
Lots of Trojans found and deleted. But is there anything else?


  • This topic is locked
16 replies to this topic

#1 huntsin2

huntsin2

  • Members
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 23 December 2015 - 05:28 PM

Hi,

 

I have run a number of scans and deleted a bunch of Trojans and Adware. However, having been on this site recently I understand that the scans that I run may not find everything. I just want to make sure that this computer is completely clean.

 

I have run rkill, tdsskiller, malwarebytes techbench, eset online scanner, junkware removal tool, adwcleaner.

 

I can provide logs if needed.

 

I have also taken a look at the AutoRuns logon tab.

 

The computer is Windows 7 Home Premium x64.


Edited by huntsin2, 23 December 2015 - 05:36 PM.



 


#2 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 23 December 2015 - 06:47 PM

Adware Cleaner Scan.

 

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

JRT Scan.

Please download Junkware Removal Tool and save it on your desktop.

 

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.

Adware Removal Tool Scan.

 

Download Adware removal tool to your desktop, right click the icon and select Run as Administrator.

 

 

[screenshot]

 

Hit Ok.

 

[screenshot]

 

Hit next make sure to leave all items checked, for removal.

 

[screenshot]

 

 

The Program will close all open programs to complete the removal, so save any work and hit OK. Then hit OK after the removal process is complete, then OK again to finish up. Post the log generated by the tool.

 

ZHP Scan.

1. Please download ZHPCleaner to your desktop. Right click the icon and select Run as administrator.

http://nicolascoolman.com/download/zhpcleaner

 

 

2. Once you have started the program, you will need to click the scanner button.

[screenshot]

The program will close all open browsers!

3. Once the scan is completed, you will want to click the Repair button.

[screenshot]

At the end of the process you may be asked to reboot your machine. After you reboot a report will open on your desktop.

Copy and paste the report here in your next reply.

Zemana Scan

 

 

Run a full scan with Zemana AntiMalware!

Install and select deep scan.

[screenshot]

Remove any infections found.

Then click on the icon in the pic below.

[screenshot]

Double click on the scan log, copy and paste here in your reply.



#3 huntsin2

huntsin2
  • Topic Starter

  • Members
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 24 December 2015 - 05:48 PM


Thanks for the post, I will probably need to wait until tomorrow sometime until I can post again. Happy holidays.

#4 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 24 December 2015 - 06:16 PM

:guitar:  No problem. :guitar:



#5 huntsin2

huntsin2
  • Topic Starter

  • Members
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 26 December 2015 - 12:06 PM


Hello,

I haven't forgotten about this post. I will probably post on Monday.

#6 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 26 December 2015 - 12:09 PM

Not a problem, post Monday or next month. Real life comes first. :)



#7 huntsin2

huntsin2
  • Topic Starter

  • Members
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 28 December 2015 - 09:57 PM


Thanks for your sentiments. I appreciate that.

#8 huntsin2

huntsin2
  • Topic Starter

  • Members
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 30 December 2015 - 06:25 PM

 
Thank you for your patience.
 
 
-----------------------------------------------------------------
 
# AdwCleaner v5.026 - Logfile created 23/12/2015 at 18:06:31
# Updated 21/12/2015 by Xplode
# Database : 2015-12-23.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : nancy - NANCY-HP
# Running from : C:\Users\nancy\Downloads\adwcleaner_5.026.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [590 bytes] ##########
 
-------------------------------------------------------------------------------------------------------------------
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Home Premium x64 
Ran by nancy (Administrator) on Wed 12/30/2015 at 12:17:16.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 12/30/2015 at 12:53:22.81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---------------------------------------------------------------------------------------------------------------------
 


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 
 
Adware Removal Tool v4.1
Time: 2015_12_30_12_59_08
OS: Windows 7 Home Premium - x64 Bit
Account Name: nancy
Adware Definition: Adware Definition: Dec-28-2015-1
Repair Status:- Automatic Done
\\\\\\\\\\\\\\\\\\\\\\\ Repair Logs \\\\\\\\\\\\\\\\\\\\\\
 
Deleted ->> Registry Value Data ->> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\Settings\ ->> TaskbarPositions : twGenScan|1||lnkCompUpdate|2||lnkRunVirtualKiosk|3||lnkCompQuarantine|4||twGetLiveSupport|5
 
Deleted ->> Registry Value Data ->> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\1\Settings\ ->> TaskbarPositions : twGenScan|1||lnkCompUpdate|2||lnkRunVirtualKiosk|3||lnkCompQuarantine|4||twGetLiveSupport|5
 
Deleted ->> Registry Value Data ->> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\2\Settings\ ->> TaskbarPositions : twGetLiveSupport|5||lnkCompQuarantine|4||lnkCompUpdate|2||lnkRunVirtualKiosk|3||twGenScan|1
 
Deleted ->> Registry Value Data ->> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations\0\Settings\ ->> TaskbarPositions : twGenScan|1||lnkCompUpdate|2||lnkRunVirtualKiosk|3||lnkCompQuarantine|4||twGetLiveSupport|5
 
Deleted ->> Registry Value Data ->> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations\1\Settings\ ->> TaskbarPositions : twGenScan|1||lnkCompUpdate|2||lnkRunVirtualKiosk|3||lnkCompQuarantine|4||twGetLiveSupport|5
 
Deleted ->> Registry Value Data ->> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations\2\Settings\ ->> TaskbarPositions : twGetLiveSupport|5||lnkCompQuarantine|4||lnkCompUpdate|2||lnkRunVirtualKiosk|3||twGenScan|1
 
 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 

~ ZHPCleaner v2015.12.30.409 by Nicolas Coolman (2015/12/30)
~ Run by nancy (Administrator)  (30/12/2015 13:47:08)
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\nancy\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\nancy\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 7 Home Premium, 64-bit Service Pack 1 (Build 7601)
 
 
---\\  Services (0)
~ No malicious or unnecessary items found.
 
 
---\\  Browser internet (0)
~ No malicious or unnecessary items found.
 
 
---\\  Hosts file (1)
~ The hosts file is legitimate (21)
 
 
---\\  Scheduled automatic tasks. (1)
DELETED task: [SN.Booster-S-1532781606] [c:\programdata\superbapp\sn.booster\SN.Booster.exe (Not File) ]  =>Trojan.WebPick
 
 
---\\  Explorer ( File, Folder) (10)
MOVED file: C:\Windows\Tasks\SN.Booster-S-1532781606.job    =>Trojan.WebPick
MOVED file: C:\ProgramData\InstallMate\{FB703F9F-62E2-4894-AA7F-2AC020931D69}\Setup.exe [Tarma Software Research Pty Ltd - InstallMate® Setup]  =>PUP.Optional.Tarma
MOVED file: C:\ProgramData\InstallMate\{FB703F9F-62E2-4894-AA7F-2AC020931D69}\TsuDll.dll [Tarma Software Research Pty Ltd - InstallMate® Setup Library]  =>PUP.Optional.Tarma
MOVED file: C:\Users\nancy\Downloads\ReimageRepair.exe [Reimage® - Reimage Downloader]  =>PUP.Optional.ReImageRepair
MOVED file: C:\Users\nancy\AppData\Local\Temp\ReimagePackage.exe [Reimage® - Reimage Package]  =>PUP.Optional.ReImageRepair
MOVED file: C:\Users\nancy\AppData\Local\Temp\ReiSysUpdate.exe [Reimage® - Reimage System Update]  =>PUP.Optional.ReImageRepair
MOVED file: C:\Users\nancy\AppData\Local\Temp\reimage.log    =>PUP.Optional.ReImageRepair
MOVED folder: C:\ProgramData\InstallMate  =>PUP.Optional.Tarma
MOVED folder: C:\Users\Administrator\AppData\Local\Torch  =>.Superfluous.Torch
MOVED folder: C:\Users\Guest\AppData\Local\Torch  =>.Superfluous.Torch
 
 
---\\  Registry ( Key, Value, Data) (41)
DELETED key: [X64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} [http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF] [Ask.com]  =>Toolbar.Ask
DELETED key: [X64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} [http://www.default-search.net/search?sid=492&aid=100&itype=a&ver=12521&tm=317&src=ds&p={searchTerms}] [default-search.net]  =>PUP.Optional.SearchNet
DELETED key*: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2499777E-5082-BE23-6EBA-381C01CDF8B8} [BestSaeveFForYoui]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{596D4A3C-B5B1-F501-5981-5BF9563D1889} [YoutubeAdblocker]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5052B44-2769-2006-B392-ED92FA921B6D} [DuigiiSaover]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA35CF94-50DD-7D8E-0712-D503E521D34B} [saVe net]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD2D98D9-F7D5-41A3-8A1E-51B062D11B49} [DigieCoupoon]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Classes\CLSID\{2499777E-5082-BE23-6EBA-381C01CDF8B8} [BestSaeveFForYoui]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2499777E-5082-BE23-6EBA-381C01CDF8B8} []  =>PUP.Optional.Multiplug
DELETED key*: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{596D4A3C-B5B1-F501-5981-5BF9563D1889} []  =>PUP.Optional.Multiplug
DELETED key*: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{596D4A3C-B5B1-F501-5981-5BF9563D1889} []  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Classes\CLSID\{596D4A3C-B5B1-F501-5981-5BF9563D1889} [YoutubeAdblocker]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{596D4A3C-B5B1-F501-5981-5BF9563D1889} []  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{596D4A3C-B5B1-F501-5981-5BF9563D1889} [YoutubeAdblocker]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{596D4A3C-B5B1-F501-5981-5BF9563D1889} []  =>PUP.Optional.Multiplug
DELETED key*: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A5052B44-2769-2006-B392-ED92FA921B6D} []  =>PUP.Optional.Multiplug
DELETED key*: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A5052B44-2769-2006-B392-ED92FA921B6D} []  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Classes\CLSID\{A5052B44-2769-2006-B392-ED92FA921B6D} [DuigiiSaover]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A5052B44-2769-2006-B392-ED92FA921B6D} []  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A5052B44-2769-2006-B392-ED92FA921B6D} [DuigiiSaover]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A5052B44-2769-2006-B392-ED92FA921B6D} []  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Classes\CLSID\{BA35CF94-50DD-7D8E-0712-D503E521D34B} [saVe net]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{BA35CF94-50DD-7D8E-0712-D503E521D34B} []  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Classes\CLSID\{FD2D98D9-F7D5-41A3-8A1E-51B062D11B49} [DigieCoupoon]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD2D98D9-F7D5-41A3-8A1E-51B062D11B49} []  =>PUP.Optional.Multiplug
DELETED key: [X64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} [http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF]  =>Toolbar.Ask
DELETED key: [X64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} [http://www.default-search.net/search?sid=492&aid=100&itype=a&ver=12521&tm=317&src=ds&p={searchTerms}]  =>PUP.Optional.SearchNet
DELETED key*: HKEY_USERS\S-1-5-21-2310484217-659247388-3409459481-1002\SOFTWARE\RegisteredApplicationsEx []  =>PUP.Optional.SfKpCouponApp
DELETED key: HKCU\Software\RegisteredApplicationsEx []  =>PUP.Optional.SfKpCouponApp
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\default-search.net []  =>PUP.Optional.SearchNet
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\inst.shoppingate.info [155829]  =>PUP.Optional.ShoppinGate
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\reimageplus.com []  =>PUP.Optional.ReImageRepair
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\shoppingate.info []  =>PUP.Optional.ShoppinGate
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.default-search.net [55]  =>PUP.Optional.SearchNet
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.reimageplus.com [23]  =>PUP.Optional.ReImageRepair
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cdncache-a.akamaihd.net [651]  =>PUP.Optional.Browser
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\putlocker.bz [17]  =>PUP.Optional.PutLocker
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\soundcloud.com [39]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker [YoutubeAdblocker]  =>PUP.Optional.Multiplug
DELETED key*: [X64] HKLM\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0 [YoutubeAdblocker]  =>PUP.Optional.Multiplug
DELETED key: [X64] HKLM\SOFTWARE\Classes\CLSID\{596D4A3C-B5B1-F501-5981-5BF9563D1889}\InprocServer32 [C:\Program Files (x86)\YoutubeAdblocker\U.x64.dll (Not File)]  =>PUP.Optional.Multiplug
 
 
---\\  Summary of the elements found (11)
http://www.nicolascoolman.fr/?p=1075  =>PUP.Optional.ReImageRepair
http://www.nicolascoolman.fr/?p=83  =>PUP.Optional.SearchNet
http://www.nicolascoolman.fr/?p=1402  =>PUP.Optional.Multiplug
http://www.nicolascoolman.fr/?p=4664  =>PUP.Optional.SfKpCouponApp
http://www.nicolascoolman.fr/?p=4664  =>PUP.Optional.ShoppinGate
http://www.nicolascoolman.fr/?p=546  =>PUP.Optional.Browser
http://www.nicolascoolman.fr/?p=134  =>PUP.Optional.PutLocker
 
 
---\\  Other deletions. (31)
~ Registry Keys Tracing deleted (31)
~ Remove the old reports ZHPCleaner. (0)
 
 
---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Mozilla Firefox)
~ Browser not found (Opera Software)
 
 
---\\ Statistics
~ Items scanned : 285
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 52
 
 
~ End of clean in 00h01mn04s
===================
ZHPCleaner-[R]-30122015-13_48_12.txt
ZHPCleaner-[S]-30122015-13_42_08.txt
-------------------------------------------------------------------------------------------------------------------------------------
 

Zemana AntiMalware 2.19.179.797 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2015/12/30
Operating System       : Windows 7 64-bit
Processor              : 2X AMD E-300 APU with Radeon™ HD Graphics
BIOS Mode              : Legacy
CUID                   : 00FBF2C9F46C5A445DBE34
Scan Type              : Deep Scan
Duration               : 53m 58s
Scanned Objects        : 147623
Detected Objects       : 6
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Yes
Include All Extensions : No
Scan Documents         : No
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
adwcleaner_5.026.exe
Status             : Scanned
Object             : %userprofile%\downloads\adwcleaner_5.026.exe
MD5                : 76F7569DB01B4D65431B0E6BBBDD261D
Publisher          : -
Size               : 1743360
Version            : 5.0.2.6
Detection          : Heur.Malicious!Pa
Cleaning Action    : Quarantine
Traces             :
                File - %userprofile%\downloads\adwcleaner_5.026.exe
 
ReiSysUpdate.exe
Status             : Scanned
Object             : %appdata%\zhp\quarantine\reisysupdate.exe
MD5                : 8AE1D9232F12B20487A498586A170ADE
Publisher          : Reimage Limited
Size               : 295912
Version            : 1.0.0.0
Detection          : Scareware:Win32/NonBeneficialOptimizer!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %appdata%\zhp\quarantine\reisysupdate.exe
 
ReimageRepair.exe
Status             : Scanned
Object             : %appdata%\zhp\quarantine\reimagerepair.exe
MD5                : D729E0726F77304B299085AFBA059B5F
Publisher          : Reimage Limited
Size               : 768512
Version            : 1.5.1.4
Detection          : Scareware:Win32/NonBeneficialOptimizer!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %appdata%\zhp\quarantine\reimagerepair.exe
 
ReimagePackage.exe
Status             : Scanned
Object             : %appdata%\zhp\quarantine\reimagepackage.exe
MD5                : DD0F17FD52F53D3392ED8E69C61D2725
Publisher          : Reimage Limited
Size               : 50176
Version            : 1.8.1.4
Detection          : Scareware:Win32/NonBeneficialOptimizer!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %appdata%\zhp\quarantine\reimagepackage.exe
 
ReiSysUpdate[1].exe
Status             : Scanned
Object             : %localappdata%\microsoft\windows\temporary internet files\content.ie5\m6kl7jto\reisysupdate[1].exe
MD5                : 8AE1D9232F12B20487A498586A170ADE
Publisher          : Reimage Limited
Size               : 295912
Version            : 1.0.0.0
Detection          : Scareware:Win32/NonBeneficialOptimizer!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %localappdata%\microsoft\windows\temporary internet files\content.ie5\m6kl7jto\reisysupdate[1].exe
 
ReimagePackage1814x64[1].exe
Status             : Scanned
Object             : %localappdata%\microsoft\windows\temporary internet files\content.ie5\05mbkciy\reimagepackage1814x64[1].exe
MD5                : DD0F17FD52F53D3392ED8E69C61D2725
Publisher          : Reimage Limited
Size               : 50176
Version            : 1.8.1.4
Detection          : Scareware:Win32/NonBeneficialOptimizer!Ep
Cleaning Action    : Quarantine
Traces             :
                File - %localappdata%\microsoft\windows\temporary internet files\content.ie5\05mbkciy\reimagepackage1814x64[1].exe
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 6
Reported as safe      : 0
Failed                : 0
------------------------------------------------------------------------------------------------------------------------------------------
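As an added example, not part of this thread and not code from any of the tools mentioned in it: a small Python parser for ZHPCleaner-style report lines like the ones pasted above, which turns each DELETED/MOVED line into a record, counts findings per detection family and object type, and lists the entries that still pointed at a file that no longer existed. The report text embedded in the block is constructed in the same layout; its paths, task name, CLSID and family names are placeholders, and the record fields, the "(Not File)" test and the function names are my own choices rather than anything ZHPCleaner defines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the ZHPCleaner report layout seen in the thread
# (ACTION kind[*]: [X64] object [label]  =>Family). Paths, names and the
# detection families below are placeholders, not entries from a real log.
SAMPLE_REPORT = r"""
---\\  Scheduled automatic tasks. (1)
DELETED task: [Example-Task-1] [c:\programdata\examplesoft\Example.exe (Not File) ]  =>Trojan.ExampleFamily
---\\  Explorer ( File, Folder) (2)
MOVED file: C:\Users\user\Downloads\ExampleRepair.exe [Example Ltd - Example Downloader]  =>PUP.Optional.ExampleRepair
MOVED folder: C:\ProgramData\ExampleInstaller  =>PUP.Optional.ExampleInstaller
---\\  Registry ( Key, Value, Data) (3)
DELETED key*: [X64] HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001} [ExampleHelper]  =>PUP.Optional.ExampleRepair
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\example.invalid []  =>PUP.Optional.ExampleRepair
DELETED key: [X64] HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 [C:\Program Files (x86)\ExampleHelper\U.x64.dll (Not File)]  =>PUP.Optional.ExampleRepair
~ No malicious or unnecessary items found.
"""

# One finding line: action, object kind (optionally starred), body, "=>" family.
FINDING_RE = re.compile(
    r"^(?P<action>DELETED|MOVED)\s+(?P<kind>\w+)\*?:\s+(?P<body>.*?)\s+=>(?P<family>\S+)\s*$"
)
BRACKET_RE = re.compile(r"\[([^\]]*)\]")


@dataclass
class Finding:
    action: str            # DELETED or MOVED
    kind: str              # key, file, folder, task, ...
    path: str              # registry key, file path, or task name
    label: Optional[str]   # the bracketed annotation (publisher, CLSID name, target), if any
    family: str            # detection family after "=>"
    arch: Optional[str]    # "x64" when the line carries the [X64] marker
    dangling: bool         # the entry referred to a file that was already gone


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; return None for section headers, blanks and notes."""
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    arch = None
    if body.startswith("[X64] "):
        arch = "x64"
        body = body[len("[X64] "):]
    brackets = [b.strip() for b in BRACKET_RE.findall(body)]
    remainder = BRACKET_RE.sub("", body).strip()
    if remainder:
        # key/file/folder lines: the object is the unbracketed text, the label follows it
        path, label = remainder, (brackets[-1] if brackets else None)
    else:
        # task lines carry the task name and its target both in brackets
        path = brackets[0] if brackets else ""
        label = brackets[1] if len(brackets) > 1 else None
    return Finding(
        action=m.group("action"),
        kind=m.group("kind"),
        path=path,
        label=label or None,
        family=m.group("family"),
        arch=arch,
        dangling="(Not File)" in line,
    )


def parse_report(text: str) -> list:
    """All findings in a report, in the order the tool listed them."""
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def summarize(findings) -> dict:
    """Group findings the way a helper reads them: per family, per object type,
    plus the leftover registrations whose target file no longer existed."""
    return {
        "by_family": Counter(f.family for f in findings),
        "by_kind": Counter(f.kind for f in findings),
        "dangling": [f.path for f in findings if f.dangling],
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for family, n in report["by_family"].most_common():
        print(f"{n:3d}  {family}")
    print("leftover registrations pointing at missing files:")
    for p in report["dangling"]:
        print("  ", p)
```

Run against the real report above, the same summary would collapse the many Multiplug CLSID, BHO and PreApproved keys into one family count and single out the InprocServer32 entry whose DLL was marked "(Not File)", which is the pattern of a registration that outlived the file it pointed to and is worth a second look after a cleanup.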


#9 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,054 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:06:46 PM

Posted 31 December 2015 - 11:41 AM

Hi huntsin2,
 
Since InadequateInfirmity is not available currently, I will take over the topic.
 
Let's get an overview of the system:
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#10 huntsin2

huntsin2
  • Topic Starter

  • Members
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:46 PM

Posted 31 December 2015 - 04:57 PM

 
Hi xXToffeeXx,
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-12-2015
Ran by nancy (administrator) on NANCY-HP (31-12-2015 15:38:28)
Running from C:\Users\nancy\Desktop
Loaded Profiles: nancy (Available Profiles: nancy)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\winsxs\amd64_microsoft-windows-d..frameworks-usermode_31bf3856ad364e35_6.1.7601.17803_none_fb416b4f0bdbe260\WUDFHost.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7466600 2011-09-14] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2821416 2011-08-19] (Synaptics Incorporated)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1427648 2015-08-05] (COMODO)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12783848 2015-12-30] (Zemana Ltd.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-08-10] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKU\S-1-5-21-2310484217-659247388-3409459481-1002\...\MountPoints2: {0604e697-bb97-11e2-b158-009c0219938a} - G:\setup.exe -a
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62 192.168.1.1
Tcpip\..\Interfaces\{8D04D225-941F-4259-A848-254577912C49}: [DhcpNameServer] 209.18.47.61 209.18.47.62 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-2310484217-659247388-3409459481-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {7B52DF41-5543-48E5-B48B-860D7C146157} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-2310484217-659247388-3409459481-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2310484217-659247388-3409459481-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2310484217-659247388-3409459481-1002 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
SearchScopes: HKU\S-1-5-21-2310484217-659247388-3409459481-1002 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-2310484217-659247388-3409459481-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-08-01] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-08-01] (Microsoft Corporation.)
Toolbar: HKU\S-1-5-21-2310484217-659247388-3409459481-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-17] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll [2012-02-24] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
StartMenuInternet: firefox.exe - firefox.exe
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-12-17]
CHR Extension: (Google Docs) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-12-17]
CHR Extension: (Google Drive) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-17]
CHR Extension: (YouTube) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-17]
CHR Extension: (Google Search) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-17]
CHR Extension: (Google Sheets) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-12-17]
CHR Extension: (Google Docs Offline) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-12-17]
CHR Extension: (Gmail) - C:\Users\nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-12-17]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [365568 2011-07-05] (Advanced Micro Devices, Inc.) [File not signed]
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [5542472 2015-09-03] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2265792 2015-08-05] (COMODO)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [1817088 2010-12-27] (Realsil Microelectronics Inc.) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [12783848 2015-12-30] (Zemana Ltd.)
S2 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [21184 2015-11-18] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [806032 2015-11-18] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [45856 2015-08-05] (COMODO)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105096 2015-08-05] (COMODO)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [202144 2015-12-30] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [202144 2015-12-30] (Zemana Ltd.)
S3 cpuz134; \??\C:\Users\nancy\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-31 15:38 - 2015-12-31 15:39 - 00013967 _____ C:\Users\nancy\Desktop\FRST.txt
2015-12-31 15:36 - 2015-12-31 15:38 - 00000000 ____D C:\FRST
2015-12-31 15:35 - 2015-12-31 15:35 - 02370560 _____ (Farbar) C:\Users\nancy\Desktop\FRST64.exe
2015-12-30 17:21 - 2015-12-30 17:21 - 00001989 _____ C:\Users\nancy\Desktop\Adware Repair_Logs_2015_12_30_12_59_08 - Shortcut.lnk
2015-12-30 17:13 - 2015-12-30 17:13 - 00003877 _____ C:\Users\nancy\Desktop\zemana log 2015.12.30.txt
2015-12-30 16:04 - 2015-12-30 17:40 - 00065449 _____ C:\Windows\ZAM.krnl.trace
2015-12-30 16:04 - 2015-12-30 16:04 - 00000120 _____ C:\Windows\ZAM_Guard.krnl.trace
2015-12-30 16:04 - 2015-12-30 16:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2015-12-30 16:03 - 2015-12-30 16:04 - 00202144 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2015-12-30 16:03 - 2015-12-30 16:04 - 00001076 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2015-12-30 16:03 - 2015-12-30 16:04 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2015-12-30 16:02 - 2015-12-30 17:13 - 00000000 ____D C:\Users\nancy\AppData\Local\Zemana
2015-12-30 16:02 - 2015-12-30 16:04 - 00202144 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2015-12-30 16:01 - 2015-12-30 16:01 - 05013792 _____ ( ) C:\Users\nancy\Downloads\Zemana.AntiMalware.Setup.exe
2015-12-30 13:48 - 2015-12-30 13:48 - 00009434 _____ C:\Users\nancy\Desktop\ZHPCleaner.txt
2015-12-30 13:25 - 2015-12-30 14:03 - 00000000 ____D C:\Users\nancy\AppData\Roaming\ZHP
2015-12-30 13:25 - 2015-12-30 13:25 - 00000830 _____ C:\Users\nancy\Desktop\ZHPCleaner.lnk
2015-12-30 13:18 - 2015-12-30 13:19 - 01978368 _____ C:\Users\nancy\Downloads\ZHPCleaner.exe
2015-12-30 13:15 - 2015-12-30 13:15 - 00001392 _____ C:\Users\nancy\Desktop\Adware results.txt
2015-12-30 12:59 - 2015-12-30 12:59 - 00290304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\subinacl.exe
2015-12-30 12:59 - 2015-12-30 12:59 - 00000000 ____D C:\Program Files (x86)\Adware Removal Tool by TSA
2015-12-30 12:58 - 2015-12-30 12:58 - 00700584 _____ C:\Users\nancy\Desktop\Adware_Removal_Tool_by_TSA.exe
2015-12-23 18:22 - 2015-12-23 18:23 - 00000000 ____D C:\Windows\System32\Tasks\COMODO
2015-12-23 18:22 - 2015-12-23 18:22 - 00001870 _____ C:\Users\Public\Desktop\COMODO Firewall.lnk
2015-12-23 18:22 - 2015-12-23 18:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
2015-12-23 18:19 - 2015-12-23 18:19 - 00000000 ____D C:\ProgramData\Shared Space
2015-12-23 18:18 - 2015-12-23 18:18 - 00000000 ____D C:\Program Files\COMODO
2015-12-23 18:14 - 2015-12-23 18:22 - 00000000 ____D C:\ProgramData\Comodo
2015-12-23 17:44 - 2015-12-23 17:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyFinder
2015-12-23 17:44 - 2015-12-23 17:44 - 00000000 ____D C:\Program Files (x86)\Magical Jelly Bean
2015-12-23 17:42 - 2015-12-23 17:43 - 01178272 _____ (Magical Jelly Bean ) C:\Users\nancy\Downloads\KeyFinderInstaller.exe
2015-12-23 17:37 - 2015-12-23 17:37 - 00000000 ____D C:\licensecrawler
2015-12-23 17:35 - 2015-12-23 17:36 - 01381153 _____ C:\Users\nancy\Downloads\licensecrawler.zip
2015-12-23 17:29 - 2015-12-23 17:29 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-23 17:29 - 2015-12-23 17:29 - 00000000 ____D C:\Users\nancy\AppData\Roaming\Malwarebytes
2015-12-23 17:29 - 2015-12-23 17:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
2015-12-23 17:29 - 2015-12-23 17:29 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-23 17:29 - 2015-12-23 17:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-12-23 17:29 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-12-23 17:26 - 2014-05-14 10:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-12-23 17:26 - 2014-05-14 10:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-12-23 17:26 - 2014-05-14 10:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-12-23 17:26 - 2014-05-14 10:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-12-23 17:25 - 2014-05-14 10:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-12-23 17:25 - 2014-05-14 10:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-12-23 17:25 - 2014-05-14 10:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-12-23 17:25 - 2014-05-14 10:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-12-23 17:25 - 2014-05-14 10:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-12-23 17:25 - 2014-05-14 10:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-12-23 17:25 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-12-23 17:25 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-12-23 17:25 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-12-23 17:25 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-12-23 16:32 - 2015-12-23 16:32 - 01599336 _____ (Malwarebytes) C:\Users\nancy\Downloads\JRT.exe
2015-12-23 16:19 - 2015-12-30 12:53 - 00000562 _____ C:\Users\nancy\Desktop\JRT.txt
2015-12-23 16:12 - 2015-11-24 17:43 - 01599336 _____ (Malwarebytes) C:\Users\nancy\Desktop\JRT.exe
2015-12-23 15:35 - 2015-12-23 15:35 - 00002019 _____ C:\Users\Public\Desktop\Adobe Reader X.lnk
2015-12-23 15:20 - 2015-12-23 15:20 - 01743360 _____ C:\Users\nancy\Downloads\adwcleaner_5.026.exe
2015-12-17 22:16 - 2015-12-17 22:16 - 00020642 _____ C:\Users\nancy\Desktop\eset scanner results.txt
2015-12-17 18:00 - 2015-12-17 18:01 - 02870984 _____ (ESET) C:\Users\nancy\Downloads\esetsmartinstaller_enu.exe
2015-12-17 17:59 - 2015-12-17 17:59 - 00002255 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-12-17 17:59 - 2015-12-17 17:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-12-17 17:58 - 2015-12-17 17:58 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d13926cd5bb95c.job
2015-12-17 17:58 - 2015-12-17 17:58 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-17 17:58 - 2015-12-17 17:58 - 00000000 ____D C:\Program Files (x86)\Google
2015-12-17 17:57 - 2015-12-17 17:58 - 00000000 ____D C:\Users\nancy\AppData\Local\Deployment
2015-12-17 17:57 - 2015-12-17 17:57 - 00000000 ____D C:\Users\nancy\AppData\Local\Apps\2.0
2015-12-17 17:46 - 2015-12-23 18:06 - 00000000 ____D C:\AdwCleaner
2015-12-17 17:42 - 2015-12-17 17:42 - 01740288 _____ C:\Users\nancy\Downloads\adwcleaner_5.025.exe
2015-12-17 13:33 - 2015-12-17 13:33 - 00000000 ____D C:\Program Files (x86)\ESET
2015-12-17 13:28 - 2015-12-17 13:30 - 00206774 _____ C:\TDSSKiller.3.1.0.9_17.12.2015_13.28.56_log.txt
2015-12-17 13:27 - 2015-12-17 13:27 - 00000364 _____ C:\TDSSKiller.3.1.0.7_17.12.2015_13.27.38_log.txt
2015-12-17 13:21 - 2015-12-17 13:24 - 00002588 _____ C:\Users\nancy\Desktop\Rkill.txt
2015-12-17 12:57 - 2015-12-17 17:38 - 00216970 _____ C:\Windows\ntbtlog.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-31 15:37 - 2009-07-13 21:20 - 00000000 ____D C:\Windows
2015-12-31 15:34 - 2012-02-13 22:25 - 00003926 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{049865A5-B88B-4833-A810-E4735A455067}
2015-12-31 15:33 - 2015-04-26 16:40 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-30 17:38 - 2009-07-13 23:13 - 00919460 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-30 17:38 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\inf
2015-12-30 16:00 - 2009-07-13 22:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-30 16:00 - 2009-07-13 22:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-30 14:07 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-30 13:11 - 2015-04-26 16:40 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-30 13:11 - 2015-04-26 16:40 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-30 13:11 - 2011-10-14 14:36 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-23 17:57 - 2012-01-13 11:11 - 00000000 ____D C:\ProgramData\Norton
2015-12-23 15:35 - 2012-07-21 18:18 - 00000000 ____D C:\Users\nancy\AppData\Local\Spotify
2015-12-23 15:35 - 2011-10-14 15:06 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-12-23 15:34 - 2012-07-21 18:16 - 00000000 ____D C:\Users\nancy\AppData\Roaming\Spotify
2015-12-17 18:35 - 2014-04-14 08:27 - 00000000 ____D C:\Users\nancy\AppData\Local\Google
2015-12-17 13:33 - 2009-07-13 23:32 - 00000000 ____D C:\Windows\Downloaded Program Files
 
Some files in TEMP:
====================
C:\Users\nancy\AppData\Local\Temp\Extract.exe
C:\Users\nancy\AppData\Local\Temp\htmlayout.dll
C:\Users\nancy\AppData\Local\Temp\Resource.exe
C:\Users\nancy\AppData\Local\Temp\SP56929.exe
C:\Users\nancy\AppData\Local\Temp\SP56942.exe
C:\Users\nancy\AppData\Local\Temp\SP57398.exe
C:\Users\nancy\AppData\Local\Temp\sp58915.exe
C:\Users\nancy\AppData\Local\Temp\SP59202.exe
C:\Users\nancy\AppData\Local\Temp\sp64126.exe
C:\Users\nancy\AppData\Local\Temp\UninstallHPSA.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-04-13 21:17
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:31-12-2015
Ran by nancy (2015-12-31 15:40:01)
Running from C:\Users\nancy\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2012-02-14 04:18:35)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2310484217-659247388-3409459481-500 - Administrator - Disabled)
Guest (S-1-5-21-2310484217-659247388-3409459481-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2310484217-659247388-3409459481-1003 - Limited - Enabled)
nancy (S-1-5-21-2310484217-659247388-3409459481-1002 - Administrator - Enabled) => C:\Users\nancy
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Comodo Defense+ (Enabled - Up to date) {493CE176-EB84-BC8D-9707-B3ACF7598648}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall (Enabled) {CA6681B7-87D1-B25B-86E8-21EB720D8B8E}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 20 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 20.0.0.267 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.1.629 - Adobe Systems, Inc.)
ATI Catalyst Install Manager (HKLM\...\{B3C4ADC9-637E-DDD9-A66C-782AE5E2E667}) (Version: 3.0.829.0 - ATI Technologies, Inc.)
AVG 2012 (Version: 12.0.2112 - AVG Technologies) Hidden
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Bing Bar (HKLM-x32\...\{9FA13759-5C2B-4177-9DDC-0038F8B5BEFD}) (Version: 7.0.826.0 - Microsoft Corporation)
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blio (HKLM-x32\...\{741006D1-7B2B-4E33-B2B0-831F282EEF64}) (Version: 2.2.8188 - K-NFB Reading Technology, Inc.)
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
COMODO Firewall (HKLM\...\{04833277-EE61-4251-9273-0CF86C0FE710}) (Version: 8.2.0.4792 - COMODO Security Solutions Inc.)
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.0.4606 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ESU for Microsoft Windows 7 SP1 (HKLM-x32\...\{E96CAA2A-0244-4A2A-8403-0C3C9534778B}) (Version: 2.1.1 - Hewlett-Packard)
Evernote v. 4.2.3 (HKLM-x32\...\{F761359C-9CED-45AE-9A51-9D6605CD55C4}) (Version: 4.2.3.22 - Evernote Corp.)
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
Farmscapes (x32 Version: 2.2.0.98 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.97 - WildTangent) Hidden
Final Drive Fury (x32 Version: 2.2.0.95 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.)
Google Update Helper (x32 Version: 1.3.29.1 - Google Inc.) Hidden
Hoyle Card Games (x32 Version: 2.2.0.95 - WildTangent) Hidden
HP Application Assistant (HKLM\...\{6032497A-4479-462B-ADB8-A0A372BB9A23}) (Version: 1.0.409.3882 - Hewlett-Packard)
HP Documentation (HKLM-x32\...\{39FCC6B7-FFF5-4075-A5E8-B5CEBD54C331}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP Launch Box (HKLM\...\{BF1E75D0-E7AF-4BEA-9FBC-567F0C54BDF9}) (Version: 1.0.12 - Hewlett-Packard Company)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.1.21091.0 - Hewlett-Packard Company)
HP On Screen Display (HKLM-x32\...\{ED1BD69A-07E3-418C-91F1-D856582581BF}) (Version: 1.3.5 - Hewlett-Packard Company)
HP Power Manager (HKLM-x32\...\{7E799992-5DA0-4A1A-9443-B1836B063FEC}) (Version: 1.4.8 - Hewlett-Packard Company)
HP Quick Launch (HKLM-x32\...\{53B17A98-5BF0-40BC-AAFF-850A357975AC}) (Version: 2.7.2 - Hewlett-Packard Company)
HP QuickWeb (HKLM-x32\...\{41298BF3-DF6B-449C-BFB7-83663ECB5108}) (Version: 3.1.1.10184 - Hewlett-Packard Company)
HP Security Assistant (HKLM\...\{562608FE-2051-4488-BF22-8CE4C03046AC}) (Version: 1.0.12 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1}) (Version: 9.0.15076.3891 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.2.14901.3869 - Hewlett-Packard Company)
HP Software Framework (HKLM-x32\...\{675D093B-815D-47FD-AB2C-192EC751E8E2}) (Version: 4.6.10.1 - Hewlett-Packard Company)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Jewel Quest Mysteries: The Seventh Gate Collector's Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Letters from Nowhere 2 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Luxor HD (x32 Version: 2.2.0.98 - WildTangent) Hidden
Magical Jelly Bean KeyFinder (HKLM-x32\...\KeyFinder_is1) (Version: 2.0.10.10 - Magical Jelly Bean)
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.5139.5005 - Microsoft Corporation)
Microsoft PowerPoint Viewer (HKLM-x32\...\{95140000-00AF-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden
Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.98 - WildTangent) Hidden
Ralink RT5390 802.11b/g/n WiFi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 3.2.12.0 - Ralink)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.42.304.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6461 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7600.77 - Realtek Semiconductor Corp.)
RollerCoaster Tycoon 3: Platinum (x32 Version: 2.2.0.98 - WildTangent) Hidden
Skype™ 6.11 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.11.102 - Skype Technologies S.A.)
Spotify (HKU\S-1-5-21-2310484217-659247388-3409459481-1002\...\Spotify) (Version: 1.0.4.90.g0b6df40b - Spotify AB)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics TouchPad Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.21.0 - Synaptics Incorporated)
The Treasures of Mystery Island: The Ghost Ship (x32 Version: 2.2.0.98 - WildTangent) Hidden
Torchlight (x32 Version: 2.2.0.98 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Virtual Villagers 4 - The Tree of Life (x32 Version: 2.2.0.98 - WildTangent) Hidden
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
WildTangent Games App (HP Games) (x32 Version: 4.0.5.32 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.19.797 - Zemana Ltd.)
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {29279474-B622-48F2-BBA9-7CC2D82BDD4D} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2015-08-05] (COMODO)
Task: {297A52E4-EDE5-4C8A-A1B9-7D0D840AF497} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2011-10-06] (CyberLink)
Task: {3D076284-9E7D-4652-BECF-FE11E6285A74} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-30] (Adobe Systems Incorporated)
Task: {5A40E926-9E86-4B89-9CFD-B12311724371} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {CFE6B1C0-632C-44C8-BBAC-922A0513283F} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2015-08-05] (COMODO)
Task: {DD9F510C-95F4-499A-90C8-BAC5BC372FF4} - System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask => start sppsvc
Task: {DE0127DD-38ED-4C36-80AB-EE992708AFCE} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2015-08-05] (COMODO)
Task: {EEAB1290-FF21-4096-9CD6-292839B05B77} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe
Task: {F8F096CD-70E9-4100-AD57-8E7B6C3DE78B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d13926cd5bb95c.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2011-07-05 13:27 - 2011-07-05 13:27 - 00073728 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2015-12-30 16:03 - 2015-12-30 16:03 - 00118640 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2015-12-17 17:59 - 2015-12-10 21:54 - 01583432 _____ () C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\libglesv2.dll
2015-12-17 17:59 - 2015-12-10 21:54 - 00081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Windows\SysWOW64\FlashPlayerApp.exe:$CmdTcID
AlternateDataStreams: C:\Windows\SysWOW64\subinacl.exe:$CmdTcID
AlternateDataStreams: C:\Users\nancy\Desktop\Adware_Removal_Tool_by_TSA.exe:$CmdTcID
AlternateDataStreams: C:\Users\nancy\Desktop\Adware_Removal_Tool_by_TSA.exe:$CmdZnID
AlternateDataStreams: C:\Users\nancy\Desktop\FRST64.exe:$CmdTcID
AlternateDataStreams: C:\Users\nancy\Desktop\FRST64.exe:$CmdZnID
AlternateDataStreams: C:\Users\nancy\Downloads\Zemana.AntiMalware.Setup.exe:$CmdTcID
AlternateDataStreams: C:\Users\nancy\Downloads\Zemana.AntiMalware.Setup.exe:$CmdZnID
AlternateDataStreams: C:\Users\nancy\Downloads\ZHPCleaner.exe:$CmdTcID
AlternateDataStreams: C:\Users\nancy\Downloads\ZHPCleaner.exe:$CmdZnID
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 20:34 - 2009-06-10 15:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2310484217-659247388-3409459481-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\nancy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 209.18.47.61 - 209.18.47.62
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is disabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupreg: HP Quick Launch => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
MSCONFIG\startupreg: HPOSD => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
MSCONFIG\startupreg: HPQuickWebProxy => "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
MSCONFIG\startupreg: SetDefault => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe
MSCONFIG\startupreg: Spotify => "C:\Users\nancy\AppData\Roaming\Spotify\Spotify.exe" -autostart -minimized
MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\nancy\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{DC3047AD-4FA9-4816-B7E8-507428985733}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\RNow.exe
FirewallRules: [{48E34E3F-A1CB-4688-9A5D-7C4F23372ADA}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\RNow.exe
FirewallRules: [{52E41CA0-41DE-41DA-9741-7EE294092218}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\IndivDRM.exe
FirewallRules: [{E7A3AAA3-EE63-48BA-BF19-5A054E1458DF}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\IndivDRM.exe
FirewallRules: [{AB4E4C9F-F548-4695-9CEB-A59E872A030B}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{27E2AD31-D824-4E29-B7BE-68DF7061803B}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{D3875090-2DAA-4664-8BEB-190AA8CDCBDE}] => (Allow) LPort=2869
FirewallRules: [{12485372-E6AD-4BE5-8C0C-4155A1E56ABA}] => (Allow) LPort=1900
FirewallRules: [{4771D0A0-D5B7-467F-9E06-AA22CAACDD67}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{6462E1DF-58F6-4B3B-8B95-C8B4B10EA285}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [TCP Query User{FCA34DD1-3406-42B9-8E87-3B7D51C4FC7F}C:\users\nancy\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\nancy\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{D4DCC250-D6A2-42FB-A992-902451462523}C:\users\nancy\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\nancy\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{D979B05F-DAD3-4B3E-A0BE-FF849DACBA9D}C:\users\nancy\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\nancy\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{0E26D9CA-4754-4CE4-BA0B-8BB2859BEB99}C:\users\nancy\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\nancy\appdata\roaming\spotify\spotify.exe
FirewallRules: [{676F5E91-848F-4B2E-A7A8-EAA623CA70F2}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe
FirewallRules: [{6799D5FF-5C98-44D0-B7D2-859159E930F4}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
05-05-2014 00:16:12 Windows Update
10-05-2014 23:39:45 Windows Update
15-05-2014 15:24:17 Windows Modules Installer
20-05-2014 23:30:47 Windows Update
29-05-2014 17:16:35 Windows Update
02-06-2014 05:12:29 Windows Update
03-06-2014 21:58:15 Windows Modules Installer
13-06-2014 12:26:49 Windows Update
16-06-2014 03:21:52 Windows Update
23-12-2015 16:13:05 JRT Pre-Junkware Removal
23-12-2015 17:23:40 Windows Update
23-12-2015 18:17:20 Installing COMODO Firewall
23-12-2015 18:20:34 Device Driver Package Install: COMODO Network Service
30-12-2015 12:17:24 JRT Pre-Junkware Removal
30-12-2015 17:10:53 Zemana AntiMalware 12/30/2015 5:10:46 PM
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/30/2015 03:53:23 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/30/2015 12:10:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/23/2015 06:22:15 PM) (Source: WinMgmt) (EventID: 24) (User: )
Description: CisWmiSELECT * FROM CisFileRatingChangeCisFileRatingChange//./root/cis
 
Error: (12/23/2015 06:22:15 PM) (Source: WinMgmt) (EventID: 24) (User: )
Description: CisWmiSELECT * FROM CisStatusChangeCisStatusChange//./root/cis
 
Error: (12/23/2015 06:22:15 PM) (Source: WinMgmt) (EventID: 24) (User: )
Description: CisWmiSELECT * FROM CisNotificationCisNotification//./root/cis
 
Error: (12/23/2015 06:22:15 PM) (Source: WinMgmt) (EventID: 24) (User: )
Description: CisWmiSELECT * FROM FwAlertFwAlert//./root/cis
 
Error: (12/23/2015 06:22:15 PM) (Source: WinMgmt) (EventID: 24) (User: )
Description: CisWmiSELECT * FROM DfAlertDfAlert//./root/cis
 
Error: (12/23/2015 06:22:15 PM) (Source: WinMgmt) (EventID: 24) (User: )
Description: CisWmiSELECT * FROM AvAlertAvAlert//./root/cis
 
Error: (12/23/2015 06:22:15 PM) (Source: WinMgmt) (EventID: 24) (User: )
Description: CisWmiSELECT * FROM CisAlertCisAlert//./root/cis
 
Error: (12/23/2015 06:22:15 PM) (Source: WinMgmt) (EventID: 24) (User: )
Description: CisWmiSELECT * FROM CisEventCisEvent//./root/cis
 
 
System errors:
=============
Error: (12/30/2015 05:41:34 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IconMan_R service.
 
Error: (12/30/2015 05:40:33 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IconMan_R service.
 
Error: (12/30/2015 05:40:02 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IconMan_R service.
 
Error: (12/30/2015 05:39:18 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IconMan_R service.
 
Error: (12/30/2015 03:55:49 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HP Support Assistant Service service failed to start due to the following error: 
%%2
 
Error: (12/30/2015 03:54:17 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}
 
Error: (12/30/2015 03:53:40 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPWMISVC service.
 
Error: (12/30/2015 03:52:53 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The IP Helper service hung on starting.
 
Error: (12/30/2015 12:45:12 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The IconMan_R service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (12/30/2015 12:44:49 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{8D04D225-941F-4259-A848-254577912C49} because another computer on the network has the same name.  The server could not start.
 
 
==================== Memory info =========================== 
 
Processor: AMD E-300 APU with Radeon™ HD Graphics
Percentage of memory in use: 72%
Total physical RAM: 3690.91 MB
Available physical RAM: 1005.43 MB
Total Virtual: 7379.99 MB
Available Virtual: 4241.56 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:442.21 GB) (Free:378.03 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Recovery) (Fixed) (Total:19.39 GB) (Free:2.1 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.08 GB) FAT32
Drive g: () (Removable) (Total:7.6 GB) (Free:7.54 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 27F7617E)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=442.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=19.4 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=4 GB) - (Type=0C)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 7.6 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#11 xXToffeeXx

xXToffeeXx
    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 31 December 2015 - 06:21 PM

Hi huntsin2,
 
How is the system running?
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#12 huntsin2

huntsin2
  • Topic Starter
  • Members
  • 231 posts
  • Gender:Male

Posted 02 January 2016 - 03:52 PM

The system seems to be running fine.

#13 xXToffeeXx

xXToffeeXx
    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 05 January 2016 - 09:02 AM

Hi huntsin2,
 
Glad to hear that :)
 
Download Delfix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.
 
Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

  • Activate UAC
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
  • Reset system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't need to copy and paste it into your next reply.
 
xXToffeeXx~




#14 huntsin2

huntsin2
  • Topic Starter
  • Members
  • 231 posts
  • Gender:Male

Posted 05 January 2016 - 06:27 PM

Hi xXToffeeXx,

I take it the computer is clean and that there is nothing else that needs to be done after this?

#15 xXToffeeXx

xXToffeeXx
    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 07 January 2016 - 03:25 PM

Hi huntsin2,
 
Yes, that is correct.
 
xXToffeeXx~

