Help me remove this virus. I have been helped by the people of this forum before


This topic is locked
17 replies to this topic

#1 NINTR

  • Members
  • 57 posts

Posted 30 August 2016 - 11:48 PM

I'm hoping someone can help me again. I know my previous topic was closed, but I do believe this post is something that can be addressed by the people who help the people who post in this forum section. Please, please help me. Please don't be hateful or tell me I should look elsewhere for help. This is where I always post and have always received help. Thanks.

Here's a title of one of the encrypted files:

!c59f88476e1c.txt.id_8091818e5c3bb547_email_enc2@dr.com_.scl

I don't understand where these keep coming from! I can't take this anymore! I've been hit by three of these! I don't use my computer for much other than a little bit of internet browsing and some email. Where do they keep coming from and how can I get rid of it?! Please someone help me! I can't keep going through this! I've lost three family members in the last few months and the last thing I need is this computer to keep catching viruses that are encrypting pictures of my loved ones who have died. Please, please help me fix this, get rid of the virus and find out where they are coming from! PLEASE!

I am currently running an Avast! scan, and I am also running an FRST scan, as well. Results will be posted as soon as I get them.

***UPDATE***

Here are the results of the FRST scan. Can someone look at this and

1. Get rid of the virus that is currently on my computer, and

2. Help me figure out where the issue is that is letting these viruses into my computer consistently. This is the third one I've had in the last year and I don't know where they are coming from.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-08-2016
Ran by Deanna (administrator) on DEANNA-PC (31-08-2016 00:06:48)
Running from C:\Users\Deanna\Downloads
Loaded Profiles: Deanna &  (Available Profiles: Deanna)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ASUSTeK Computer Inc.) C:\Windows\SysWOW64\AsHookDevice.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Lexmark International, Inc.) C:\Windows\System32\spool\drivers\x64\3\lxdcserv.exe
( ) C:\Windows\System32\lxdccoms.exe
(Microsoft Corporation) C:\Windows\System32\Locator.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\TiMiniService.exe
(Digital Market Research Apps Pty Ltd) C:\Program Files (x86)\MR APP\MRAPP.Transfer.Service.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\TiResumeSrv.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
(Eastman Kodak Company) C:\Program Files (x86)\Kodak\KODAK Share Button App\Listener.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE
(Eastman Kodak Company) C:\Program Files (x86)\Kodak\KODAK Share Button App\KODAK Wireless Utility.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMUPDT.EXE
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMSWCS.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_287_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VizorHtmlDialog.exe] => C:\Program Files\Trend Micro\Titanium\UIFramework\VizorHtmlDialog.exe [1123664 2010-10-08] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [192520 2010-10-12] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Titanium] => C:\Program Files\Trend Micro\Titanium\VizorShortCut.exe [322384 2010-09-17] (Trend Micro Inc.)
HKLM\...\Run: [lxdcmon.exe] => "C:\Program Files (x86)\Lexmark 1300 Series\lxdcmon.exe"
HKLM\...\Run: [lxdcamon] => C:\Program Files (x86)\Lexmark 1300 Series\lxdcamon.exe [25256 2009-04-27] ()
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-03-19] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-06-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [3037296 2011-05-06] (VIA)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2014-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ASUSWebStorage] => C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.104.216\AsusWSPanel.exe [737104 2011-07-05] (ecareme)
HKLM-x32\...\Run: [lxdcamon] => C:\Program Files (x86) (x86)\Lexmark 1300 Series\lxdcamon.exe [25256 2009-04-27] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67384 2016-03-18] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-08-08] (AVAST Software)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1285704 2014-08-08] (CANON INC.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [453736 2013-02-19] (CANON INC.)
HKU\S-1-5-21-492531289-1107910523-2460122450-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23375200 2016-07-29] (Google)
HKU\S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23375200 2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-06-29] (AVAST Software)
ShellIconOverlayIdentifiers: [AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.104.216\ASUSWSShellExt64.dll [2011-05-25] (eCareme Technologies, Inc.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.104.216\ASUSWSShellExt64.dll [2011-05-25] (eCareme Technologies, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.HTML [2016-08-30] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.TXT [2016-08-30] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-492531289-1107910523-2460122450-1001] => http=127.0.0.1:16110;https=127.0.0.1:16110
ProxyServer: [S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:16110;https=127.0.0.1:16110
Tcpip\Parameters: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\..\Interfaces\{A2CAE2A6-39CA-444D-89D0-636BC711D7D8}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{A2CAE2A6-39CA-444D-89D0-636BC711D7D8}: [DhcpNameServer] 209.18.47.62 209.18.47.61

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-492531289-1107910523-2460122450-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg.dll [2010-09-17] (Trend Micro Inc.)
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2014-07-07] (CANON INC.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe64.dll [2010-09-17] (Trend Micro Inc.)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg32.dll [2010-09-17] (Trend Micro Inc.)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2014-07-07] (CANON INC.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-02-24] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll [2010-09-17] (Trend Micro Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-24] (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2014-07-07] (CANON INC.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2014-07-07] (CANON INC.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe64.dll [2010-09-17] (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll [2010-09-17] (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg.dll [2010-09-17] (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\TmIEPlg32.dll [2010-09-17] (Trend Micro Inc.)

