery\WLMFDS.DLL8

Error: (06/28/2015 05:24:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: ACDSeePro3.exe3.0.475.04bd89433ntdll.dll6.1.7601.18247521ea8e7c015000f00084671e6801d0b1da11d2c15aC:\Program Files (x86)\ACD Systems\ACDSee Pro\3.0\ACDSeePro3.exeC:\windows\SysWOW64\ntdll.dll7163a070-1de4-11e5-8ca9-00266c3ee316

Error: (06/28/2015 04:48:16 PM) (Source: Windows Search Service) (EventID: 3100) (User: )
Description:
Details:
This operation returned because the timeout period expired. (HRESULT : 0x800705b4) (0x800705b4)

Error: (06/28/2015 04:39:39 PM) (Source: Windows Search Service) (EventID: 3100) (User: )
Description:
Details:
This operation returned because the timeout period expired. (HRESULT : 0x800705b4) (0x800705b4)


==================== Memory info ===========================

Processor: Pentium® Dual-Core CPU T4400 @ 2.20GHz
Percentage of memory in use: 75%
Total physical RAM: 2939.99 MB
Available physical RAM: 731.7 MB
Total Virtual: 5878.18 MB
Available Virtual: 2597.79 MB

==================== Drives ================================

Drive c: (TI105487W0B) (Fixed) (Total:287.55 GB) (Free:159.11 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: 6B28C5F9)
Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Not Active) - (Size=287.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=9.1 GB) - (Type=17)

==================== End of log ============================


Edited by Oh My!, 10 August 2015 - 10:07 AM.




#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,596 posts
  • Gender:Male
  • Location:California
  • Local time:12:31 PM

Posted 10 August 2015 - 10:21 AM

Greetings JWWP and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the "Reply to Topic" button instead.
  • In the upper right hand corner of the topic you will see the "Follow topic" button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started!
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. We are going to tackle a lot in these first steps. Please consider and do this.

===================================================

BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Please let me know if you have already noticed evidence of financial institution irregularities. Those accounts should be monitored from this point forward.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 

Here are some thoughts I have put together for people who ask what they should do in light of the infection. Ultimately each user must decide for themselves what to do and the below are things you might want to consider.

It is necessary for us to at least make you aware of the worst-case scenario. This is because of the potential Backdoor Trojans bring with them, but it is not a determination on our part that your situation currently falls within this worst-case scenario.

Ultimately it is a personal decision whether to reformat or not. What decision should you make to let you sleep well at night? It is different for different people. I will say whether rightly or wrongly most people decide to clean and not reformat, at least initially.

The only insight I can offer is how I evaluate the issue personally even though I have never had a Backdoor Trojan on my computer. One of the primary purposes for malicious software is to somehow separate you from your money. It seems reasonable to assume that a thief trying to take your money via a Backdoor Trojan will hit you hard, and quickly. Once your computer starts to act up and you become suspicious you have the opportunity to eliminate access to your computer and change the information taken, namely account and password information. The key to this, in my opinion, is whether or not you have noticed any irregularities in your banking or other financial institutions, or things like email and social network accounts (i.e. Facebook). If you have not seen any evidence of that then you may question whether your information has truly been stolen. If it seems it hasn't, and your critical information has been changed, it is reasonable to be more confident you are safe but you must stop short of claiming an absolute guarantee.

If, after careful consideration you decide not to reformat your computer it would be wise to continue monitoring your sensitive data and don't wait to address future symptoms on your computer which seem to be malware related.

The bottom line, the only way to be absolutely sure to be rid of a Backdoor Trojan is to reformat. The decision is yours.

Oh My!


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed you will see Pending. Please check elements you don't want to remove above the progress bar
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can also find the logfile at C:\AdwCleaner\AdwCleaner.txt
===================================================

Junkware Removal Tool

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKU\S-1-5-21-4165447682-2823117455-2930608830-1000\...\Run: [] => C:\Users\Jennifer\AppData\Local\Temp\hcahdkl.exe
C:\Users\Jennifer\AppData\Local\Temp\hcahdkl.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
S0 jitb; System32\drivers\fbogeq.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
2015-06-28 16:20 - 2015-06-28 16:20 - 0008686 _____ () C:\Users\Jennifer\AppData\Roaming\HELP_DECRYPT.HTML
2015-06-28 16:21 - 2015-06-28 16:21 - 0045528 _____ () C:\Users\Jennifer\AppData\Roaming\HELP_DECRYPT.PNG
2015-06-28 16:20 - 2015-06-28 16:20 - 0004286 _____ () C:\Users\Jennifer\AppData\Roaming\HELP_DECRYPT.TXT
2011-06-29 07:48 - 2013-12-24 14:08 - 0024064 _____ () C:\Users\Jennifer\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-06-28 15:54 - 2015-06-28 15:54 - 0008686 _____ () C:\Users\Jennifer\AppData\Local\HELP_DECRYPT.HTML
2015-06-28 15:55 - 2015-06-28 15:55 - 0045528 _____ () C:\Users\Jennifer\AppData\Local\HELP_DECRYPT.PNG
2015-06-28 15:54 - 2015-06-28 15:54 - 0004286 _____ () C:\Users\Jennifer\AppData\Local\HELP_DECRYPT.TXT
2015-06-06 22:28 - 2015-06-06 22:28 - 0008686 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-06-06 22:28 - 2015-06-06 22:28 - 0045696 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-06-06 22:28 - 2015-06-06 22:28 - 0001392 _____ () C:\ProgramData\HELP_DECRYPT.TXT.ymksehh
2015-06-28 15:01 - 2015-06-28 15:19 - 0445267 _____ () C:\ProgramData\shvhueh.html
C:\Users\Austin\AppData\Local\Temp\gvahbi0g.dll
C:\Users\Austin\AppData\Local\Temp\nhydce85.dll
C:\Users\Jennifer\AppData\Local\Temp\HitmanPro.exe
Task: {91F3CC1D-39D1-4A96-8C27-D8FE5CE3CD77} - System32\Tasks\task1196012 => C:\Users\Jennifer\AppData\Local\Temp\0.436562022326452.exe
C:\Users\Jennifer\AppData\Local\Temp\0.436562022326452.exe
Task: {AF89FCAC-610B-4455-AB18-7D3356C85B46} - System32\Tasks\nuizbtd => C:\Users\Jennifer\AppData\Local\Temp\hcahdkl.exe
C:\Users\Jennifer\AppData\Local\Temp\hcahdkl.exe
Task: {F7611C96-F840-41EA-86D2-3BC3CCB950CC} - \EPUpdater No Task File
AlternateDataStreams: C:\ProgramData\TEMP:5C6EBC69
C:\Users\Jennifer\Documents\!Decrypt-All-Files-ymksehh.bmp
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Type the following in the Search Field
*decrypt*
  • Click Search File(s) button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document in your reply
===================================================

Run TDSSKiller by Kaspersky

--------------------
  • Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
  • Right-click on TDSSKiller.exe and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply even if no threats are found.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".
===================================================

Farbar's MiniRegTool

--------------------
  • Please download MiniRegTool.zip (for 32 bit systems) or MiniRegTool64.zip (for 64 bit systems) and save it to your desktop
  • Unzip the folder and double click the icon
  • Copy and paste the following into the white box:

*decrypt*

  • Check the Search radio button.
  • Press the Go button and post the result.
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • AdwCleaner log
  • Junkware log
  • Fixlog
  • Search.txt
  • TDSSKiller report
  • MiniRegTool report
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
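As an added defender-side example (not part of the original post and not code from FRST), the script below parses the line shapes used in the fixlist above (Run keys, scheduled tasks, missing-driver services, timestamped file entries, alternate data streams, bare paths) and flags the indicators the fix is removing: CryptoWall HELP_DECRYPT ransom notes, the !Decrypt-All-Files bitmap, and autostart entries that launch executables from the user's Temp folder. The sample lines are copied from the fixlist; the regexes, reason strings and function names are my own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the FRST fixlist quoted in the post above (not constructed).
SAMPLE_FIXLIST = r"""
HKU\S-1-5-21-4165447682-2823117455-2930608830-1000\...\Run: [] => C:\Users\Jennifer\AppData\Local\Temp\hcahdkl.exe
S0 jitb; System32\drivers\fbogeq.sys [X]
2015-06-28 16:20 - 2015-06-28 16:20 - 0008686 _____ () C:\Users\Jennifer\AppData\Roaming\HELP_DECRYPT.HTML
2015-06-06 22:28 - 2015-06-06 22:28 - 0001392 _____ () C:\ProgramData\HELP_DECRYPT.TXT.ymksehh
Task: {91F3CC1D-39D1-4A96-8C27-D8FE5CE3CD77} - System32\Tasks\task1196012 => C:\Users\Jennifer\AppData\Local\Temp\0.436562022326452.exe
Task: {F7611C96-F840-41EA-86D2-3BC3CCB950CC} - \EPUpdater No Task File
AlternateDataStreams: C:\ProgramData\TEMP:5C6EBC69
C:\Users\Jennifer\Documents\!Decrypt-All-Files-ymksehh.bmp
C:\Users\Jennifer\AppData\Local\Temp\HitmanPro.exe
"""

# One regex per FRST line shape that appears in the fixlist (my own patterns).
RUN_RE = re.compile(r"^(HK\S+)\\Run: \[(.*?)\] => (.+)$")
TASK_RE = re.compile(r"^Task: (\{[0-9A-Fa-f-]+\}) - (\S+)(?: => (.+)| No Task File)$")
SVC_RE = re.compile(r"^([SR]\d) (\S+); (\S+) \[X\]$")
FILE_RE = re.compile(r"^(\S+ \S+) - (\S+ \S+) - (\d+) \S+ \(\S*\) (.+)$")
ADS_RE = re.compile(r"^AlternateDataStreams: (.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Indicators: CryptoWall ransom-note names (HELP_DECRYPT.*, with or without the
# appended suffix seen above, and !Decrypt-All-Files-<suffix>.bmp) and .exe under %TEMP%.
RANSOM_NOTE_RE = re.compile(
    r"(^|\\)(HELP_DECRYPT\.(HTML|PNG|TXT|URL)(\.[a-z]+)?|!Decrypt-All-Files-[a-z]+\.bmp)$", re.I)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)


@dataclass
class Finding:
    kind: str                 # run | task | service | file | ads | path | unknown
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Finding]:
    """Turn one FRST line into a Finding; blank lines give None."""
    line = line.strip()
    if not line:
        return None
    if m := RUN_RE.match(line):
        return Finding("run", m.group(3))
    if m := TASK_RE.match(line):
        f = Finding("task", m.group(3) or m.group(2))
        if m.group(3) is None:
            f.reasons.append("scheduled task registered with no task file")
        return f
    if m := SVC_RE.match(line):
        return Finding("service", m.group(3), reasons=["service/driver whose file is missing ([X])"])
    if m := FILE_RE.match(line):
        return Finding("file", m.group(4))
    if m := ADS_RE.match(line):
        return Finding("ads", m.group(1), reasons=["alternate data stream on a data directory"])
    if PATH_RE.match(line):
        return Finding("path", line)
    return Finding("unknown", line)


def assess(f: Finding) -> Finding:
    """Attach indicator-based reasons to a parsed Finding."""
    if RANSOM_NOTE_RE.search(f.path):
        f.reasons.append("ransom-note file name")
    if TEMP_EXE_RE.search(f.path):
        f.reasons.append("executable under the user's Temp folder")
        if f.kind in ("run", "task"):
            f.reasons.append("autostart entry launches a Temp executable")
    return f


def triage(text: str) -> List[Finding]:
    """Parse every line and keep only the findings that carry at least one reason."""
    findings = [assess(f) for f in map(parse_line, text.splitlines()) if f]
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_FIXLIST):
        print(f"{f.kind:8} {f.path}\n         -> {'; '.join(f.reasons)}")
```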

#3 JWWP (Topic Starter)

Posted 10 August 2015 - 09:08 PM

Gary,

 

My name is Jessica and I want to say thank you so much for your time and help! After reading the information you posted about backdoor trojans, I think it would be best to reformat. My sister did reassure me that she doesn't use the computer for anything financial (nor has she ever entered credit/debit card information) but has merely used it for pictures, videos, and social media. Since she lost all her personal files to the CryptoWall 3.0 virus anyway, she's perfectly fine with doing a reformat on it. She actually asked me to do that before I posted but I've never done a reformat. She doesn't have any cds for a reinstall but I believe her computer has the hidden partition with the recovery option (maybe - or that's what it looked like to me). Do I wait on a reply from you to help with the reformat or do I follow the "When Should I Format, How Should I Reinstall" link? 

 

Thank you!

 

Jessica



#4 Oh My! (Malware Response Instructor)

Posted 10 August 2015 - 09:18 PM

Hi Jessica,

I think that is a wise choice.

I would be happy to assist you with the reformat/reinstall.

Can you tell me the manufacturer and model of the computer?
Gary

#5 JWWP (Topic Starter)

Posted 10 August 2015 - 10:18 PM

Toshiba Satellite L505

 

I will check back in tomorrow as soon as I get home from work.

 

Thank you!



#6 Oh My! (Malware Response Instructor)

Posted 10 August 2015 - 10:34 PM

You are welcome.

Please start on Page #61 here. If you have not created the Factory Restore disks you may want to do that as well.

 

Let me know if you have any questions. I can keep this Topic open until you are all set.


Gary

#7 JWWP (Topic Starter)

Posted 12 August 2015 - 10:36 AM

On page 61 it lists different recovery options. I'm guessing that I need to go with the "Restore from recovery DVDs/media" which has steps to follow on page 71... On step 8, which option do I go with to make sure I keep the partition that contains the Recovery Media Creator just in case it's needed in the future? Also, if the viruses did corrupt, delete, etc. system files will doing this reformat actually restore the computer so that it fixes any issues the viruses may have caused? I'm assuming it does but just want to know for sure. The recovery disks will reload Windows back onto the laptop, right? I've never done a reformat so those are just a few questions I had about it... Thanks!



#8 Oh My! (Malware Response Instructor)

Posted 12 August 2015 - 11:26 AM

Greetings,

I am glad you are asking if you are not sure. I am sure the tasks seem overwhelming but they are not as bad as they appear.

We really want to do 2 things. One is to create the Recovery Disks so you have a "hard copy", so to speak. Those disks will be the exact same thing as the Recovery Partition on your hard drive. So you will end up with 2 versions of the same thing.

First, go to page 69 and following to follow the instructions to create the Recovery Disks if you have not done that already. Let me know if you are able to do that successfully and then we will continue.
Gary

#9 JWWP (Topic Starter)

Posted 12 August 2015 - 09:07 PM

I now have a 5 disk set created from the recovery partition.

#10 Oh My! (Malware Response Instructor)

Posted 12 August 2015 - 09:10 PM

Very good. You will need to reinstall any program that did not come from the factory. So if you have any of those programs you will either need the downloaded installation file or an installation CD.

Are there any data files you want to save? Not sure if everything was encrypted.
Gary

#11 JWWP (Topic Starter)

Posted 13 August 2015 - 08:09 PM

My sister doesn't want anything saved. The virus encrypted almost every file she had... and she had very few programs installed so that's not a big deal either.

I apologize for the delayed responses. This is one of the busiest weeks of the year at my workplace. I plan on actually doing the reformat tomorrow night or sometime this weekend. If the topic can remain open for that time frame until I see how the reformat goes then that would be great! I really appreciate all the help!

#12 Oh My! (Malware Response Instructor)

Posted 13 August 2015 - 08:22 PM

No apologies necessary and don't stress over reformatting or replying. If I don't hear from you by Monday I may check to see if you are OK.

Put the first disk in your drive and boot from the CD. That should start the process and then you merely respond to the prompts that come up.


Gary

#13 JWWP (Topic Starter)

Posted 15 August 2015 - 04:00 PM

Okay, I have used the recovery disks to reformat the laptop and it has reloaded Windows. It seems to be running just fine! I do have a few questions...

1. It never did prompt me to use the last two disks which I think are called application disks. I did put the fourth disk in when it was configuring the system but I don't know if it actually ran since it didn't prompt me to put it in. Also, I didn't put the last (fifth) disk in at all since it is reloaded. Any thoughts on that?

2. What anti-virus/malware/spyware program(s) would you recommend installing? I would prefer free or reasonably priced if possible.

3. My sister was using an external drive to save some of her and her son's files. If I make sure to install the recommended anti-virus or other software then would it be safe enough to plug it in then immediately run a scan on it to make sure it's clean of viruses?

#14 Oh My! (Malware Response Instructor)

Posted 15 August 2015 - 05:04 PM

It sounds like the operating system disks are separate from the application files. If you put the 4th and 5th disks in the CD drive then use Windows Explorer to navigate to the drive you may be able to tell exactly what is on those disks.

I am going to provide you with instructions for scanning the external drive and also some information regarding an antivirus program (personally I use Avast Free) and other things to consider to keep the computer clean.

I think you will be all set and I anticipate closing the Topic tomorrow but if you need further help just send me a Personal Message.

===================================================

Malwarebytes Anti-Malware Free and Malwarebytes Chameleon Including External Drive

----------
  • Download Malwarebytes Anti-Malware Free and save it to your desktop
  • Double click the desktop icon, click Run, then OK
  • Click Next
  • Select I accept the agreement then continue to click Next then finally click Install
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
  • If you are notified the Database is out of date click Update Now
  • Attach any external drives you want to scan if not already attached
  • Click the Scan button near the top
  • Select Custom Scan then click Scan Now >>
  • Place a check mark in any additional drives you would like to scan
  • Click Start Scan
----------
Note:
  • If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
  • Using Windows Explorer navigate to C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows
  • Double click one of the four following files (if one does not work try the next one, and so on) - Follow those instructions until the Malwarebytes program starts the scan

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com

----------
  • When completed click the down arrow on Export Log and select Text file (*.txt)
  • Save the file to your desktop as MBAM
  • Click Apply Actions then restart your computer if requested
===================================================

ESET Online Scanner Including External Device

--------------------

I'd like us to scan your machine with ESET OnlineScan, including the external device. This process may take several hours; that is normal.
  • Attach your external device
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click Run ESET Online Scanner.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Click Enable detection of potentially unwanted applications
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Remove found threats
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
    • In the Current scan targets line click Change...
    • Place an additional check mark next to any attached external drives
    • Click OK, then Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Save the file just for reference. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.
===================================================

Keeping Your Computer Safe

----------

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read it.

In addition, here are some more links you might find of interest.

I will leave this topic open for just a brief period of time in case you have any further issues then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary

#15 Oh My! (Malware Response Instructor)

Posted 16 August 2015 - 09:02 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary