Cryptolocker help!

This topic is locked
10 replies to this topic

#1 pancakedancer
Posted 16 December 2015 - 01:08 AM

The computer was infected with Cryptolocker. I've run AVG, which found 1 trojan on the first scan and 2 the second time around, Malwarebytes (didn't turn up anything), Hitman Pro 3 (didn't turn up anything), Zemana (1 thing that was found during a scan using the FRST), JRT and AdwCleaner.

I checked the HKEYs and there's Crypt PKO and Crypt Sig there.

How do I remove Cryptolocker?

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:14-12-2015
Ran by Francis (administrator) on FSSYAPP (16-12-2015 13:56:17)
Running from C:\Users\Francis\Downloads
Loaded Profiles: Francis (Available Profiles: Francis)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\systemcore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\systemcore\mfefire.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.3\ToolbarUpdater.exe
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.3\loggingserver.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.6.1180.0\McCSPServiceHost.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McUICnt.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7642328 2014-10-07] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2818800 2014-06-17] (Synaptics Incorporated)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12902304 2015-12-14] (Zemana Ltd.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-02] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [509192 2014-10-10] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058400 2012-01-26] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [642664 2013-12-24] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863848 2013-12-24] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguix.exe [1136552 2015-11-12] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [3855272 2015-12-09] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2811792 2015-12-16] ()
HKU\S-1-5-21-1654402718-668299363-900708384-1001\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIJJE.EXE [283232 2012-02-28] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1654402718-668299363-900708384-1001\...\Run: [NETGEARGenie] => C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe [603392 2015-08-26] (NETGEAR Inc.)
HKU\S-1-5-21-1654402718-668299363-900708384-1001\...\Run: [EPLTarget\P0000000000000001] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIJJE.EXE [283232 2012-02-28] (SEIKO EPSON CORPORATION)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{08300455-9470-48B0-AADD-42C2FBE45E64}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5E8B958B-B7C5-46A2-88CF-05E4092A637F}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\S-1-5-21-1654402718-668299363-900708384-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files\AVG Web TuneUp\4.2.3.128\AVG Web TuneUp.dll [2015-12-16] (AVG)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => No File
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-07-26] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2015-05-06] (Hewlett-Packard)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2015-09-28] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2015-09-28] (McAfee, Inc.)
 