FireFox:
========
FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2016-03-08] ()
FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.40.2 -> C:\windows\SysWOW64\npDeployJava1.dll [2013-10-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-24] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @samsungsmartcam.com/npwViewer -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib.dll [2015-11-06] (Samsung Techwin)
FF Plugin-x32: @samsungsmartcam.com/npwViewer_turn -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib_turn.dll [2015-11-06] (Samsung Techwin)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin-x32: samsungtechwin.com/SmartCamFinder -> C:\Program Files (x86)\Samsung\SmartCam\npSmartCamFinder.dll [2015-09-24] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-492531289-1107910523-2460122450-1001: @samsungsmartcam.com/npwViewer -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib.dll [2015-11-06] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-492531289-1107910523-2460122450-1001: @samsungsmartcam.com/npwViewer_turn -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib_turn.dll [2015-11-06] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-492531289-1107910523-2460122450-1001: samsungtechwin.com/SmartCamFinder -> C:\Program Files (x86)\Samsung\SmartCam\npSmartCamFinder.dll [2015-09-24] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @samsungsmartcam.com/npwViewer -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib.dll [2015-11-06] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @samsungsmartcam.com/npwViewer_turn -> C:\Program Files (x86)\Samsung\SmartCam\npwViewer_lib_turn.dll [2015-11-06] (Samsung Techwin)
FF Plugin HKU\S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: samsungtechwin.com/SmartCamFinder -> C:\Program Files (x86)\Samsung\SmartCam\npSmartCamFinder.dll [2015-09-24] (Samsung Techwin)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-08-30]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-08-30]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\firefoxextension
FF Extension: (Trend Micro NSC Firefox Extension) - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\firefoxextension [2011-10-21] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2016-06-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [365568 2011-06-29] (Advanced Micro Devices, Inc.) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-06-29] (AVAST Software)
S2 EventService; C:\Program Files (x86)\MR APP\MRAPP.Event.Service.exe [34304 2015-07-06] (Digital Market Research Apps Pty Ltd) [File not signed]
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140456 2012-03-28] ()
R2 lxdcCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\lxdcserv.exe [34224 2007-05-25] (Lexmark International, Inc.)
R2 lxdc_device; C:\windows\system32\lxdccoms.exe [567216 2007-05-25] ( )
R2 lxdc_device; C:\windows\SysWOW64\lxdccoms.exe [537520 2007-05-25] ( )
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2009-05-14] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2009-05-14] (Hewlett-Packard) [File not signed]
R2 TiMiniService; C:\Program Files\Trend Micro\Titanium\TiMiniService.exe [241488 2010-09-17] (Trend Micro Inc.)
R2 TransferService; C:\Program Files (x86)\MR APP\MRAPP.Transfer.Service.exe [32256 2015-07-06] (Digital Market Research Apps Pty Ltd) [File not signed]
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2011-03-29] (VIA Technologies, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-24] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
R3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-08-30] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-08-30] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-08-30] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-08-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-08-30] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969560 2016-08-30] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513496 2016-08-30] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-08-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-30] (AVAST Software)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [113880 2016-08-30] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\system32\drivers\ASACPI.sys [15416 2009-07-16] ()
R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90704 2010-09-17] (Trend Micro Inc.)
R2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [144464 2010-09-17] (Trend Micro Inc.)
R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [67664 2010-09-17] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2010-09-17] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-30 23:03 - 2016-08-30 23:03 - 00000000 ____D C:\Users\Deanna\AppData\Local\{830F824D-FD13-483E-A5DB-79C1F82CE7B8}
2016-08-30 22:32 - 2016-08-30 22:32 - 00391496 _____ (AVAST Software) C:\windows\system32\aswBoot.exe
2016-08-30 22:32 - 2016-08-30 22:32 - 00053208 _____ (AVAST Software) C:\windows\avastSS.scr
2016-08-30 22:32 - 2016-08-30 22:29 - 00473592 _____ (AVAST Software) C:\windows\system32\Drivers\aswC150.tmp
2016-08-30 22:32 - 2016-08-30 22:29 - 00292704 _____ (AVAST Software) C:\windows\system32\Drivers\aswC3D0.tmp
2016-08-30 22:32 - 2016-06-29 21:23 - 01070904 _____ (AVAST Software) C:\windows\system32\Drivers\aswAAA0.tmp
2016-08-30 22:32 - 2016-06-29 21:23 - 00162904 _____ (AVAST Software) C:\windows\system32\Drivers\aswC9BB.tmp
2016-08-30 22:32 - 2016-06-29 21:23 - 00108304 _____ (AVAST Software) C:\windows\system32\Drivers\aswB9B0.tmp
2016-08-30 22:32 - 2016-06-29 21:23 - 00103064 _____ (AVAST Software) C:\windows\system32\Drivers\aswB29C.tmp
2016-08-30 22:32 - 2016-06-29 21:23 - 00074544 _____ (AVAST Software) C:\windows\system32\Drivers\aswBC40.tmp
2016-08-30 22:32 - 2016-06-29 21:23 - 00037656 _____ (AVAST Software) C:\windows\system32\Drivers\aswB4EE.tmp
2016-08-30 22:32 - 2016-06-29 21:23 - 00037144 _____ (AVAST Software) C:\windows\system32\Drivers\asw9F87.tmp
2016-08-30 22:28 - 2016-08-05 12:00 - 00292704 _____ (AVAST Software) C:\windows\system32\Drivers\aswDDAB.tmp
2016-08-30 22:28 - 2016-07-13 12:10 - 00473592 _____ (AVAST Software) C:\windows\system32\Drivers\aswDA40.tmp
2016-08-30 22:28 - 2016-06-29 21:23 - 01070904 _____ (AVAST Software) C:\windows\system32\Drivers\aswC1EA.tmp
2016-08-30 22:28 - 2016-06-29 21:23 - 00162904 _____ (AVAST Software) C:\windows\system32\Drivers\aswE347.tmp
2016-08-30 22:28 - 2016-06-29 21:23 - 00108304 _____ (AVAST Software) C:\windows\system32\Drivers\aswCFC3.tmp
2016-08-30 22:28 - 2016-06-29 21:23 - 00103064 _____ (AVAST Software) C:\windows\system32\Drivers\aswC748.tmp
2016-08-30 22:28 - 2016-06-29 21:23 - 00074544 _____ (AVAST Software) C:\windows\system32\Drivers\aswD408.tmp
2016-08-30 22:28 - 2016-06-29 21:23 - 00037656 _____ (AVAST Software) C:\windows\system32\Drivers\aswC9E8.tmp
2016-08-30 22:28 - 2016-06-29 21:23 - 00037144 _____ (AVAST Software) C:\windows\system32\Drivers\asw52C3.tmp
2016-08-30 20:31 - 2016-08-30 20:31 - 05990192 _____ C:\Users\Deanna\Documents\marc maron.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 01905024 _____ C:\Users\Deanna\Documents\leconte bill.pdf.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 01431696 _____ C:\Users\Deanna\Documents\le conte bill 2.pdf.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 01182320 _____ C:\Users\Deanna\Documents\baby shower poster.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 01014000 _____ C:\Users\Deanna\Documents\gregg and eddie.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00775648 _____ C:\Users\Deanna\Documents\plaid marc maron.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00325888 _____ C:\Users\Deanna\Documents\durbin_the unstoppable force paradox.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00203568 _____ C:\Users\Deanna\Documents\dr. carter.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00191152 _____ C:\Users\Deanna\Documents\flowers of liberty building.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00091456 _____ C:\Users\Deanna\Documents\wyndham price division.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00065520 _____ C:\Users\Deanna\Documents\fishy!.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00046832 _____ C:\Users\Deanna\Documents\pain diary.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00036208 _____ C:\Users\Deanna\Documents\!c59f88476e1c.html.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00034384 _____ C:\Users\Deanna\Documents\13 flowchart.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00019776 _____ C:\Users\Deanna\Documents\maron letter.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00015296 _____ C:\Users\Deanna\Documents\cds for vacation tracklists.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00013392 _____ C:\Users\Deanna\Documents\13 flowchart 2.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00001760 _____ C:\Users\Deanna\Documents\!c59f88476e1c.txt.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00000176 _____ C:\Users\Deanna\Documents\~$owers of liberty building.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:31 - 2016-08-30 20:31 - 00000176 _____ C:\Users\Deanna\Documents\~$ flowchart.docx.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:30 - 2016-08-30 20:30 - 00003192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:30 - 2016-08-30 20:30 - 00003192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:30 - 2016-08-30 20:30 - 00002124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:30 - 2016-08-30 20:30 - 00002124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 03174160 _____ C:\ProgramData\spldb6e.tmp.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:29 - 2016-08-30 20:29 - 03174160 _____ C:\ProgramData\spl6bbb.tmp.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:29 - 2016-08-30 20:29 - 00036208 _____ C:\!c59f88476e1c.html.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\ProgramData\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\ProgramData\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00001760 _____ C:\!c59f88476e1c.txt.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:29 - 2016-08-30 20:29 - 00000992 _____ C:\lxdc.log.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 13:16 - 2016-08-30 13:16 - 00000000 ____D C:\Users\Deanna\AppData\Local\{78D9EE5A-EC83-47B2-98F3-B8BF31E0105A}
2016-08-29 21:30 - 2016-08-29 21:30 - 00000000 ____D C:\Users\Deanna\AppData\Local\{7B5FCB9E-7C2A-4B30-A547-06DE8CF62C16}
2016-08-29 21:12 - 2016-08-29 21:12 - 00000000 ____D C:\Users\Deanna\AppData\Local\{2B675941-3A31-4406-82E3-762A86CB855A}
2016-08-29 02:38 - 2016-08-29 02:38 - 00000000 ____D C:\Users\Deanna\AppData\Local\{94C28713-753E-401B-A229-6AFE506E629D}
2016-08-28 12:04 - 2016-08-28 12:04 - 00000000 ____D C:\Users\Deanna\AppData\Local\{F34080EE-59B2-43CA-8F58-F660E516B9E3}
2016-08-27 21:38 - 2016-08-27 21:38 - 00000000 ____D C:\Users\Deanna\AppData\Local\{0ADFBD61-5228-4F88-B2F0-2AE2A20D08EF}
2016-08-19 12:14 - 2016-08-19 12:14 - 00000000 ____D C:\Users\Deanna\AppData\Local\{E7AF2430-702B-4A80-A669-B2F186173587}
2016-08-18 13:05 - 2016-08-18 13:05 - 00000000 ____D C:\Users\Deanna\AppData\Local\{BE9DC55A-A733-44B0-B1DA-483540760FFE}
2016-08-17 19:17 - 2016-07-08 11:32 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2016-08-17 19:17 - 2016-07-08 11:16 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2016-08-17 11:42 - 2016-08-17 11:42 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C2124D09-6EC7-4BED-AC6C-68B1EB99E6EB}
2016-08-16 19:12 - 2016-08-16 19:12 - 00000000 ____D C:\Users\Deanna\AppData\Local\{40F0B3AA-20B1-4014-B417-EBB470036DB3}
2016-08-16 02:41 - 2016-08-16 02:41 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C4748EF6-3C8D-4896-91BA-02EE60C0339D}
2016-08-15 13:21 - 2016-08-15 13:21 - 00000000 ____D C:\Users\Deanna\AppData\Local\{A6610531-5D36-4F71-9BE8-CAB8B5867F13}
2016-08-14 15:36 - 2016-08-14 15:36 - 00000000 ____D C:\Users\Deanna\AppData\Local\{DF3BCF99-81FA-491B-B079-CA738B5FAE49}
2016-08-13 15:51 - 2016-08-13 15:51 - 00000000 ____D C:\Users\Deanna\AppData\Local\{D622B1B3-2F91-4B03-95E1-9DF299E325AC}
2016-08-13 01:57 - 2016-08-13 01:57 - 00000000 ____D C:\Users\Deanna\AppData\Local\{0B88B512-2E9E-41D6-9DCF-76BCEBB2D7D3}
2016-08-12 13:16 - 2016-08-12 13:16 - 00000000 ____D C:\Users\Deanna\AppData\Local\{BC24E0F1-FDDE-4236-909D-958AC7B2AB21}
2016-08-11 13:35 - 2016-08-11 13:35 - 00000000 ____D C:\Users\Deanna\AppData\Local\{D44BD246-DF72-43DF-A434-FE947B58DC60}
2016-08-10 21:33 - 2016-07-08 11:37 - 00154856 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2016-08-10 21:33 - 2016-07-08 11:37 - 00095464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2016-08-10 21:33 - 2016-07-08 11:32 - 01464320 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 01212928 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00730624 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00463872 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00343552 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00316416 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00312320 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00190464 _____ (Microsoft Corporation) C:\windows\system32\rpchttp.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00135680 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\cryptbase.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00028672 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2016-08-10 21:33 - 2016-07-08 11:32 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2016-08-10 21:33 - 2016-07-08 11:17 - 00666112 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2016-08-10 21:33 - 2016-07-08 11:17 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00553472 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00342528 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00260608 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00251392 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00223232 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00141312 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpchttp.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2016-08-10 21:33 - 2016-07-08 11:16 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2016-08-10 21:33 - 2016-07-08 11:03 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2016-08-10 21:33 - 2016-07-08 10:57 - 00159744 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb.sys
2016-08-10 21:33 - 2016-07-08 10:56 - 00291328 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb10.sys
2016-08-10 21:33 - 2016-07-08 10:56 - 00129536 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb20.sys
2016-08-10 21:33 - 2016-07-08 10:55 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2016-08-10 21:33 - 2016-07-08 10:55 - 00030720 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2016-08-10 21:33 - 2016-07-08 10:50 - 00036352 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptbase.dll