FireFox:
========
FF ProfilePath: C:\Users\Francis\AppData\Roaming\Mozilla\Firefox\Profiles\vgq3gegl.default
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2015-09-28] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.2.3\\npsitesafety.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-06-20] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-06-20] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-09-04] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-09-04] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2015-09-28] ()
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-06] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-10-24] (Adobe Systems Inc.)
FF Extension: AVG Web TuneUp - C:\Users\Francis\AppData\Roaming\Mozilla\Firefox\Profiles\vgq3gegl.default\extensions\avg@toolbar.xpi [2015-12-16]
FF Extension: Adblock Plus - C:\Users\Francis\AppData\Roaming\Mozilla\Firefox\Profiles\vgq3gegl.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-12-16]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2015-11-09] [not signed]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [615584 2015-12-09] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagent.exe [3857272 2015-12-09] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1046952 2015-11-12] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [579776 2015-12-09] (AVG Technologies CZ, s.r.o.)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [255040 2014-08-26] (WildTangent)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2015-12-16] (SurfRight B.V.)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368584 2015-09-01] (McAfee, Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [25800 2015-09-28] (Hewlett-Packard Company)
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [569608 2014-10-10] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-06-26] (Intel Corporation)
R2 ibtsiva.exe; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [121288 2014-08-14] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [328296 2014-10-08] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-14] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-09-04] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-09-04] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [783120 2015-09-28] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\McAfee\ActWiz\McAWFwk.exe [332528 2014-03-13] (McAfee, Inc.)
R2 mcbootdelaystartsvc; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [368584 2015-09-01] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.6.1180.0\McCSPServiceHost.exe [1694152 2015-09-01] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368584 2015-09-01] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [368584 2015-09-01] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [639456 2015-08-11] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [368584 2015-09-01] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [368584 2015-09-01] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [368584 2015-09-01] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-07-31] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [376264 2015-08-10] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [254792 2015-07-31] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [368584 2015-09-01] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [265936 2014-06-19] ()
S3 NETGEARGenieDaemon; C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [232192 2015-08-26] (NETGEAR)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-29] (Softex Inc.) [File not signed]
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-15] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-09-05] (Realtek Semiconductor)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [191728 2014-06-17] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [1164688 2015-12-16] ()
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12902304 2015-12-14] (Zemana Ltd.)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3816656 2014-06-19] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [23152 2015-09-09] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [184240 2015-11-06] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [313776 2015-11-06] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [298416 2015-08-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [284080 2015-10-21] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [398256 2015-08-14] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [256432 2015-11-06] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [42416 2015-08-10] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [306608 2015-10-08] (AVG Technologies CZ, s.r.o.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [80768 2015-08-10] (McAfee, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-13] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207208 2015-05-19] (McAfee, Inc.)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [219592 2014-08-14] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-16] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [126976 2014-09-04] (Intel Corporation)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [413432 2015-08-10] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [349096 2015-08-10] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [82072 2015-08-10] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [495856 2015-08-10] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [839376 2015-08-10] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [537408 2015-08-12] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [111256 2015-08-12] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [244024 2015-08-10] (McAfee, Inc.)
R3 NETwNb64; C:\Windows\system32\DRIVERS\Netwbw02.sys [3488744 2014-07-23] (Intel Corporation)
R2 NPF; C:\Windows\system32\drivers\npf.sys [35344 2015-11-15] (CACE Technologies, Inc.)
U5 RTSPER; C:\Windows\System32\Drivers\RTSPER.sys [506072 2014-06-21] (Realsil Semiconductor Corporation)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2014-06-17] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-06-17] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-23] (Hewlett-Packard Development Company, L.P.)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [202144 2015-12-16] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [202144 2015-12-16] (Zemana Ltd.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-16 13:56 - 2015-12-16 13:56 - 00021507 _____ C:\Users\Francis\Downloads\FRST.txt
2015-12-16 13:56 - 2015-12-16 13:56 - 00000000 ____D C:\FRST
2015-12-16 13:52 - 2015-12-16 13:52 - 00001686 _____ C:\Users\Francis\Desktop\JRT.txt
2015-12-16 13:49 - 2015-12-16 13:50 - 01309184 _____ C:\Users\Francis\Downloads\zoek.exe
2015-12-16 13:48 - 2015-12-16 13:48 - 00003552 _____ C:\Users\Francis\Desktop\AdwCleaner[S1].txt
2015-12-16 13:43 - 2015-12-16 13:43 - 00000000 ____D C:\AdwCleaner
2015-12-16 12:38 - 2015-12-16 12:38 - 01599336 _____ (Malwarebytes) C:\Users\Francis\Downloads\JRT.exe
2015-12-16 12:37 - 2015-12-16 12:38 - 01740288 _____ C:\Users\Francis\Downloads\AdwCleaner.exe
2015-12-16 12:37 - 2015-12-16 12:37 - 02369536 _____ (Farbar) C:\Users\Francis\Downloads\FRST64.exe
2015-12-16 12:04 - 2015-12-16 12:04 - 05066096 _____ (AVAST Software) C:\Users\Francis\Downloads\avast_free_antivirus_setup_online.exe
2015-12-16 11:43 - 2015-12-16 11:43 - 00000448 _____ C:\Users\Francis\Desktop\clean.bat
2015-12-16 11:27 - 2015-12-16 11:27 - 00001912 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-12-16 11:27 - 2015-12-16 11:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-12-16 11:26 - 2015-12-16 11:27 - 00000000 ____D C:\Program Files\HitmanPro
2015-12-16 11:25 - 2015-12-16 11:35 - 00000000 ____D C:\ProgramData\HitmanPro
2015-12-16 11:23 - 2015-12-16 11:26 - 11323704 _____ (SurfRight B.V.) C:\Users\Francis\Downloads\HitmanPro_x64.exe
2015-12-16 11:22 - 2015-12-16 11:22 - 00000000 ____D C:\Users\Francis\AppData\Local\AVG Web TuneUp
2015-12-16 11:21 - 2015-12-16 11:22 - 00000000 ____D C:\ProgramData\AVG Web TuneUp
2015-12-16 11:21 - 2015-12-16 11:21 - 00000000 ____D C:\ProgramData\AVG Secure Search
2015-12-16 11:21 - 2015-12-16 11:21 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2015-12-16 11:21 - 2015-12-16 11:21 - 00000000 ____D C:\Program Files\AVG Web TuneUp
2015-12-16 11:21 - 2015-12-16 11:21 - 00000000 ____D C:\Program Files (x86)\AVG Web TuneUp
2015-12-16 11:01 - 2015-12-16 11:36 - 00003106 _____ C:\Windows\System32\Tasks\BDAntiCryptoWallTask
2015-12-16 11:00 - 2015-12-16 12:33 - 00000258 __RSH C:\ProgramData\ntuser.pol
2015-12-16 10:59 - 2015-12-16 10:59 - 00000000 ____D C:\Windows\pss
2015-12-16 10:59 - 2015-12-16 10:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AntiCryptoWall
2015-12-16 10:59 - 2015-12-16 10:59 - 00000000 ____D C:\Program Files\Bitdefender
2015-12-16 10:57 - 2015-12-16 13:57 - 00022153 _____ C:\Windows\ZAM_Guard.krnl.trace
2015-12-16 10:57 - 2015-12-16 13:56 - 00806558 _____ C:\Windows\ZAM.krnl.trace
2015-12-16 10:57 - 2015-12-16 12:25 - 00202144 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2015-12-16 10:57 - 2015-12-16 12:25 - 00202144 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2015-12-16 10:57 - 2015-12-16 10:57 - 00001167 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2015-12-16 10:57 - 2015-12-16 10:57 - 00000000 ____D C:\Users\Francis\AppData\Local\Zemana
2015-12-16 10:57 - 2015-12-16 10:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2015-12-16 10:57 - 2015-12-16 10:57 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2015-12-16 10:53 - 2015-12-16 10:53 - 04773648 _____ (Bitdefender ) C:\Users\Francis\Downloads\BDAntiCryptoWallSetup.exe
2015-12-16 10:49 - 2015-12-16 10:50 - 05298752 _____ ( ) C:\Users\Francis\Downloads\Zemana.AntiMalware.Setup.exe
2015-12-16 10:29 - 2015-12-16 10:29 - 00000000 ____D C:\Users\Francis\AppData\Roaming\AVG
2015-12-16 10:25 - 2015-12-16 10:25 - 00000000 ____D C:\Users\Francis\AppData\Roaming\TuneUp Software
2015-12-16 10:25 - 2015-12-16 10:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-12-16 10:24 - 2015-12-16 10:24 - 00000000 ___HD C:\$AVG
2015-12-16 10:19 - 2015-12-16 10:33 - 00000000 ____D C:\ProgramData\MFAData
2015-12-16 10:19 - 2015-12-16 10:19 - 00000956 _____ C:\Users\Public\Desktop\AVG.lnk
2015-12-16 10:19 - 2015-12-16 10:19 - 00000000 ____D C:\Users\Francis\AppData\Local\MFAData
2015-12-16 10:19 - 2015-12-16 10:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2015-12-16 10:17 - 2015-12-16 10:24 - 00000000 ____D C:\ProgramData\Avg
2015-12-16 10:17 - 2015-12-16 10:22 - 00000000 ____D C:\Program Files (x86)\AVG
2015-12-16 10:16 - 2015-12-16 12:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-16 10:16 - 2015-12-16 10:29 - 00000000 ____D C:\Users\Francis\AppData\Local\Avg
2015-12-16 10:16 - 2015-12-16 10:19 - 00000000 ____D C:\Users\Francis\AppData\Local\AvgSetupLog
2015-12-16 10:15 - 2015-12-16 10:15 - 02970984 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Francis\Downloads\AVG_Protection_Free_698.exe
2015-12-16 10:15 - 2015-12-16 10:15 - 00001121 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-16 10:15 - 2015-12-16 10:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-16 10:15 - 2015-12-16 10:15 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-16 10:15 - 2015-12-16 10:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-16 10:15 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-12-16 10:15 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-12-16 10:15 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-12-16 10:14 - 2015-12-16 10:15 - 22908888 _____ (Malwarebytes ) C:\Users\Francis\Downloads\mbam-setup-2.2.0.1024.exe
2015-12-14 08:36 - 2015-12-14 08:36 - 00002250 _____ C:\Users\Francis\Desktop\HP Support Assistant.lnk
2015-12-12 14:21 - 2015-12-12 14:21 - 00184226 _____ C:\Users\Francis\Downloads\eStatement_12132015.pdf
2015-12-10 20:58 - 2015-12-10 20:58 - 03640559 _____ C:\Users\Francis\Downloads\Xmas lights at the upstair landings.zip
2015-12-10 16:06 - 2015-12-10 16:06 - 00008477 _____ C:\Users\Francis\Downloads\HOW_TO_RESTORE_FILES.html
2015-12-10 16:06 - 2015-12-10 16:06 - 00008477 _____ C:\Users\Francis\Documents\HOW_TO_RESTORE_FILES.html
2015-12-10 16:06 - 2015-12-10 16:06 - 00002933 _____ C:\Users\Francis\Downloads\HOW_TO_RESTORE_FILES.txt
2015-12-10 16:06 - 2015-12-10 16:06 - 00002933 _____ C:\Users\Francis\Documents\HOW_TO_RESTORE_FILES.txt
2015-12-10 16:01 - 2015-12-10 16:02 - 00000000 ____D C:\ProgramData\ytacedefatykysur
2015-12-09 12:06 - 2015-11-12 00:21 - 25837568 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-12-09 12:06 - 2015-11-12 00:00 - 12856832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-12-09 12:06 - 2015-11-11 23:44 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-12-09 12:06 - 2015-11-11 23:44 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2015-12-09 12:06 - 2015-11-11 23:41 - 20366848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-12-09 12:06 - 2015-11-11 23:12 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-12-09 12:06 - 2015-11-10 08:13 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-12-09 12:06 - 2015-11-10 08:11 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-12-09 12:06 - 2015-11-10 08:08 - 02280448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-12-09 12:06 - 2015-11-10 08:04 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-12-09 12:06 - 2015-11-10 08:02 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-12-09 12:06 - 2015-11-10 07:46 - 04514816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-12-09 12:06 - 2015-11-10 07:41 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-12-09 12:06 - 2015-11-10 07:37 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-12-09 12:06 - 2015-11-10 07:36 - 02050560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-12-09 12:06 - 2015-11-10 07:36 - 00687104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-12-09 12:06 - 2015-11-10 07:36 - 00325632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-12-09 12:06 - 2015-11-10 07:25 - 01048576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\actxprxy.dll