2016-08-10 21:32 - 2016-08-02 10:54 - 00394440 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2016-08-10 21:32 - 2016-08-02 10:08 - 00346312 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2016-08-10 21:32 - 2016-08-02 02:54 - 25808384 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2016-08-10 21:32 - 2016-08-02 02:47 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2016-08-10 21:32 - 2016-08-02 02:47 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2016-08-10 21:32 - 2016-08-02 02:32 - 02894336 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2016-08-10 21:32 - 2016-08-02 02:32 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2016-08-10 21:32 - 2016-08-02 02:31 - 00572416 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2016-08-10 21:32 - 2016-08-02 02:31 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2016-08-10 21:32 - 2016-08-02 02:31 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2016-08-10 21:32 - 2016-08-02 02:31 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2016-08-10 21:32 - 2016-08-02 02:24 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2016-08-10 21:32 - 2016-08-02 02:23 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2016-08-10 21:32 - 2016-08-02 02:20 - 00615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2016-08-10 21:32 - 2016-08-02 02:19 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2016-08-10 21:32 - 2016-08-02 02:19 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2016-08-10 21:32 - 2016-08-02 02:18 - 06047744 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2016-08-10 21:32 - 2016-08-02 02:18 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2016-08-10 21:32 - 2016-08-02 02:18 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2016-08-10 21:32 - 2016-08-02 02:11 - 00969216 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2016-08-10 21:32 - 2016-08-02 02:08 - 00489984 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2016-08-10 21:32 - 2016-08-02 02:03 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2016-08-10 21:32 - 2016-08-02 02:00 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2016-08-10 21:32 - 2016-08-02 01:59 - 00107520 _____ (Microsoft Corporation) C:\windows\system32\inseng.dll
2016-08-10 21:32 - 2016-08-02 01:56 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2016-08-10 21:32 - 2016-08-02 01:55 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2016-08-10 21:32 - 2016-08-02 01:54 - 20343808 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2016-08-10 21:32 - 2016-08-02 01:53 - 00315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2016-08-10 21:32 - 2016-08-02 01:51 - 00497664 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2016-08-10 21:32 - 2016-08-02 01:51 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2016-08-10 21:32 - 2016-08-02 01:51 - 00152064 _____ (Microsoft Corporation) C:\windows\system32\occache.dll
2016-08-10 21:32 - 2016-08-02 01:51 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2016-08-10 21:32 - 2016-08-02 01:51 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2016-08-10 21:32 - 2016-08-02 01:50 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2016-08-10 21:32 - 2016-08-02 01:47 - 02286592 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2016-08-10 21:32 - 2016-08-02 01:45 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2016-08-10 21:32 - 2016-08-02 01:44 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2016-08-10 21:32 - 2016-08-02 01:42 - 00476160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2016-08-10 21:32 - 2016-08-02 01:41 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2016-08-10 21:32 - 2016-08-02 01:41 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2016-08-10 21:32 - 2016-08-02 01:41 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2016-08-10 21:32 - 2016-08-02 01:40 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2016-08-10 21:32 - 2016-08-02 01:38 - 00806400 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2016-08-10 21:32 - 2016-08-02 01:38 - 00724992 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2016-08-10 21:32 - 2016-08-02 01:37 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2016-08-10 21:32 - 2016-08-02 01:36 - 02131456 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2016-08-10 21:32 - 2016-08-02 01:33 - 00416256 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2016-08-10 21:32 - 2016-08-02 01:29 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-08-10 21:32 - 2016-08-02 01:28 - 15412224 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2016-08-10 21:32 - 2016-08-02 01:28 - 00091136 _____ (Microsoft Corporation) C:\windows\SysWOW64\inseng.dll
2016-08-10 21:32 - 2016-08-02 01:26 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2016-08-10 21:32 - 2016-08-02 01:25 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2016-08-10 21:32 - 2016-08-02 01:24 - 00279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2016-08-10 21:32 - 2016-08-02 01:23 - 02868224 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2016-08-10 21:32 - 2016-08-02 01:22 - 00130048 _____ (Microsoft Corporation) C:\windows\SysWOW64\occache.dll
2016-08-10 21:32 - 2016-08-02 01:21 - 04608000 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2016-08-10 21:32 - 2016-08-02 01:16 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2016-08-10 21:32 - 2016-08-02 01:15 - 00692736 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2016-08-10 21:32 - 2016-08-02 01:14 - 02055680 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2016-08-10 21:32 - 2016-08-02 01:14 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2016-08-10 21:32 - 2016-08-02 01:11 - 13808128 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2016-08-10 21:32 - 2016-08-02 01:10 - 01550848 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2016-08-10 21:32 - 2016-08-02 00:59 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2016-08-10 21:32 - 2016-08-02 00:56 - 02393088 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2016-08-10 21:32 - 2016-08-02 00:53 - 01316352 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2016-08-10 21:32 - 2016-08-02 00:51 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2016-08-10 21:31 - 2016-07-08 11:01 - 03218944 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2016-08-10 21:09 - 2016-08-10 21:09 - 00000000 ____D C:\Users\Deanna\AppData\Local\{45311FE5-0C99-4804-8576-07BF9B44CC2D}
2016-08-10 01:37 - 2016-08-10 01:37 - 00000000 ____D C:\Users\Deanna\AppData\Local\{538D4AB4-518B-4D59-8D96-316FA253278E}
2016-08-09 13:17 - 2016-08-09 13:17 - 00000000 ____D C:\Users\Deanna\AppData\Local\{1AAE5150-8DB5-4540-A392-1A6427FCEA78}
2016-08-08 13:27 - 2016-08-08 13:27 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C50BE185-CA2F-466F-92B2-A4F019D1FDC6}
2016-08-07 14:17 - 2016-08-07 14:17 - 00000000 ____D C:\Users\Deanna\AppData\Local\{3D976413-2094-40AE-98C1-E55440890DF8}
2016-08-07 02:03 - 2016-08-07 02:03 - 00000000 ____D C:\Users\Deanna\AppData\Local\{05C49673-8046-4305-B205-4EBAB34A63D0}
2016-08-06 04:25 - 2016-08-06 04:25 - 00000000 ____D C:\Users\Deanna\AppData\Local\{713B0D39-4C04-4AAF-B981-13B2CD00B320}
2016-08-05 12:01 - 2016-08-05 12:01 - 00000000 ____D C:\Users\Deanna\AppData\Local\{B2F7674D-0D2E-4626-BF6E-838BC199F358}
2016-08-04 23:47 - 2016-08-04 23:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{1AF20376-D011-4068-89CD-FC8350AF6384}
2016-08-04 03:35 - 2016-08-04 03:35 - 00000000 ____D C:\Users\Deanna\AppData\Local\{2458C204-1F93-4E44-900E-340DEA1BE546}
2016-08-03 04:47 - 2016-08-03 04:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{60D9F90F-7469-4BDB-88A5-C6528D5C5CF6}
2016-08-02 13:47 - 2016-08-02 13:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{5147390D-8766-41F9-9CD2-616022A47037}
2016-08-01 19:23 - 2016-08-01 19:23 - 00000000 ____D C:\Users\Deanna\AppData\Local\{FD93E5BC-4272-4FC3-BCEC-45476584E8AD}

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-31 00:06 - 2016-07-13 00:50 - 00000000 ____D C:\Users\Deanna\Downloads\FRST-OlderVersion
2016-08-31 00:06 - 2016-06-22 02:58 - 00022082 _____ C:\Users\Deanna\Downloads\FRST.txt
2016-08-31 00:06 - 2016-06-22 02:57 - 00000000 ____D C:\FRST
2016-08-31 00:06 - 2016-06-22 02:52 - 02397696 _____ (Farbar) C:\Users\Deanna\Downloads\FRST64.exe
2016-08-30 23:43 - 2014-10-07 01:32 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-30 23:41 - 2014-10-07 01:32 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-30 22:50 - 2009-07-14 00:45 - 00024608 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-30 22:50 - 2009-07-14 00:45 - 00024608 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-30 22:45 - 2015-02-01 16:03 - 00113880 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-30 22:37 - 2014-10-07 01:33 - 00000000 ___RD C:\Users\Deanna\Google Drive
2016-08-30 22:33 - 2014-12-17 21:45 - 00003922 _____ C:\windows\System32\Tasks\avast! Emergency Update
2016-08-30 22:33 - 2012-06-09 18:53 - 00000000 ____D C:\Users\Deanna
2016-08-30 22:33 - 2011-10-21 23:37 - 00000000 ____D C:\ProgramData\Trend Micro
2016-08-30 22:32 - 2016-06-14 15:09 - 00037144 _____ (AVAST Software) C:\windows\system32\Drivers\aswKbd.sys
2016-08-30 22:32 - 2014-12-17 21:44 - 00969560 _____ (AVAST Software) C:\windows\system32\Drivers\aswSnx.sys
2016-08-30 22:32 - 2014-12-17 21:44 - 00513496 _____ (AVAST Software) C:\windows\system32\Drivers\aswSP.sys
2016-08-30 22:32 - 2014-12-17 21:44 - 00292704 _____ (AVAST Software) C:\windows\system32\Drivers\aswVmm.sys
2016-08-30 22:32 - 2014-12-17 21:44 - 00163416 _____ (AVAST Software) C:\windows\system32\Drivers\aswStm.sys
2016-08-30 22:32 - 2014-12-17 21:44 - 00108816 _____ (AVAST Software) C:\windows\system32\Drivers\aswMonFlt.sys
2016-08-30 22:32 - 2014-12-17 21:44 - 00103064 _____ (AVAST Software) C:\windows\system32\Drivers\aswRdr2.sys
2016-08-30 22:32 - 2014-12-17 21:44 - 00074544 _____ (AVAST Software) C:\windows\system32\Drivers\aswRvrt.sys
2016-08-30 22:32 - 2014-12-17 21:44 - 00037656 _____ (AVAST Software) C:\windows\system32\Drivers\aswHwid.sys
2016-08-30 22:29 - 2016-07-13 00:00 - 00003892 _____ C:\windows\System32\Tasks\SafeZone scheduled Autoupdate 1461520116
2016-08-30 22:29 - 2014-12-17 21:50 - 00001926 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-08-30 22:29 - 2014-12-17 21:44 - 00473592 _____ (AVAST Software) C:\windows\system32\Drivers\aswsp.sys.147261055277905
2016-08-30 22:29 - 2014-12-17 21:44 - 00292704 _____ (AVAST Software) C:\windows\system32\Drivers\aswvmm.sys.147261055226307
2016-08-30 22:27 - 2014-12-17 21:44 - 00473592 _____ (AVAST Software) C:\windows\system32\Drivers\aswsp.sys.147261055079802
2016-08-30 22:27 - 2014-12-17 21:44 - 00290088 _____ (AVAST Software) C:\windows\system32\Drivers\aswvmm.sys.147261055204506
2016-08-30 22:25 - 2009-07-14 01:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-08-30 22:23 - 2015-12-03 19:29 - 00000000 ____D C:\windows\System32\Tasks\AVAST Software
2016-08-30 22:20 - 2009-07-13 23:20 - 00000000 ____D C:\windows\registration
2016-08-30 22:19 - 2014-08-24 13:49 - 00000000 ____D C:\Users\Deanna\Documents\Fax
2016-08-30 22:19 - 2012-06-16 23:26 - 00000000 ____D C:\Users\Deanna\AppData\Roaming\SoftGrid Client
2016-08-30 22:16 - 2016-01-27 00:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk
2016-08-30 22:16 - 2015-06-09 01:40 - 00000000 ___HD C:\ProgramData\CanonIJScan
2016-08-30 22:16 - 2015-06-09 01:13 - 00000000 ___HD C:\ProgramData\CanonBJ
2016-08-30 22:16 - 2015-06-09 01:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
2016-08-30 22:16 - 2015-02-01 16:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-30 22:16 - 2015-02-01 16:02 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-30 22:16 - 2015-01-30 03:34 - 00000000 ____D C:\ProgramData\Virtualized Applications