2015-12-09 12:06 - 2015-11-10 07:17 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-12-09 12:06 - 2015-11-10 07:14 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-12-09 12:06 - 2015-11-10 07:12 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-12-09 12:06 - 2015-11-09 06:15 - 02887168 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-12-09 12:06 - 2015-11-09 06:15 - 00571392 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-12-09 12:06 - 2015-11-09 06:04 - 05923840 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-12-09 12:06 - 2015-11-09 06:02 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-12-09 12:06 - 2015-11-09 06:01 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-12-09 12:06 - 2015-11-09 05:32 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-12-09 12:06 - 2015-11-09 05:32 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2015-12-09 12:06 - 2015-11-09 05:25 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-12-09 12:06 - 2015-11-09 05:18 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-12-09 12:06 - 2015-11-09 05:16 - 00372224 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-12-09 12:06 - 2015-11-09 05:15 - 00798208 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-12-09 12:06 - 2015-11-09 05:15 - 00718336 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-12-09 12:06 - 2015-11-09 05:14 - 14456832 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-12-09 12:06 - 2015-11-09 05:13 - 02123264 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-12-09 12:06 - 2015-11-09 04:53 - 02880000 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2015-12-09 12:06 - 2015-11-09 04:53 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-12-09 12:06 - 2015-11-09 04:41 - 01546752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-12-09 12:06 - 2015-11-09 04:30 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-12-09 12:04 - 2015-11-05 16:59 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2015-12-09 08:12 - 2015-11-22 14:59 - 07455064 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-12-09 08:12 - 2015-11-22 14:59 - 01735000 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-12-09 08:12 - 2015-11-22 14:59 - 01659568 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-12-09 08:12 - 2015-11-22 14:59 - 01519592 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-12-09 08:12 - 2015-11-22 14:59 - 01487008 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-12-09 08:12 - 2015-11-22 14:59 - 01355848 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2015-12-09 08:12 - 2015-11-22 14:58 - 01499920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-12-09 08:12 - 2015-11-22 02:32 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-12-09 08:12 - 2015-11-22 01:50 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-12-09 08:12 - 2015-11-22 00:59 - 01706496 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2015-12-09 08:12 - 2015-11-22 00:49 - 01344000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comsvcs.dll
2015-12-09 08:12 - 2015-11-22 00:47 - 00522240 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll
2015-12-09 08:12 - 2015-11-22 00:40 - 00414208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\catsrvut.dll
2015-12-09 08:12 - 2015-11-09 08:41 - 01540728 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2015-12-09 08:12 - 2015-11-09 06:30 - 04176384 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-12-09 08:12 - 2015-11-09 05:23 - 01994752 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-12-09 08:12 - 2015-11-09 05:13 - 01383936 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-12-09 08:12 - 2015-11-09 05:01 - 01753600 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2015-12-09 08:12 - 2015-11-09 04:52 - 01559552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2015-12-09 08:12 - 2015-11-09 04:48 - 01376256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2015-12-09 08:12 - 2015-11-09 04:42 - 01490944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GdiPlus.dll
2015-12-09 08:12 - 2015-10-23 01:43 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\kbdgeoqw.dll
2015-12-09 08:12 - 2015-10-23 01:43 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZST.DLL
2015-12-09 08:12 - 2015-10-23 01:43 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZEL.DLL
2015-12-09 08:12 - 2015-10-23 01:43 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZE.DLL
2015-12-09 08:12 - 2015-10-23 00:59 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kbdgeoqw.dll
2015-12-09 08:12 - 2015-10-23 00:59 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDAZST.DLL
2015-12-09 08:12 - 2015-10-23 00:59 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDAZEL.DLL
2015-12-09 08:12 - 2015-10-23 00:59 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDAZE.DLL
2015-12-09 08:12 - 2015-10-23 00:21 - 01200128 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Globalization.dll
2015-12-09 08:12 - 2015-10-23 00:21 - 00323072 _____ (Microsoft Corporation) C:\Windows\system32\GlobCollationHost.dll
2015-12-09 08:12 - 2015-10-22 23:58 - 00868864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Globalization.dll
2015-12-09 08:12 - 2015-10-22 23:58 - 00200704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GlobCollationHost.dll
2015-12-09 08:12 - 2015-10-22 22:08 - 00513456 _____ C:\Windows\SysWOW64\locale.nls
2015-12-09 08:12 - 2015-10-22 22:08 - 00513456 _____ C:\Windows\system32\locale.nls
2015-12-09 08:12 - 2015-10-11 01:20 - 00186880 _____ (Microsoft Corporation) C:\Windows\system32\dpapisrv.dll
2015-12-09 08:12 - 2015-10-04 03:41 - 01385280 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-12-09 08:12 - 2015-10-04 03:41 - 01124384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2015-12-09 08:11 - 2015-11-21 06:47 - 00136904 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-12-09 08:11 - 2015-11-21 02:18 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-12-09 08:11 - 2015-11-21 00:58 - 03706880 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-12-09 08:11 - 2015-11-21 00:47 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-12-09 08:11 - 2015-11-21 00:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-12-09 08:11 - 2015-11-21 00:44 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2015-12-09 08:11 - 2015-11-21 00:44 - 00095744 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-12-09 08:11 - 2015-11-21 00:43 - 00897024 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-12-09 08:11 - 2015-11-21 00:42 - 02243584 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-12-09 08:11 - 2015-11-21 00:30 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-12-09 08:11 - 2015-11-21 00:29 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-12-09 08:11 - 2015-11-21 00:28 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-12-09 08:11 - 2015-11-21 00:27 - 00726528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-12-09 08:11 - 2015-10-28 23:49 - 02775552 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-12-09 08:11 - 2015-10-28 23:29 - 02462720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2015-12-09 08:11 - 2015-10-11 14:34 - 00468824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBHUB3.SYS
2015-12-09 08:11 - 2015-10-11 14:34 - 00462168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2015-12-09 08:11 - 2015-10-11 14:34 - 00443224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2015-12-09 08:11 - 2015-10-11 14:34 - 00092504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2015-12-09 08:11 - 2015-10-11 14:34 - 00027992 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2015-12-09 08:11 - 2015-10-11 02:41 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2015-12-09 08:11 - 2015-10-11 02:41 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2015-12-09 08:11 - 2015-10-09 00:11 - 00060928 _____ (Microsoft Corporation) C:\Windows\system32\PCPKsp.dll
2015-12-09 08:11 - 2015-10-08 23:50 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PCPKsp.dll
2015-12-09 08:11 - 2015-10-06 02:28 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\wininit.exe
2015-12-09 08:11 - 2015-10-06 02:25 - 00572928 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2015-12-08 16:35 - 2015-12-10 16:06 - 13397874 _____ C:\Users\Francis\Downloads\ongteik sent you an video file!.zip.encrypted
2015-12-02 14:37 - 2015-12-10 16:06 - 00190145 _____ C:\Users\Francis\Documents\img029.pdf.encrypted
2015-11-25 08:58 - 2015-12-10 16:06 - 07028798 _____ C:\Users\Francis\Downloads\Scheme-Text--updated-to-include-GG-24.3.2015-.pdf.encrypted
2015-11-23 19:15 - 2015-12-10 16:06 - 00024346 _____ C:\Users\Francis\Downloads\Entitlement_Details_-_Angela_Chin_Ying_Han.pdf.encrypted
2015-11-23 19:06 - 2015-12-10 16:06 - 05800662 _____ C:\Users\Francis\Downloads\LF order form.pdf.encrypted
2015-11-22 22:30 - 2015-12-15 17:27 - 00000356 _____ C:\Windows\Tasks\HPCeeScheduleForFrancis.job
2015-11-22 22:30 - 2015-12-13 20:23 - 00003174 _____ C:\Windows\System32\Tasks\HPCeeScheduleForFrancis
2015-11-20 11:00 - 2015-12-10 16:06 - 00115918 _____ C:\Users\Francis\Documents\img027.pdf.encrypted
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-16 13:56 - 2013-08-22 21:36 - 00000000 ____D C:\Windows
2015-12-16 13:44 - 2014-03-18 17:53 - 00958356 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-16 13:44 - 2013-08-22 21:36 - 00000000 ____D C:\Windows\Inf
2015-12-16 12:46 - 2015-08-01 13:54 - 00000000 ____D C:\Users\Francis\Documents\Youcam
2015-12-16 12:37 - 2015-08-01 13:54 - 00003594 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1654402718-668299363-900708384-1001
2015-12-16 12:32 - 2015-08-01 14:18 - 00000000 ____D C:\Users\Francis\OneDrive
2015-12-16 12:30 - 2013-08-22 22:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-16 11:22 - 2015-11-10 16:12 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-16 11:07 - 2013-08-22 21:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-12-16 10:59 - 2013-08-22 23:36 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-12-16 10:33 - 2013-08-22 21:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2015-12-16 10:28 - 2015-08-01 14:33 - 00000000 ____D C:\Program Files\Common Files\AV
2015-12-16 10:25 - 2013-08-22 23:36 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-12-16 08:18 - 2015-08-01 14:40 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{7F6B8A90-16AA-43D3-ACD5-A053FD9C72D5}
2015-12-15 17:42 - 2014-11-01 20:38 - 00000000 ____D C:\Windows\System32\Tasks\Hewlett-Packard
2015-12-15 17:42 - 2014-11-01 20:38 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2015-12-15 17:28 - 2015-01-09 08:19 - 00000000 ____D C:\ProgramData\McAfee
2015-12-15 17:27 - 2015-01-09 08:19 - 00000000 ____D C:\Program Files (x86)\McAfee
2015-12-15 17:26 - 2013-08-22 22:44 - 00378000 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-14 20:12 - 2015-08-01 14:33 - 00003344 _____ C:\Windows\System32\Tasks\McAfee Remediation (Prepare)
2015-12-14 08:36 - 2014-11-01 20:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2015-12-14 08:36 - 2014-11-01 20:33 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-12-14 08:36 - 2014-11-01 20:29 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2015-12-14 08:33 - 2015-08-01 13:52 - 00000000 ____D C:\Users\Francis\AppData\Roaming\hpqlog
2015-12-14 08:33 - 2014-04-05 07:55 - 00000000 ____D C:\SWSetup
2015-12-14 08:20 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-12-13 08:33 - 2013-08-22 23:20 - 00000000 ____D C:\Windows\CbsTemp
2015-12-12 22:52 - 2013-08-22 23:36 - 00000000 __RHD C:\Users\Public\Libraries
2015-12-12 22:49 - 2015-08-01 13:48 - 00000000 ____D C:\Users\Francis
2015-12-11 15:52 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\AppReadiness
2015-12-10 16:06 - 2015-11-12 15:50 - 04337897 _____ C:\Users\Francis\Downloads\Emerald Rhumba.zip.encrypted
2015-12-10 16:06 - 2015-11-11 13:51 - 00101479 _____ C:\Users\Francis\Documents\subi ext of lease.pdf.encrypted
2015-12-10 16:06 - 2015-11-02 12:11 - 01930417 _____ C:\Users\Francis\Documents\img025.pdf.encrypted
2015-12-10 16:06 - 2015-10-30 16:56 - 00213388 _____ C:\Users\Francis\Documents\img024.pdf.encrypted
2015-12-10 16:06 - 2015-10-30 16:21 - 00022705 _____ C:\Users\Francis\Downloads\MindValley Pay.zip.encrypted
2015-12-10 16:06 - 2015-10-28 18:31 - 01507949 _____ C:\Users\Francis\Documents\img023.pdf.encrypted
2015-12-10 16:06 - 2015-10-08 15:35 - 00156311 _____ C:\Users\Francis\Documents\img022.pdf.encrypted
2015-12-10 16:06 - 2015-10-08 15:30 - 00120345 _____ C:\Users\Francis\Documents\img021.pdf.encrypted
2015-12-10 16:06 - 2015-10-08 13:49 - 00157562 _____ C:\Users\Francis\Documents\img020.pdf.encrypted
2015-12-10 16:06 - 2015-10-08 11:39 - 00400014 _____ C:\Users\Francis\Documents\img019.pdf.encrypted
2015-12-10 16:06 - 2015-10-07 10:58 - 05086227 _____ C:\Users\Francis\Downloads\Outlook.com.zip.encrypted
2015-12-10 16:06 - 2015-10-06 15:09 - 01928092 _____ C:\Users\Francis\Documents\img018.pdf.encrypted
2015-12-10 16:06 - 2015-09-24 09:28 - 00370243 _____ C:\Users\Francis\Documents\img017.pdf.encrypted
2015-12-10 16:06 - 2015-09-18 15:33 - 00294712 _____ C:\Users\Francis\Documents\img016.pdf.encrypted
2015-12-10 16:06 - 2015-09-18 15:15 - 00116310 _____ C:\Users\Francis\Documents\img015.pdf.encrypted
2015-12-10 16:06 - 2015-09-17 22:36 - 00285938 _____ C:\Users\Francis\Downloads\eStatement_09132015.pdf.encrypted
2015-12-10 16:06 - 2015-09-08 13:10 - 00009272 _____ C:\Users\Francis\Documents\img012.pdf.encrypted
2015-12-10 16:06 - 2015-09-07 15:21 - 00047127 _____ C:\Users\Francis\Documents\img011.pdf.encrypted
2015-12-10 16:06 - 2015-09-07 15:18 - 00020814 _____ C:\Users\Francis\Documents\img010.pdf.encrypted
2015-12-10 16:06 - 2015-09-01 14:34 - 00039059 _____ C:\Users\Francis\Documents\img003.pdf.encrypted
2015-12-10 16:06 - 2015-08-31 09:24 - 00037152 _____ C:\Users\Francis\Documents\img002.pdf.encrypted
2015-12-10 16:06 - 2015-08-31 09:07 - 00030810 _____ C:\Users\Francis\Downloads\FD Application Form(1).pdf.encrypted
2015-12-10 16:06 - 2015-08-31 09:05 - 00030810 _____ C:\Users\Francis\Downloads\FD Application Form.pdf.encrypted
2015-12-10 16:06 - 2015-08-09 12:03 - 00026715 _____ C:\Users\Francis\Documents\img001.pdf.encrypted
2015-12-10 16:06 - 2015-08-08 15:30 - 00024206 _____ C:\Users\Francis\Downloads\Agenda - AGM 8-8-2015.docx.encrypted
2015-12-10 16:06 - 2015-08-04 16:57 - 01474429 _____ C:\Users\Francis\Downloads\VID-20150803-WA0003.mp4.y5v72y0.partial.encrypted
2015-12-10 16:06 - 2015-08-01 14:20 - 00000000 ____D C:\Users\Francis\Documents\francis old laptop backup 01815
2015-12-10 16:06 - 2015-08-01 13:48 - 00000000 ___HD C:\Users\Francis\Documents\hp.system.package.metadata
2015-12-10 16:03 - 2014-04-05 07:45 - 00000000 ___HD C:\SYSTEM.SAV
2015-12-10 16:01 - 2015-10-30 16:27 - 00000000 ____D C:\Users\Francis\Desktop\OpenOffice 4.1.2 (en-US) Installation Files
2015-12-10 16:01 - 2015-10-07 10:58 - 04031637 _____ C:\Users\Francis\Desktop\Quote attached  Job no.10653, 17 Archdeacon St. Nedlands..eml.encrypted
2015-12-10 16:01 - 2015-10-07 10:58 - 01054715 _____ C:\Users\Francis\Desktop\Quote attached Job no. 10653,17 Archdeacon St , Nedlands.eml.encrypted
2015-12-10 16:01 - 2015-09-18 20:38 - 03409909 _____ C:\Users\Francis\Desktop\IMG_0109.JPG.encrypted
2015-12-10 16:01 - 2015-09-18 20:38 - 02682807 _____ C:\Users\Francis\Desktop\IMG_0110.JPG.encrypted
2015-12-10 16:01 - 2015-08-25 16:14 - 00179505 _____ C:\Users\Francis\Desktop\Realdev Sdn Bhd C2014_0785478300.pdf.encrypted
2015-12-10 16:01 - 2015-08-25 16:14 - 00130062 _____ C:\Users\Francis\Desktop\Realdev.pdf.encrypted
2015-12-09 13:01 - 2015-08-04 13:48 - 00000000 ____D C:\Windows\system32\MRT
2015-12-09 12:59 - 2015-08-04 13:48 - 140158008 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-12-06 08:31 - 2013-08-22 23:36 - 00000000 ___HD C:\Program Files\WindowsApps
2015-12-02 08:36 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\system32\NDF
2015-12-02 01:19 - 2015-08-04 15:12 - 00826872 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-02 01:19 - 2015-08-04 15:12 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-11-28 15:11 - 2015-08-25 16:18 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-11-22 22:30 - 2015-08-01 13:52 - 00000000 ____D C:\Users\Francis\AppData\Local\Hewlett-Packard
2015-11-21 20:22 - 2015-11-15 14:29 - 00000000 ____D C:\Users\Francis\AppData\Local\NETGEARGenie
2015-11-17 14:18 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\rescache
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-13 15:45
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:14-12-2015
Ran by Francis (2015-12-16 13:58:42)
Running from C:\Users\Francis\Downloads
Windows 8.1 (X64) (2015-08-01 05:47:47)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1654402718-668299363-900708384-500 - Administrator - Disabled)
Francis (S-1-5-21-1654402718-668299363-900708384-1001 - Administrator - Enabled) => C:\Users\Francis
Guest (S-1-5-21-1654402718-668299363-900708384-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1654402718-668299363-900708384-1003 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: AVG AntiVirus Free Edition (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AV: McAfee Anti-Virus and Anti-Spyware (Disabled - Up to date) {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
FW: McAfee Firewall (Disabled) {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
4 Elements II (x32 Version: 3.0.2.59 - WildTangent) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20079 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.4.144 - Adobe Systems, Inc.)
AntiCryptoWall (HKLM\...\{BE40AB1F-558F-4434-B72F-461EF97E7796}_is1) (Version: 1.0.10.60 - Bitdefender)
AVG (HKLM\...\AvgZen) (Version: 1.22.1.40089 - AVG Technologies)
AVG (Version: 16.12.7303 - AVG Technologies) Hidden
AVG 2016 (Version: 16.0.4489 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.12.7303 - AVG Technologies)
AVG Web TuneUp (HKLM-x32\...\AVG Web TuneUp) (Version: 4.2.3.128 - AVG Technologies)
AVG Zen (Version: 1.22.1 - AVG Technologies) Hidden
Azkend 2: The World Beneath (x32 Version: 2.2.0.98 - WildTangent) Hidden
Bejeweled 3 (x32 Version: 3.0.2.59 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Build-a-lot (x32 Version: 3.0.2.59 - WildTangent) Hidden
Building the Great Wall of China Collector's Edition (x32 Version: 3.0.2.48 - WildTangent) Hidden
Curse at Twilight (x32 Version: 3.0.2.51 - WildTangent) Hidden
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.8.4420 - CyberLink Corp.)
Cyberlink PhotoDirector (HKLM-x32\...\InstallShield_{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.3.5715 - CyberLink Corp.)
Cyberlink PhotoDirector (Version: 5.0.3.5715 - CyberLink Corp.) Hidden
CyberLink Power Media Player 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.5.4505 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.8.4316 - CyberLink Corp.)
CyberLink PowerBackup 2.6 (HKLM-x32\...\InstallShield_{ADD5DB49-72CF-11D8-9D75-000129760D75}) (Version: 2.6.1.0903 - CyberLink Corp.)
CyberLink PowerDirector 12 (HKLM-x32\...\InstallShield_{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.2.3324 - CyberLink Corp.)
CyberLink PowerDirector 12 (Version: 12.0.2.3324 - CyberLink Corp.) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.5.4523 - CyberLink Corp.)
Delicious - Emily's Wonder Wedding Premium Edition (x32 Version: 3.0.2.48 - WildTangent) Hidden
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Dropbox 25 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 0.9.0 - Dropbox, Inc.)
Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.4.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{44F72193-F59C-4303-BAE8-E3E4BC1C122C}) (Version: 3.01.0003 - Seiko Epson Corporation)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.46.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WF-3520 Series Printer Uninstall (HKLM\...\EPSON WF-3520 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.5.00 - SEIKO EPSON CORPORATION)
Evernote v. 5.5.3 (HKLM-x32\...\{B1A0F908-1448-11E4-8684-00163E98E7D0}) (Version: 5.5.3.4236 - Evernote Corp.)
Farm Frenzy (x32 Version: 3.0.2.59 - WildTangent) Hidden
Fishdom 3: Collector's Edition (x32 Version: 3.0.2.38 - WildTangent) Hidden
FMW 1 (Version: 1.32.2 - AVG Technologies) Hidden
Foxit PhantomPDF (HKLM-x32\...\{89BF1D4D-1D62-451E-9496-B971BDE82720}) (Version: 6.0.33.715 - Foxit Corporation)
FREE EML File Viewer version v2.0 (HKLM-x32\...\{6B16A616-C931-4D4B-B1C5-E04F2D4DDD63}_is1) (Version: v2.0 - www.freeviewer.org)
Governor of Poker 2 Premium Edition (x32 Version: 3.0.2.59 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.12.253 - SurfRight B.V.)
HP 3D DriveGuard (HKLM-x32\...\{13133E99-B0D5-4143-B832-AAD55C62A41C}) (Version: 6.0.19.1 - Hewlett-Packard Company)
HP CoolSense (HKLM-x32\...\{ADE2F6A7-E7BD-4955-BD66-30903B223DDF}) (Version: 2.20.41 - Hewlett-Packard Company)
HP Documentation (HKLM-x32\...\{6AAEDF97-4B93-4169-8FCA-FCB0378CED52}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7745.4851 - Hewlett-Packard)
HP SimplePass (HKLM-x32\...\InstallShield_{314FAD12-F785-4471-BCE8-AB506642B9A1}) (Version: 8.01.11 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{79C54A05-F146-4EA0-8A70-D4EFE6181E52}) (Version: 8.1.40.3 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{55065080-504F-43BB-BE00-36B80D7D39A5}) (Version: 12.0.30.219 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{C39A7F0F-89A6-44BB-B1BF-5F96569B5345}) (Version: 1.2.9 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company)
Inst5675 (Version: 8.01.11 - Softex Inc.) Hidden
Inst5676 (Version: 8.01.11 - Softex Inc.) Hidden
Intel® Chipset Device Software (x32 Version: 10.0.21 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.28.1006 - Intel Corporation)
Intel® PRO/Wireless Driver (HKLM\...\{ac7ad2d7-04b3-460c-b370-07e3d3e3aa4e}) (Version: 17.01.0000.1697 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3960 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.2.0.1016 - Intel Corporation)
Intel® Update Manager (HKLM-x32\...\{B991A1BC-DE0F-41B3-9037-B2F948F706EC}) (Version: 3.1.1228 - Intel Corporation)
Intel® WiDi (HKLM\...\{5BBC7722-E4D9-4406-A8B9-1E11A23B9EAF}) (Version: 5.0.32.0 - Intel Corporation)
Intel® Wireless Bluetooth® (HKLM-x32\...\{06A5031E-3B1E-4FB9-AC4C-BA0FE2706152}) (Version: 17.1.1433.02 - Intel Corporation)
Jewel Match 3 (x32 Version: 3.0.2.59 - WildTangent) Hidden
Joining Hands 2 (x32 Version: 3.0.2.51 - WildTangent) Hidden
Letters from Nowhere 2 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Lost in Reefs 2 (x32 Version: 3.0.2.51 - WildTangent) Hidden
LUXOR Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
McAfee LiveSafe - Internet Security (HKLM-x32\...\MSC) (Version: 14.0.5120 - McAfee, Inc.)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Mozilla Firefox 42.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 42.0.0.5780 - Mozilla)
NETGEAR Genie (HKLM-x32\...\NETGEAR Genie) (Version: 2.4.16.00 - NETGEAR Inc.)
OpenOffice 4.1.2 (HKLM-x32\...\{E6AD67BB-1C33-4AB3-A387-E0D48137AB70}) (Version: 4.12.9782 - Apache Software Foundation)
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Penguins! (x32 Version: 3.0.2.59 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 3.0.2.51 - WildTangent) Hidden
Polar Bowler 1st Frame (x32 Version: 3.0.2.59 - WildTangent) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.273.55 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.32.508.2014 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7358 - Realtek Semiconductor Corp.)
Roads of Rome 3 (x32 Version: 3.0.2.59 - WildTangent) Hidden
Software Updater (HKLM-x32\...\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}) (Version: 4.3.7 - SEIKO EPSON CORPORATION) <==== ATTENTION
Solitaire Mystery Four Seasons (x32 Version: 3.0.2.51 - WildTangent) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 18.1.7.16 - Synaptics Incorporated)
Trinklit Supreme (x32 Version: 2.2.0.98 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Quest™ - Australia (x32 Version: 3.0.2.32 - WildTangent) Hidden
Viking Saga (x32 Version: 3.0.2.48 - WildTangent) Hidden
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App for HP (x32 Version: 4.0.11.14 - WildTangent) Hidden
Youda Jewel Shop (x32 Version: 3.0.2.51 - WildTangent) Hidden
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.19.737 - Zemana Ltd.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
23-11-2015 14:31:22 Scheduled Checkpoint
04-12-2015 14:52:52 Scheduled Checkpoint
09-12-2015 12:56:58 Windows Update
13-12-2015 08:31:47 Windows Update
13-12-2015 08:32:17 Windows Modules Installer
14-12-2015 08:34:29 Installed HP Support Assistant
16-12-2015 10:21:31 Installed AVG 2016
16-12-2015 10:22:43 Installed AVG
16-12-2015 13:49:09 JRT Pre-Junkware Removal
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 21:25 - 2013-08-22 21:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {06523DEC-3492-4C9D-9677-E5F36277DDB3} - System32\Tasks\HPCeeScheduleForFrancis => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {3211100A-EDAB-4FD3-AE45-BC21FEFCFAB6} - System32\Tasks\BDAntiCryptoWallTask => C:\Program Files\Bitdefender\Tools\AntiCryptoWall\BDAntiCryptoWall.exe [2015-12-10] ()
Task: {382A181F-C556-4478-A7E9-8D6368BA65FB} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-09-28] (Hewlett-Packard Company)
Task: {498D8B4A-2FE4-4513-A9F0-FAAC365B320C} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {4E34174A-A12D-4F36-B2CC-8F04E10173D3} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-09-28] (Hewlett-Packard Company)
Task: {5A8BBDF0-A53E-452F-B338-B4FC6B7BA8DC} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2015-12-09] (Microsoft Corporation)
Task: {65208344-2300-4BD9-89B5-7DEF46A12DFF} - System32\Tasks\Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2014-05-20] (Hewlett-Packard Development Company, L.P.)
Task: {8259A90F-2760-4481-8CC0-1C1BDECFEA97} - System32\Tasks\McAfee\McAfee Auto Maintenance Task Agent
Task: {9363C336-3AA3-4169-B955-3DB139B5E617} - System32\Tasks\DropboxOEM => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [2014-09-16] ()
Task: {A5797990-AB3C-4A85-A012-6BBF1CC85B7D} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {A5D55F00-A5C7-40EE-9FAE-7648E73E0922} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2015-09-24] (Hewlett-Packard)
Task: {BDF928BF-4039-4B4C-964E-044104859798} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\McAfee\platform\McUICnt.exe [2015-09-01] (McAfee, Inc.)
Task: {DA3E4106-FB6C-429A-8A46-2545A27C7551} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Active Health Launcher => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2015-09-24] (Hewlett-Packard)
Task: {DF7458BB-E82C-40C5-B428-8F44EEBB516D} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [2014-09-23] (CyberLink Corp.)
Task: {F34F38BE-70D8-4A68-863C-435B5A4633AA} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {F5738D72-3491-48C9-8ECB-0C535C1B676D} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2015-11-03] (McAfee, Inc.)
Task: {F837DC61-E327-440B-B7CD-44082C8954A7} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2015-09-27] (Hewlett-Packard)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\HPCeeScheduleForFrancis.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-12-16 11:21 - 2015-12-16 11:21 - 01164688 ____N () C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
2014-03-29 04:31 - 2014-03-29 04:31 - 02110464 _____ () C:\Program Files\Hewlett-Packard\SimplePass\autheng.dll
2014-03-29 04:27 - 2014-03-29 04:27 - 00021504 _____ () C:\Program Files\Hewlett-Packard\SimplePass\cryptodll.dll
2014-03-29 04:27 - 2014-03-29 04:27 - 00035328 _____ () C:\Program Files\Hewlett-Packard\SimplePass\ssplogon.dll
2014-03-29 04:27 - 2014-03-29 04:27 - 00055296 _____ () C:\Program Files\Hewlett-Packard\SimplePass\RandomPass.dll
2014-03-29 04:48 - 2014-03-29 04:48 - 00367504 _____ () C:\Program Files\Hewlett-Packard\SimplePass\mstrpwd.dll
2014-03-29 04:48 - 2014-03-29 04:48 - 00712080 _____ () C:\Program Files\Hewlett-Packard\SimplePass\GraphicalPwd.dll
2015-01-09 08:27 - 2014-04-15 10:59 - 00389896 _____ () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
2015-12-16 11:21 - 2015-12-16 11:21 - 00192912 _____ () C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.3\loggingserver.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McNaiAnn => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1654402718-668299363-900708384-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Hewlett-Packard Backgrounds\backgroundDefault.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{4D2AB478-ABD4-4A76-9460-E328C95C3CA3}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{6ACEAA75-8035-43CF-9B73-E0796D6F41F3}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{1AF039B1-1307-469F-9EB9-A03027AC1A8D}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{F696D8C6-F591-45B7-A5A2-66B8A6E57D14}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0E871B61-2CBD-4AB6-8A3F-2AB5F4188C18}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{A743BB8E-C7E1-43F3-B5C7-68F6BCBD0201}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{8A0F492A-2F30-410C-A3C2-5084BAF47780}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
FirewallRules: [{4BDCFEA2-3638-4C0D-96D4-281D4637AA27}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
FirewallRules: [{3354F817-E386-4A0D-AF5B-B5173BA4CA6B}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe
FirewallRules: [{69069257-9B77-4697-BBD4-29985F55E2EE}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{8899FB73-2FAB-4DFD-966F-E7642F799518}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{5FA70673-957F-4DE7-BF4A-50863DD4B193}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{FEA21887-2776-411D-B7C5-900E816AC4DB}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{9D6DBA99-B138-42A4-9897-17EE3AE01DCF}] => (Allow) C:\Program Files\CyberLink\PowerDirector12\PDR10.EXE
FirewallRules: [{FAAFE4BA-AC82-4222-9C3F-E072C69F7B3D}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{65ADFAB3-9830-434A-82A2-806D1B415700}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{FF79684C-DF9D-41BF-BAD4-9DC9780AB7BF}] => (Allow) C:\Users\Francis\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{BB134773-5E22-4C61-B217-A4CAFD09ECF2}] => (Allow) C:\Users\Francis\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{9088D955-5626-471A-AD5B-852936CE2A46}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D29CFD1C-E5B3-4AFE-85B0-771413059FB9}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2DC9B27D-D725-402E-963B-EE5CF78540A9}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{DB88F274-EF37-4771-A5EB-61639E9A6F5C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{BFC03944-F1BC-4199-84F9-26B59E0A5529}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{0F086135-FE44-4B62-818F-A70E88B87FB8}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [TCP Query User{F1DF6CDB-D555-4246-88E6-20E9AF7B5872}C:\program files (x86)\netgear genie\bin\netgeargenie.exe] => (Block) C:\program files (x86)\netgear genie\bin\netgeargenie.exe
FirewallRules: [UDP Query User{999AAD9A-7BB5-417F-B299-5138A4B25F84}C:\program files (x86)\netgear genie\bin\netgeargenie.exe] => (Block) C:\program files (x86)\netgear genie\bin\netgeargenie.exe
FirewallRules: [{F25ABB34-266A-45CE-8CBF-6CBDF85544D2}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{DD1EA502-1DB4-4579-828C-67D30E29B956}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{9DCA42AF-7100-40F4-8F5D-F96BE98A3F7D}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{9B6A6D05-C36B-47FD-BDDB-AB493603B96E}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{3598E096-B339-4D36-9B37-FD7C81BCA86C}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{6A908229-4FC7-47C1-9312-CBF91231355A}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{10C5C93D-9042-43DF-9D0D-24C30950FAEE}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{2063295A-F7C1-4B21-BBEE-6318E864FF60}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/16/2015 11:58:27 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20911 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1c0
 