2016-08-30 22:16 - 2014-12-17 21:37 - 00000000 ____D C:\ProgramData\AVAST Software
2016-08-30 22:16 - 2014-11-22 03:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iSkysoft
2016-08-30 22:16 - 2014-05-01 22:51 - 00000000 ____D C:\ProgramData\Apple Computer
2016-08-30 22:16 - 2014-05-01 22:49 - 00000000 ____D C:\ProgramData\Apple
2016-08-30 22:16 - 2013-10-27 01:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PopCap Games
2016-08-30 22:16 - 2013-10-16 23:56 - 00000000 ____D C:\ProgramData\Oracle
2016-08-30 22:16 - 2013-03-16 03:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAZ 3D
2016-08-30 22:16 - 2013-03-16 03:11 - 00000000 ____D C:\ProgramData\DAZ 3D
2016-08-30 22:16 - 2012-06-18 23:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Starter (English)
2016-08-30 22:16 - 2011-10-21 23:23 - 00000000 __HDC C:\ProgramData\{37272A44-A110-4EB7-A5EF-88B2A05A08C4}
2016-08-30 22:16 - 2011-10-21 23:16 - 00000000 ____D C:\ProgramData\Adobe
2016-08-30 22:16 - 2011-10-21 23:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ASUS
2016-08-30 22:14 - 2016-07-07 14:32 - 00000000 ____D C:\AdwCleaner
2016-08-30 22:14 - 2012-06-16 23:34 - 00000000 __RHD C:\MSOCache
2016-08-30 20:31 - 2015-01-29 00:13 - 00000000 ____D C:\ProgramData\Windows Genuine Advantage
2016-08-30 20:31 - 2014-12-17 21:36 - 00000000 ____D C:\Users\Deanna\Documents\Amazon Downloader Logs
2016-08-30 20:31 - 2012-06-17 03:10 - 00000000 ____D C:\ProgramData\VirtualizedApplications
2016-08-30 20:30 - 2013-10-27 01:01 - 00000000 ____D C:\ProgramData\SpinTop Games
2016-08-30 20:30 - 2013-10-27 01:01 - 00000000 ____D C:\ProgramData\PopCap Games
2016-08-30 20:30 - 2013-10-16 23:55 - 00000000 ____D C:\ProgramData\Sun
2016-08-30 20:30 - 2013-06-24 18:20 - 00000000 ____D C:\ProgramData\MR APP
2016-08-30 20:30 - 2011-10-21 22:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\User Manual
2016-08-30 20:29 - 2016-07-05 22:53 - 00000000 ____D C:\Case Invoices
2016-08-30 20:29 - 2015-09-13 03:22 - 00000000 ____D C:\AVAST Software
2016-08-30 20:29 - 2015-09-10 03:24 - 00000000 ____D C:\93dbd52bd8f07c82f3780608
2016-08-30 20:29 - 2015-06-09 01:41 - 00000000 ___HD C:\ProgramData\CanonIJMIG
2016-08-30 20:29 - 2015-06-09 01:38 - 00000000 ___HD C:\ProgramData\CanonIJQuickMenu
2016-08-30 20:29 - 2015-06-09 01:34 - 00000000 ____D C:\ProgramData\Canon IJ Network Tool
2016-08-30 20:29 - 2015-06-09 01:20 - 00000000 ____D C:\ProgramData\CanonIJWSpt
2016-08-30 20:29 - 2015-06-09 01:06 - 00000000 ____D C:\ProgramData\CanonIJPLM
2016-08-30 20:29 - 2015-01-24 02:50 - 00000000 ____D C:\ProgramData\Autodesk
2016-08-30 20:29 - 2014-12-18 18:33 - 00000000 ____D C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2016-08-30 20:29 - 2014-11-22 15:35 - 00000000 ____D C:\Data Recovery 2014-11-22 at 14.35.09
2016-08-30 20:29 - 2014-11-22 05:20 - 00000000 ____D C:\Data Recovery 2014-11-22 at 04.20.01
2016-08-30 20:29 - 2014-07-16 00:45 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2016-08-30 20:29 - 2013-10-16 23:52 - 00000000 ____D C:\ProgramData\McAfee
2016-08-30 20:29 - 2013-03-16 02:00 - 00000000 ____D C:\ProgramData\Google
2016-08-30 20:29 - 2012-06-09 18:57 - 00000000 ____D C:\ProgramData\ATI
2016-08-30 20:29 - 2011-10-21 23:23 - 00000000 ____D C:\ProgramData\Best Buy pc app
2016-08-30 20:29 - 2011-10-21 23:12 - 00000000 ____D C:\ProgramData\AMD
2016-08-18 00:44 - 2014-12-16 14:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2016-08-17 01:57 - 2012-06-14 17:58 - 00000000 ____D C:\Program Files\Lx_cats
2016-08-12 04:16 - 2009-07-14 00:45 - 00267672 _____ C:\windows\system32\FNTCACHE.DAT
2016-08-11 03:09 - 2013-07-15 03:00 - 00000000 ____D C:\windows\system32\MRT
2016-08-11 03:02 - 2012-09-01 22:11 - 147640136 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe

==================== Files in the root of some directories =======

2016-08-30 20:31 - 2016-08-30 20:31 - 0002124 _____ () C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 0003192 _____ () C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 0002124 _____ () C:\ProgramData\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 0003192 _____ () C:\ProgramData\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 3174160 _____ () C:\ProgramData\spl6bbb.tmp.id_8091818e5c3bb547_email_enc2@dr.com_.scl
2016-08-30 20:29 - 2016-08-30 20:29 - 3174160 _____ () C:\ProgramData\spldb6e.tmp.id_8091818e5c3bb547_email_enc2@dr.com_.scl

Some files in TEMP:
====================
C:\Users\Deanna\AppData\Local\Temp\8gm4jpbf.dll
C:\Users\Deanna\AppData\Local\Temp\AcDeltree.exe
C:\Users\Deanna\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Deanna\AppData\Local\Temp\libeay32.dll
C:\Users\Deanna\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Deanna\AppData\Local\Temp\msvcr120.dll
C:\Users\Deanna\AppData\Local\Temp\Quarantine.exe
C:\Users\Deanna\AppData\Local\Temp\setup.exe
C:\Users\Deanna\AppData\Local\Temp\sqlite3.dll
C:\Users\Deanna\AppData\Local\Temp\uninstall.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-05-04 03:50

==================== End of FRST.txt ============================





#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 02 September 2016 - 09:51 AM

Hi NINTR :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system. I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full-time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Please give me a few hours to review your logs and come up with a reply.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 02 September 2016 - 10:17 AM

Alright, thank you for waiting.

Let me start off by giving you my condolences for your loss, it's never easy to lose a family member.

Now, as for your current situation, unfortunately I don't have good news. Like you've been told already, you were hit with a Ransomware dubbed CryptoMix, and quietman redirected you to its support thread.

http://www.bleepingcomputer.com/forums/t/625286/need-help-please-someone-help-me-stop-this-encryption-virus-of-some-kind/#entry4075021

From the support thread, we can see that there is currently no way to decrypt the files encrypted by CryptoMix for free (without paying the ransom), so sadly, there's nothing more we can do here to assist you. What I can do, however, is help you clean the ransom notes left behind by CryptoMix and also remove the startup entries for them so they won't open every time you restart your computer. Meanwhile, what I suggest you do is back up all the encrypted files somewhere safe (on an external hard drive, USB, etc.) and keep them. In the future, it's possible that someone comes up with a way to decrypt these files for free.

I don't understand where these keep coming from! I can't take this anymore! I've been hit by three of these! I don't use my computer for much other than a little bit of internet browsing and some email.


Ransomware is delivered via multiple attack vectors, mostly emails with malicious attachments, Exploit Kits, Social Engineering, etc. I don't know how CryptoMix is being delivered to users, nor does the article linked by quietman in your last thread state it. If you want to know how to protect yourself from such infections, you should read quietman's guide on the best security practices.

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

At the end of this thread, I'll post my own recommendations to protect yourself against Ransomware.

For now, let's clean these ransom notes and their startups using FRST. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    CreateRestorePoint:
    
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.HTML [2016-08-30] ()
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.TXT [2016-08-30] ()
    
    ProxyServer: [S-1-5-21-492531289-1107910523-2460122450-1001] => http=127.0.0.1:16110;https=127.0.0.1:16110
    ProxyServer: [S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:16110;https=127.0.0.1:16110
    
    FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
    FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
    