Start Time: 01d137b548ec1c0e
 
Termination Time: 4294967295
 
Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe
 
Report Id: 3ded6a80-a3a9-11e5-8270-34de1a0df2cc
 
Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe
 
Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1
 
Error: (12/16/2015 11:36:20 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: FSSYAPP)
Description: Activation of app 2703103D.McAfeeCentral_4ehj4w4frejdr!McAfeeCentral failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (12/16/2015 11:36:20 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program UNKNOWN version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 854
 
Start Time: 01d137b2d0fb280a
 
Termination Time: 4294967295
 
Application Path: UNKNOWN
 
Report Id: 18481528-a3a6-11e5-8270-34de1a0df2cc
 
Faulting package full name: 2703103D.McAfeeCentral_4.5.153.1_x64__4ehj4w4frejdr
 
Faulting package-relative application ID: McAfeeCentral
 
Error: (12/16/2015 11:35:47 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: FSSYAPP)
Description: App 2703103D.McAfeeCentral_4.5.153.1_x64__4ehj4w4frejdr+McAfeeCentral did not launch within its allotted time.
 
Error: (12/16/2015 10:14:11 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database
 
Error: (12/16/2015 10:13:50 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5434296
 
Error: (12/16/2015 10:13:50 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5434296
 
Error: (12/16/2015 10:13:50 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/16/2015 08:14:44 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 52343422
 
Error: (12/16/2015 08:14:44 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 52343422
 
 
System errors:
=============
Error: (12/16/2015 12:29:02 PM) (Source: DCOM) (EventID: 10005) (User: FSSYAPP)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (12/16/2015 12:28:44 PM) (Source: DCOM) (EventID: 10005) (User: FSSYAPP)
Description: 1084WSearchUnavailable{9E175B68-F52A-11D8-B9A5-505054503030}
 
Error: (12/16/2015 12:28:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: 
%%1068
 
Error: (12/16/2015 12:28:44 PM) (Source: DCOM) (EventID: 10005) (User: FSSYAPP)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (12/16/2015 12:28:43 PM) (Source: DCOM) (EventID: 10005) (User: FSSYAPP)
Description: 1068netprofmUnavailable{A47979D2-C419-11D9-A5B4-001185AD2B89}
 
Error: (12/16/2015 12:28:43 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (12/16/2015 12:28:43 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network Location Awareness service depends on the DHCP Client service which failed to start because of the following error: 
%%1068
 
Error: (12/16/2015 12:27:37 PM) (Source: DCOM) (EventID: 10005) (User: FSSYAPP)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (12/16/2015 12:27:27 PM) (Source: DCOM) (EventID: 10005) (User: FSSYAPP)
Description: 1084WSearchUnavailable{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
 
Error: (12/16/2015 12:27:27 PM) (Source: DCOM) (EventID: 10005) (User: FSSYAPP)
Description: 1084WSearchUnavailable{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
 
 
CodeIntegrity:
===================================
  Date: 2015-12-16 13:58:40.680
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:58:40.383
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:58:38.665
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:58:38.493
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:53:10.760
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:53:10.573
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:51:48.910
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:51:48.676
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:50:29.341
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-12-16 13:50:28.987
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-5500U CPU @ 2.40GHz
Percentage of memory in use: 32%
Total physical RAM: 8114.27 MB
Available physical RAM: 5460.57 MB
Total Virtual: 8626.27 MB
Available Virtual: 5781.72 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:906.28 GB) (Free:854.13 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:24.22 GB) (Free:2.7 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 66EC646A)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

Edited by xXToffeeXx, 16 December 2015 - 08:58 AM.
Posted logs in the topic~



#2 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:54 PM

Posted 16 December 2015 - 09:11 AM

Hi pancakedancer,
 
Do you know what file caused this infection (did your antivirus remove the file by any chance)?
 
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these: AVG 2016 or McAfee LiveSafe - Internet Security.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 pancakedancer
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:54 AM

Posted 17 December 2015 - 04:34 AM

The McAfee LiveSafe is bloatware from Windows. I'm not sure how to uninstall it. That's why I installed AVG because I actually use it. I can uninstall it if you want but the chances are it's still there.

I'm not sure. The wall locker thing came up when my stepdad actually used the computer. Apparently he was infected by an email link that he clicked on or something, not sure what really happened. But mum says he got an email from the post office saying that he had a parcel to collect and then whatever they did said that he had to pay up.

There are instructions on how to pay up but they haven't been coming up whenever I restart the computer. I don't know if they're still there or not and whether the 3 trojans that were caught are the things that have infected the computer.

So what's the next step then once I remove AVG?



#4 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:54 PM

Posted 17 December 2015 - 01:49 PM

Hi pancakedancer,
 
Ah, I understand now. Please see here on how to properly uninstall McAfee LiveSafe. Let me know if there are any problems.
 
Does he still have that email?
 
We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
2015-12-10 16:01 - 2015-12-10 16:02 - 00000000 ____D C:\ProgramData\ytacedefatykysur
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Emsisoft log

xXToffeeXx~




#5 pancakedancer
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:54 AM

Posted 17 December 2015 - 09:15 PM

FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-12-2015
Ran by Francis (administrator) on FSSYAPP (18-12-2015 10:10:12)
Running from C:\Users\Francis\Downloads
Loaded Profiles: Francis (Available Profiles: Francis)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIJJE.EXE
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIJJE.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXSTM.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7642328 2014-10-07] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2818800 2014-06-17] (Synaptics Incorporated)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-02] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [509192 2014-10-10] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058400 2012-01-26] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [642664 2013-12-24] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863848 2013-12-24] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguix.exe [1136552 2015-11-12] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [3855272 2015-12-09] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2811792 2015-12-16] ()
HKU\S-1-5-21-1654402718-668299363-900708384-1001\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIJJE.EXE [283232 2012-02-28] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1654402718-668299363-900708384-1001\...\Run: [NETGEARGenie] => C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe [603392 2015-08-26] (NETGEAR Inc.)
HKU\S-1-5-21-1654402718-668299363-900708384-1001\...\Run: [EPLTarget\P0000000000000001] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIJJE.EXE [283232 2012-02-28] (SEIKO EPSON CORPORATION)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{08300455-9470-48B0-AADD-42C2FBE45E64}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5E8B958B-B7C5-46A2-88CF-05E4092A637F}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\S-1-5-21-1654402718-668299363-900708384-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files\AVG Web TuneUp\4.2.3.128\AVG Web TuneUp.dll [2015-12-16] (AVG)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => No File
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-07-26] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2015-05-06] (Hewlett-Packard)

FireFox:
========
FF ProfilePath: C:\Users\Francis\AppData\Roaming\Mozilla\Firefox\Profiles\vgq3gegl.default
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.2.3\\npsitesafety.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-06-20] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-06-20] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-09-04] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-09-04] (Intel Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-06] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-10-24] (Adobe Systems Inc.)
FF Extension: AVG Web TuneUp - C:\Users\Francis\AppData\Roaming\Mozilla\Firefox\Profiles\vgq3gegl.default\extensions\avg@toolbar.xpi [2015-12-16]
FF Extension: Adblock Plus - C:\Users\Francis\AppData\Roaming\Mozilla\Firefox\Profiles\vgq3gegl.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-12-18]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [615584 2015-12-09] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagent.exe [3857272 2015-12-09] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1046952 2015-11-12] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [579776 2015-12-09] (AVG Technologies CZ, s.r.o.)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [255040 2014-08-26] (WildTangent)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [25800 2015-09-28] (Hewlett-Packard Company)
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [569608 2014-10-10] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-06-26] (Intel Corporation)
R2 ibtsiva.exe; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [121288 2014-08-14] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [328296 2014-10-08] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-14] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-09-04] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-09-04] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [265936 2014-06-19] ()
S3 NETGEARGenieDaemon; C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [232192 2015-08-26] (NETGEAR)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-29] (Softex Inc.) [File not signed]
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-15] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-09-05] (Realtek Semiconductor)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [191728 2014-06-17] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [1164688 2015-12-16] ()
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3816656 2014-06-19] (Intel® Corporation)
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [23152 2015-09-09] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [184240 2015-11-06] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [313776 2015-11-06] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [298416 2015-08-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [284080 2015-10-21] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [398256 2015-08-14] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [256432 2015-11-06] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [42416 2015-08-10] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [306608 2015-10-08] (AVG Technologies CZ, s.r.o.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-13] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [41080 2015-12-18] ()
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [219592 2014-08-14] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-18] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [126976 2014-09-04] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\Netwbw02.sys [3488744 2014-07-23] (Intel Corporation)
R2 NPF; C:\Windows\system32\drivers\npf.sys [35344 2015-11-15] (CACE Technologies, Inc.)
U5 RTSPER; C:\Windows\System32\Drivers\RTSPER.sys [506072 2014-06-21] (Realsil Semiconductor Corporation)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2014-06-17] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-06-17] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-23] (Hewlett-Packard Development Company, L.P.)
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-18 10:10 - 2015-12-18 10:10 - 00000000 ____D C:\Users\Francis\Downloads\FRST-OlderVersion
2015-12-18 10:04 - 2015-12-18 10:04 - 00000000 ____D C:\Program Files\Common Files\AV
2015-12-18 09:57 - 2015-12-18 09:57 - 07480112 _____ (McAfee, Inc.) C:\Users\Francis\Downloads\MCPR.exe
2015-12-18 09:56 - 2015-12-18 10:08 - 00041080 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2015-12-16 13:58 - 2015-12-16 13:59 - 00035500 _____ C:\Users\Francis\Downloads\Addition.txt
2015-12-16 13:56 - 2015-12-18 10:10 - 00018544 _____ C:\Users\Francis\Downloads\FRST.txt
2015-12-16 13:56 - 2015-12-18 10:10 - 00000000 ____D C:\FRST
2015-12-16 13:49 - 2015-12-16 13:50 - 01309184 _____ C:\Users\Francis\Downloads\zoek.exe
2015-12-16 13:43 - 2015-12-16 13:43 - 00000000 ____D C:\AdwCleaner
2015-12-16 12:38 - 2015-12-16 12:38 - 01599336 _____ (Malwarebytes) C:\Users\Francis\Downloads\JRT.exe
2015-12-16 12:37 - 2015-12-18 10:10 - 02370048 _____ (Farbar) C:\Users\Francis\Downloads\FRST64.exe
2015-12-16 12:37 - 2015-12-16 12:38 - 01740288 _____ C:\Users\Francis\Downloads\AdwCleaner.exe
2015-12-16 12:04 - 2015-12-16 12:04 - 05066096 _____ (AVAST Software) C:\Users\Francis\Downloads\avast_free_antivirus_setup_online.exe
2015-12-16 11:26 - 2015-12-18 10:09 - 00000000 ____D C:\Program Files\HitmanPro
2015-12-16 11:25 - 2015-12-16 11:35 - 00000000 ____D C:\ProgramData\HitmanPro
2015-12-16 11:23 - 2015-12-16 11:26 - 11323704 _____ (SurfRight B.V.) C:\Users\Francis\Downloads\HitmanPro_x64.exe
2015-12-16 11:22 - 2015-12-16 11:22 - 00000000 ____D C:\Users\Francis\AppData\Local\AVG Web TuneUp
2015-12-16 11:21 - 2015-12-16 11:22 - 00000000 ____D C:\ProgramData\AVG Web TuneUp
2015-12-16 11:21 - 2015-12-16 11:21 - 00000000 ____D C:\ProgramData\AVG Secure Search
2015-12-16 11:21 - 2015-12-16 11:21 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2015-12-16 11:21 - 2015-12-16 11:21 - 00000000 ____D C:\Program Files\AVG Web TuneUp
2015-12-16 11:21 - 2015-12-16 11:21 - 00000000 ____D C:\Program Files (x86)\AVG Web TuneUp
2015-12-16 11:01 - 2015-12-18 09:57 - 00003106 _____ C:\Windows\System32\Tasks\BDAntiCryptoWallTask
2015-12-16 11:00 - 2015-12-16 12:33 - 00000258 __RSH C:\ProgramData\ntuser.pol
2015-12-16 10:59 - 2015-12-16 10:59 - 00000000 ____D C:\Windows\pss
2015-12-16 10:59 - 2015-12-16 10:59 - 00000000 ____D C:\Program Files\Bitdefender
2015-12-16 10:57 - 2015-12-18 10:03 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2015-12-16 10:57 - 2015-12-18 09:56 - 00872747 _____ C:\Windows\ZAM.krnl.trace
2015-12-16 10:57 - 2015-12-18 09:56 - 00026229 _____ C:\Windows\ZAM_Guard.krnl.trace
2015-12-16 10:57 - 2015-12-16 10:57 - 00000000 ____D C:\Users\Francis\AppData\Local\Zemana
2015-12-16 10:53 - 2015-12-16 10:53 - 04773648 _____ (Bitdefender ) C:\Users\Francis\Downloads\BDAntiCryptoWallSetup.exe
2015-12-16 10:49 - 2015-12-16 10:50 - 05298752 _____ ( ) C:\Users\Francis\Downloads\Zemana.AntiMalware.Setup.exe
2015-12-16 10:29 - 2015-12-16 10:29 - 00000000 ____D C:\Users\Francis\AppData\Roaming\AVG
2015-12-16 10:25 - 2015-12-16 10:25 - 00000000 ____D C:\Users\Francis\AppData\Roaming\TuneUp Software
2015-12-16 10:25 - 2015-12-16 10:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-12-16 10:24 - 2015-12-16 10:24 - 00000000 ___HD C:\$AVG
2015-12-16 10:19 - 2015-12-18 09:51 - 00000000 ____D C:\ProgramData\MFAData
2015-12-16 10:19 - 2015-12-16 10:19 - 00000956 _____ C:\Users\Public\Desktop\AVG.lnk
2015-12-16 10:19 - 2015-12-16 10:19 - 00000000 ____D C:\Users\Francis\AppData\Local\MFAData
2015-12-16 10:19 - 2015-12-16 10:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2015-12-16 10:17 - 2015-12-16 10:24 - 00000000 ____D C:\ProgramData\Avg
2015-12-16 10:17 - 2015-12-16 10:22 - 00000000 ____D C:\Program Files (x86)\AVG
2015-12-16 10:16 - 2015-12-18 10:05 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-16 10:16 - 2015-12-16 10:29 - 00000000 ____D C:\Users\Francis\AppData\Local\Avg
2015-12-16 10:16 - 2015-12-16 10:19 - 00000000 ____D C:\Users\Francis\AppData\Local\AvgSetupLog
2015-12-16 10:15 - 2015-12-16 10:15 - 02970984 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Francis\Downloads\AVG_Protection_Free_698.exe
2015-12-16 10:15 - 2015-12-16 10:15 - 00001121 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-16 10:15 - 2015-12-16 10:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-16 10:15 - 2015-12-16 10:15 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-16 10:15 - 2015-12-16 10:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-16 10:15 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-12-16 10:15 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-12-16 10:15 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-12-16 10:14 - 2015-12-16 10:15 - 22908888 _____ (Malwarebytes ) C:\Users\Francis\Downloads\mbam-setup-2.2.0.1024.exe
2015-12-14 08:36 - 2015-12-14 08:36 - 00002250 _____ C:\Users\Francis\Desktop\HP Support Assistant.lnk
2015-12-12 14:21 - 2015-12-12 14:21 - 00184226 _____ C:\Users\Francis\Downloads\eStatement_12132015.pdf
2015-12-10 20:58 - 2015-12-10 20:58 - 03640559 _____ C:\Users\Francis\Downloads\Xmas lights at the upstair landings.zip
2015-12-10 16:06 - 2015-12-10 16:06 - 00008477 _____ C:\Users\Francis\Downloads\HOW_TO_RESTORE_FILES.html
2015-12-10 16:06 - 2015-12-10 16:06 - 00008477 _____ C:\Users\Francis\Documents\HOW_TO_RESTORE_FILES.html
2015-12-10 16:06 - 2015-12-10 16:06 - 00002933 _____ C:\Users\Francis\Downloads\HOW_TO_RESTORE_FILES.txt
2015-12-10 16:06 - 2015-12-10 16:06 - 00002933 _____ C:\Users\Francis\Documents\HOW_TO_RESTORE_FILES.txt
2015-12-10 16:01 - 2015-12-10 16:02 - 00000000 ____D C:\ProgramData\ytacedefatykysur
2015-12-09 12:06 - 2015-11-12 00:21 - 25837568 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-12-09 12:06 - 2015-11-12 00:00 - 12856832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-12-09 12:06 - 2015-11-11 23:44 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-12-09 12:06 - 2015-11-11 23:44 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2015-12-09 12:06 - 2015-11-11 23:41 - 20366848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-12-09 12:06 - 2015-11-11 23:12 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-12-09 12:06 - 2015-11-10 08:13 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-12-09 12:06 - 2015-11-10 08:11 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-12-09 12:06 - 2015-11-10 08:08 - 02280448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-12-09 12:06 - 2015-11-10 08:04 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-12-09 12:06 - 2015-11-10 08:02 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-12-09 12:06 - 2015-11-10 07:46 - 04514816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-12-09 12:06 - 2015-11-10 07:41 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-12-09 12:06 - 2015-11-10 07:37 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-12-09 12:06 - 2015-11-10 07:36 - 02050560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-12-09 12:06 - 2015-11-10 07:36 - 00687104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-12-09 12:06 - 2015-11-10 07:36 - 00325632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-12-09 12:06 - 2015-11-10 07:25 - 01048576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\actxprxy.dll
2015-12-09 12:06 - 2015-11-10 07:17 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-12-09 12:06 - 2015-11-10 07:14 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-12-09 12:06 - 2015-11-10 07:12 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-12-09 12:06 - 2015-11-09 06:15 - 02887168 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-12-09 12:06 - 2015-11-09 06:15 - 00571392 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-12-09 12:06 - 2015-11-09 06:04 - 05923840 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-12-09 12:06 - 2015-11-09 06:02 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-12-09 12:06 - 2015-11-09 06:01 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-12-09 12:06 - 2015-11-09 05:32 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-12-09 12:06 - 2015-11-09 05:32 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2015-12-09 12:06 - 2015-11-09 05:25 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-12-09 12:06 - 2015-11-09 05:18 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-12-09 12:06 - 2015-11-09 05:16 - 00372224 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-12-09 12:06 - 2015-11-09 05:15 - 00798208 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-12-09 12:06 - 2015-11-09 05:15 - 00718336 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-12-09 12:06 - 2015-11-09 05:14 - 14456832 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-12-09 12:06 - 2015-11-09 05:13 - 02123264 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-12-09 12:06 - 2015-11-09 04:53 - 02880000 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2015-12-09 12:06 - 2015-11-09 04:53 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-12-09 12:06 - 2015-11-09 04:41 - 01546752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-12-09 12:06 - 2015-11-09 04:30 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-12-09 12:04 - 2015-11-05 16:59 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2015-12-09 08:12 - 2015-11-22 14:59 - 07455064 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-12-09 08:12 - 2015-11-22 14:59 - 01735000 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-12-09 08:12 - 2015-11-22 14:59 - 01659568 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-12-09 08:12 - 2015-11-22 14:59 - 01519592 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-12-09 08:12 - 2015-11-22 14:59 - 01487008 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-12-09 08:12 - 2015-11-22 14:59 - 01355848 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2015-12-09 08:12 - 2015-11-22 14:58 - 01499920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-12-09 08:12 - 2015-11-22 02:32 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-12-09 08:12 - 2015-11-22 01:50 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-12-09 08:12 - 2015-11-22 00:59 - 01706496 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2015-12-09 08:12 - 2015-11-22 00:49 - 01344000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comsvcs.dll
2015-12-09 08:12 - 2015-11-22 00:47 - 00522240 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll
2015-12-09 08:12 - 2015-11-22 00:40 - 00414208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\catsrvut.dll
2015-12-09 08:12 - 2015-11-09 08:41 - 01540728 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2015-12-09 08:12 - 2015-11-09 06:30 - 04176384 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-12-09 08:12 - 2015-11-09 05:23 - 01994752 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-12-09 08:12 - 2015-11-09 05:13 - 01383936 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-12-09 08:12 - 2015-11-09 05:01 - 01753600 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2015-12-09 08:12 - 2015-11-09 04:52 - 01559552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2015-12-09 08:12 - 2015-11-09 04:48 - 01376256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2015-12-09 08:12 - 2015-11-09 04:42 - 01490944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GdiPlus.dll
2015-12-09 08:12 - 2015-10-23 01:43 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\kbdgeoqw.dll
2015-12-09 08:12 - 2015-10-23 01:43 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZST.DLL
2015-12-09 08:12 - 2015-10-23 01:43 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZEL.DLL
2015-12-09 08:12 - 2015-10-23 01:43 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZE.DLL
2015-12-09 08:12 - 2015-10-23 00:59 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kbdgeoqw.dll
2015-12-09 08:12 - 2015-10-23 00:59 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDAZST.DLL
2015-12-09 08:12 - 2015-10-23 00:59 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDAZEL.DLL
2015-12-09 08:12 - 2015-10-23 00:59 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDAZE.DLL
2015-12-09 08:12 - 2015-10-23 00:21 - 01200128 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Globalization.dll
2015-12-09 08:12 - 2015-10-23 00:21 - 00323072 _____ (Microsoft Corporation) C:\Windows\system32\GlobCollationHost.dll
2015-12-09 08:12 - 2015-10-22 23:58 - 00868864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Globalization.dll
2015-12-09 08:12 - 2015-10-22 23:58 - 00200704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GlobCollationHost.dll
2015-12-09 08:12 - 2015-10-22 22:08 - 00513456 _____ C:\Windows\SysWOW64\locale.nls
2015-12-09 08:12 - 2015-10-22 22:08 - 00513456 _____ C:\Windows\system32\locale.nls
2015-12-09 08:12 - 2015-10-11 01:20 - 00186880 _____ (Microsoft Corporation) C:\Windows\system32\dpapisrv.dll
2015-12-09 08:12 - 2015-10-04 03:41 - 01385280 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-12-09 08:12 - 2015-10-04 03:41 - 01124384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2015-12-09 08:11 - 2015-11-21 06:47 - 00136904 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-12-09 08:11 - 2015-11-21 02:18 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-12-09 08:11 - 2015-11-21 00:58 - 03706880 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-12-09 08:11 - 2015-11-21 00:47 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-12-09 08:11 - 2015-11-21 00:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-12-09 08:11 - 2015-11-21 00:44 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2015-12-09 08:11 - 2015-11-21 00:44 - 00095744 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-12-09 08:11 - 2015-11-21 00:43 - 00897024 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-12-09 08:11 - 2015-11-21 00:42 - 02243584 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-12-09 08:11 - 2015-11-21 00:30 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-12-09 08:11 - 2015-11-21 00:29 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-12-09 08:11 - 2015-11-21 00:28 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-12-09 08:11 - 2015-11-21 00:27 - 00726528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-12-09 08:11 - 2015-10-28 23:49 - 02775552 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-12-09 08:11 - 2015-10-28 23:29 - 02462720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2015-12-09 08:11 - 2015-10-11 14:34 - 00468824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBHUB3.SYS
2015-12-09 08:11 - 2015-10-11 14:34 - 00462168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2015-12-09 08:11 - 2015-10-11 14:34 - 00443224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2015-12-09 08:11 - 2015-10-11 14:34 - 00092504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2015-12-09 08:11 - 2015-10-11 14:34 - 00027992 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2015-12-09 08:11 - 2015-10-11 02:41 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2015-12-09 08:11 - 2015-10-11 02:41 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2015-12-09 08:11 - 2015-10-09 00:11 - 00060928 _____ (Microsoft Corporation) C:\Windows\system32\PCPKsp.dll
2015-12-09 08:11 - 2015-10-08 23:50 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PCPKsp.dll
2015-12-09 08:11 - 2015-10-06 02:28 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\wininit.exe
2015-12-09 08:11 - 2015-10-06 02:25 - 00572928 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2015-12-08 16:35 - 2015-12-10 16:06 - 13397874 _____ C:\Users\Francis\Downloads\ongteik sent you an video file!.zip.encrypted
2015-12-02 14:37 - 2015-12-10 16:06 - 00190145 _____ C:\Users\Francis\Documents\img029.pdf.encrypted
2015-11-25 08:58 - 2015-12-10 16:06 - 07028798 _____ C:\Users\Francis\Downloads\Scheme-Text--updated-to-include-GG-24.3.2015-.pdf.encrypted
2015-11-23 19:15 - 2015-12-10 16:06 - 00024346 _____ C:\Users\Francis\Downloads\Entitlement_Details_-_Angela_Chin_Ying_Han.pdf.encrypted
2015-11-23 19:06 - 2015-12-10 16:06 - 05800662 _____ C:\Users\Francis\Downloads\LF order form.pdf.encrypted
2015-11-22 22:30 - 2015-12-15 17:27 - 00000356 _____ C:\Windows\Tasks\HPCeeScheduleForFrancis.job
2015-11-22 22:30 - 2015-12-13 20:23 - 00003174 _____ C:\Windows\System32\Tasks\HPCeeScheduleForFrancis
2015-11-20 11:00 - 2015-12-10 16:06 - 00115918 _____ C:\Users\Francis\Documents\img027.pdf.encrypted

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-18 10:10 - 2015-08-01 13:54 - 00003594 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1654402718-668299363-900708384-1001
2015-12-18 10:09 - 2014-03-18 17:53 - 00958356 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-18 10:09 - 2013-08-22 21:36 - 00000000 ____D C:\Windows\Inf
2015-12-18 10:07 - 2015-08-01 13:54 - 00000000 ____D C:\Users\Francis\Documents\Youcam
2015-12-18 10:05 - 2015-08-01 14:18 - 00000000 ____D C:\Users\Francis\OneDrive
2015-12-18 10:03 - 2013-08-22 22:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-18 10:02 - 2013-08-22 21:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-12-18 10:00 - 2013-08-22 23:36 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-12-18 10:00 - 2013-08-22 21:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2015-12-18 09:59 - 2014-11-01 20:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security and Protection
2015-12-18 09:55 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-12-18 09:54 - 2015-08-01 14:40 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{7F6B8A90-16AA-43D3-ACD5-A053FD9C72D5}
2015-12-18 09:54 - 2015-08-01 13:49 - 00000000 ____D C:\Users\Francis\AppData\Local\Packages
2015-12-18 09:54 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\AppReadiness
2015-12-16 13:59 - 2013-08-22 21:36 - 00000000 ____D C:\Windows
2015-12-16 11:22 - 2015-11-10 16:12 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-16 10:59 - 2013-08-22 23:36 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-12-15 17:42 - 2014-11-01 20:38 - 00000000 ____D C:\Windows\System32\Tasks\Hewlett-Packard
2015-12-15 17:42 - 2014-11-01 20:38 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2015-12-15 17:26 - 2013-08-22 22:44 - 00378000 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-14 08:36 - 2014-11-01 20:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2015-12-14 08:36 - 2014-11-01 20:33 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-12-14 08:36 - 2014-11-01 20:29 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2015-12-14 08:33 - 2015-08-01 13:52 - 00000000 ____D C:\Users\Francis\AppData\Roaming\hpqlog
2015-12-14 08:33 - 2014-04-05 07:55 - 00000000 ____D C:\SWSetup
2015-12-13 08:33 - 2013-08-22 23:20 - 00000000 ____D C:\Windows\CbsTemp
2015-12-12 22:52 - 2013-08-22 23:36 - 00000000 __RHD C:\Users\Public\Libraries
2015-12-12 22:49 - 2015-08-01 13:48 - 00000000 ____D C:\Users\Francis
2015-12-10 16:06 - 2015-11-12 15:50 - 04337897 _____ C:\Users\Francis\Downloads\Emerald Rhumba.zip.encrypted
2015-12-10 16:06 - 2015-11-11 13:51 - 00101479 _____ C:\Users\Francis\Documents\subi ext of lease.pdf.encrypted
2015-12-10 16:06 - 2015-11-02 12:11 - 01930417 _____ C:\Users\Francis\Documents\img025.pdf.encrypted
2015-12-10 16:06 - 2015-10-30 16:56 - 00213388 _____ C:\Users\Francis\Documents\img024.pdf.encrypted
2015-12-10 16:06 - 2015-10-30 16:21 - 00022705 _____ C:\Users\Francis\Downloads\MindValley Pay.zip.encrypted
2015-12-10 16:06 - 2015-10-28 18:31 - 01507949 _____ C:\Users\Francis\Documents\img023.pdf.encrypted
2015-12-10 16:06 - 2015-10-08 15:35 - 00156311 _____ C:\Users\Francis\Documents\img022.pdf.encrypted
2015-12-10 16:06 - 2015-10-08 15:30 - 00120345 _____ C:\Users\Francis\Documents\img021.pdf.encrypted
2015-12-10 16:06 - 2015-10-08 13:49 - 00157562 _____ C:\Users\Francis\Documents\img020.pdf.encrypted
2015-12-10 16:06 - 2015-10-08 11:39 - 00400014 _____ C:\Users\Francis\Documents\img019.pdf.encrypted
2015-12-10 16:06 - 2015-10-07 10:58 - 05086227 _____ C:\Users\Francis\Downloads\Outlook.com.zip.encrypted
2015-12-10 16:06 - 2015-10-06 15:09 - 01928092 _____ C:\Users\Francis\Documents\img018.pdf.encrypted
2015-12-10 16:06 - 2015-09-24 09:28 - 00370243 _____ C:\Users\Francis\Documents\img017.pdf.encrypted
2015-12-10 16:06 - 2015-09-18 15:33 - 00294712 _____ C:\Users\Francis\Documents\img016.pdf.encrypted
2015-12-10 16:06 - 2015-09-18 15:15 - 00116310 _____ C:\Users\Francis\Documents\img015.pdf.encrypted
2015-12-10 16:06 - 2015-09-17 22:36 - 00285938 _____ C:\Users\Francis\Downloads\eStatement_09132015.pdf.encrypted
2015-12-10 16:06 - 2015-09-08 13:10 - 00009272 _____ C:\Users\Francis\Documents\img012.pdf.encrypted
2015-12-10 16:06 - 2015-09-07 15:21 - 00047127 _____ C:\Users\Francis\Documents\img011.pdf.encrypted
2015-12-10 16:06 - 2015-09-07 15:18 - 00020814 _____ C:\Users\Francis\Documents\img010.pdf.encrypted
2015-12-10 16:06 - 2015-09-01 14:34 - 00039059 _____ C:\Users\Francis\Documents\img003.pdf.encrypted
2015-12-10 16:06 - 2015-08-31 09:24 - 00037152 _____ C:\Users\Francis\Documents\img002.pdf.encrypted
2015-12-10 16:06 - 2015-08-31 09:07 - 00030810 _____ C:\Users\Francis\Downloads\FD Application Form(1).pdf.encrypted
2015-12-10 16:06 - 2015-08-31 09:05 - 00030810 _____ C:\Users\Francis\Downloads\FD Application Form.pdf.encrypted
2015-12-10 16:06 - 2015-08-09 12:03 - 00026715 _____ C:\Users\Francis\Documents\img001.pdf.encrypted
2015-12-10 16:06 - 2015-08-08 15:30 - 00024206 _____ C:\Users\Francis\Downloads\Agenda - AGM 8-8-2015.docx.encrypted
2015-12-10 16:06 - 2015-08-04 16:57 - 01474429 _____ C:\Users\Francis\Downloads\VID-20150803-WA0003.mp4.y5v72y0.partial.encrypted
2015-12-10 16:06 - 2015-08-01 14:20 - 00000000 ____D C:\Users\Francis\Documents\francis old laptop backup 01815
2015-12-10 16:06 - 2015-08-01 13:48 - 00000000 ___HD C:\Users\Francis\Documents\hp.system.package.metadata
2015-12-10 16:03 - 2014-04-05 07:45 - 00000000 ___HD C:\SYSTEM.SAV
2015-12-10 16:01 - 2015-10-30 16:27 - 00000000 ____D C:\Users\Francis\Desktop\OpenOffice 4.1.2 (en-US) Installation Files
2015-12-10 16:01 - 2015-10-07 10:58 - 04031637 _____ C:\Users\Francis\Desktop\Quote attached  Job no.10653, 17 Archdeacon St. Nedlands..eml.encrypted
2015-12-10 16:01 - 2015-10-07 10:58 - 01054715 _____ C:\Users\Francis\Desktop\Quote attached Job no. 10653,17 Archdeacon St , Nedlands.eml.encrypted
2015-12-10 16:01 - 2015-09-18 20:38 - 03409909 _____ C:\Users\Francis\Desktop\IMG_0109.JPG.encrypted
2015-12-10 16:01 - 2015-09-18 20:38 - 02682807 _____ C:\Users\Francis\Desktop\IMG_0110.JPG.encrypted
2015-12-10 16:01 - 2015-08-25 16:14 - 00179505 _____ C:\Users\Francis\Desktop\Realdev Sdn Bhd C2014_0785478300.pdf.encrypted
2015-12-10 16:01 - 2015-08-25 16:14 - 00130062 _____ C:\Users\Francis\Desktop\Realdev.pdf.encrypted
2015-12-09 13:01 - 2015-08-04 13:48 - 00000000 ____D C:\Windows\system32\MRT
2015-12-09 12:59 - 2015-08-04 13:48 - 140158008 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-12-06 08:31 - 2013-08-22 23:36 - 00000000 ___HD C:\Program Files\WindowsApps
2015-12-02 08:36 - 2013-08-22 23:36 - 00000000 ____D C:\Windows\system32\NDF
2015-12-02 01:19 - 2015-08-04 15:12 - 00826872 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-02 01:19 - 2015-08-04 15:12 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-11-28 15:11 - 2015-08-25 16:18 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-11-22 22:30 - 2015-08-01 13:52 - 00000000 ____D C:\Users\Francis\AppData\Local\Hewlett-Packard
2015-11-21 20:22 - 2015-11-15 14:29 - 00000000 ____D C:\Users\Francis\AppData\Local\NETGEARGenie

Some files in TEMP:
====================
C:\Users\Francis\AppData\Local\Temp\0236501450403837mcinst.exe
C:\Users\Francis\AppData\Local\Temp\HitmanPro.exe
C:\Users\Francis\AppData\Local\Temp\McCSPInstall.dll
C:\Users\Francis\AppData\Local\Temp\mccspuninstall.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-12-13 15:45

==================== End of FRST.txt ============================



#6 pancakedancer

pancakedancer
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:54 AM

Posted 17 December 2015 - 11:24 PM

Emsisoft

 

Emsisoft Emergency Kit - Version 10.0
Last update: 18/12/2015 10:17:48 AM
User account: FSSYAPP\Francis

Scan settings:

Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, D:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: On

Scan start:    18/12/2015 10:19:06 AM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SCRIPTHELPER.SCRIPTHELPERAPI     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SCRIPTHELPER.SCRIPTHELPERAPI.1     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}     detected: Application.AdReg (A)

Scanned    308042
Found    6

Scan end:    18/12/2015 11:31:54 AM
Scan time:    1:12:48

Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SCRIPTHELPER.SCRIPTHELPERAPI    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SCRIPTHELPER.SCRIPTHELPERAPI.1    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}    Quarantined Application.AdReg (A)

Quarantined    6
 



#7 pancakedancer

pancakedancer
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:54 AM

Posted 17 December 2015 - 11:26 PM

Admittedly, the Cryptolocker box hasn't been appearing, although the files about how to restore the computer/pay us type thing are still on the computer. So I'm not sure if the trojans that were found by AVG have caught it, whatever it was. How do I know if it's still there, and is it safe to delete the files?



#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:54 PM

Posted 19 December 2015 - 01:52 PM

Hi pancakedancer,
 
The malware is no longer active; only the encrypted files are left. Unfortunately, without an active sample, it becomes very difficult to offer a solution to decrypt the files.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 pancakedancer

pancakedancer
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:54 AM

Posted 20 December 2015 - 04:08 AM

Hmm, I don't think that's true. All of the files on the computer now end with .encrypted. How do I decrypt all the files?



#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:54 PM

Posted 21 December 2015 - 02:00 PM

Hi pancakedancer,
 
Which part do you think is not true?
 
Without an active sample, those of us who would look into the infection to see if we can decrypt it really cannot. Dr Web used to offer decryption; however, they stopped unless you were running their product when you were encrypted.
 
xXToffeeXx~




#11 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:54 PM

Posted 30 December 2015 - 04:23 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