    C:\93dbd52bd8f07c82f3780608
    C:\ProgramData\Best Buy pc app
    C:\Users\Deanna\AppData\Local\{830F824D-FD13-483E-A5DB-79C1F82CE7B8}
    2016-08-30 13:16 - 2016-08-30 13:16 - 00000000 ____D C:\Users\Deanna\AppData\Local\{78D9EE5A-EC83-47B2-98F3-B8BF31E0105A}
    2016-08-29 21:30 - 2016-08-29 21:30 - 00000000 ____D C:\Users\Deanna\AppData\Local\{7B5FCB9E-7C2A-4B30-A547-06DE8CF62C16}
    2016-08-29 21:12 - 2016-08-29 21:12 - 00000000 ____D C:\Users\Deanna\AppData\Local\{2B675941-3A31-4406-82E3-762A86CB855A}
    2016-08-29 02:38 - 2016-08-29 02:38 - 00000000 ____D C:\Users\Deanna\AppData\Local\{94C28713-753E-401B-A229-6AFE506E629D}
    2016-08-28 12:04 - 2016-08-28 12:04 - 00000000 ____D C:\Users\Deanna\AppData\Local\{F34080EE-59B2-43CA-8F58-F660E516B9E3}
    2016-08-27 21:38 - 2016-08-27 21:38 - 00000000 ____D C:\Users\Deanna\AppData\Local\{0ADFBD61-5228-4F88-B2F0-2AE2A20D08EF}
    2016-08-19 12:14 - 2016-08-19 12:14 - 00000000 ____D C:\Users\Deanna\AppData\Local\{E7AF2430-702B-4A80-A669-B2F186173587}
    2016-08-18 13:05 - 2016-08-18 13:05 - 00000000 ____D C:\Users\Deanna\AppData\Local\{BE9DC55A-A733-44B0-B1DA-483540760FFE}
    2016-08-17 11:42 - 2016-08-17 11:42 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C2124D09-6EC7-4BED-AC6C-68B1EB99E6EB}
    2016-08-16 19:12 - 2016-08-16 19:12 - 00000000 ____D C:\Users\Deanna\AppData\Local\{40F0B3AA-20B1-4014-B417-EBB470036DB3}
    2016-08-16 02:41 - 2016-08-16 02:41 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C4748EF6-3C8D-4896-91BA-02EE60C0339D}
    2016-08-15 13:21 - 2016-08-15 13:21 - 00000000 ____D C:\Users\Deanna\AppData\Local\{A6610531-5D36-4F71-9BE8-CAB8B5867F13}
    2016-08-14 15:36 - 2016-08-14 15:36 - 00000000 ____D C:\Users\Deanna\AppData\Local\{DF3BCF99-81FA-491B-B079-CA738B5FAE49}
    2016-08-13 15:51 - 2016-08-13 15:51 - 00000000 ____D C:\Users\Deanna\AppData\Local\{D622B1B3-2F91-4B03-95E1-9DF299E325AC}
    2016-08-13 01:57 - 2016-08-13 01:57 - 00000000 ____D C:\Users\Deanna\AppData\Local\{0B88B512-2E9E-41D6-9DCF-76BCEBB2D7D3}
    2016-08-12 13:16 - 2016-08-12 13:16 - 00000000 ____D C:\Users\Deanna\AppData\Local\{BC24E0F1-FDDE-4236-909D-958AC7B2AB21}
    2016-08-11 13:35 - 2016-08-11 13:35 - 00000000 ____D C:\Users\Deanna\AppData\Local\{D44BD246-DF72-43DF-A434-FE947B58DC60}
    2016-08-10 21:09 - 2016-08-10 21:09 - 00000000 ____D C:\Users\Deanna\AppData\Local\{45311FE5-0C99-4804-8576-07BF9B44CC2D}
    2016-08-10 01:37 - 2016-08-10 01:37 - 00000000 ____D C:\Users\Deanna\AppData\Local\{538D4AB4-518B-4D59-8D96-316FA253278E}
    2016-08-09 13:17 - 2016-08-09 13:17 - 00000000 ____D C:\Users\Deanna\AppData\Local\{1AAE5150-8DB5-4540-A392-1A6427FCEA78}
    2016-08-08 13:27 - 2016-08-08 13:27 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C50BE185-CA2F-466F-92B2-A4F019D1FDC6}
    2016-08-07 14:17 - 2016-08-07 14:17 - 00000000 ____D C:\Users\Deanna\AppData\Local\{3D976413-2094-40AE-98C1-E55440890DF8}
    2016-08-07 02:03 - 2016-08-07 02:03 - 00000000 ____D C:\Users\Deanna\AppData\Local\{05C49673-8046-4305-B205-4EBAB34A63D0}
    2016-08-06 04:25 - 2016-08-06 04:25 - 00000000 ____D C:\Users\Deanna\AppData\Local\{713B0D39-4C04-4AAF-B981-13B2CD00B320}
    2016-08-05 12:01 - 2016-08-05 12:01 - 00000000 ____D C:\Users\Deanna\AppData\Local\{B2F7674D-0D2E-4626-BF6E-838BC199F358}
    2016-08-04 23:47 - 2016-08-04 23:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{1AF20376-D011-4068-89CD-FC8350AF6384}
    2016-08-04 03:35 - 2016-08-04 03:35 - 00000000 ____D C:\Users\Deanna\AppData\Local\{2458C204-1F93-4E44-900E-340DEA1BE546}
    2016-08-03 04:47 - 2016-08-03 04:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{60D9F90F-7469-4BDB-88A5-C6528D5C5CF6}
    2016-08-02 13:47 - 2016-08-02 13:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{5147390D-8766-41F9-9CD2-616022A47037}
    2016-08-01 19:23 - 2016-08-01 19:23 - 00000000 ____D C:\Users\Deanna\AppData\Local\{FD93E5BC-4272-4FC3-BCEC-45476584E8AD}
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:30 - 2016-08-30 20:30 - 00003192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:30 - 2016-08-30 20:30 - 00003192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:30 - 2016-08-30 20:30 - 00002124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:30 - 2016-08-30 20:30 - 00002124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\ProgramData\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\ProgramData\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\HELP_DECRYPT_YOUR_FILES.HTML
    
    EmptyTemp:
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;



#4 NINTR

NINTR
  • Topic Starter

  • Members
  • 57 posts
  • Local time:05:56 AM

Posted 02 September 2016 - 01:26 PM

Thank you for your sympathy. It's been a very hard year.

 

So I tried doing like you said, but I don't think I did it right. Seems the computer locked up at some point halfway through, but I believe this may have been a simple error. Is there a particular place where I need to save this fixlist.txt? I saved it in the download folder, which is where FRST is saved.

 

I had most of my stuff that was encrypted backed up on an external hard drive that was disconnected, so it's not like I lost anything huge. I learned from the last time to always back my stuff up. Until a decrypter is created, I'll just leave the files on the computer. I just don't understand where they keep coming from. I think I may have visited a weird site right before it hit that gave me an odd pop-up that stated I needed to sign in to my administrator account. Of course I didn't do it, and closed out of the pop-up, but apparently the damage had already been done, unfortunately. :(


Edited by NINTR, 02 September 2016 - 01:30 PM.


#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:04:56 AM

Posted 02 September 2016 - 01:27 PM

I usually recommend moving both the FRST.exe executable and the fixlist.txt to the desktop for ease of access. When you say the computer locked up, do you mean that you weren't able to move the mouse, press Ctrl/Alt/Del or anything else?



#6 NINTR

NINTR
  • Topic Starter

  • Members
  • 57 posts
  • Local time:05:56 AM

Posted 02 September 2016 - 02:12 PM

I usually recommend moving both the FRST.exe executable and the fixlist.txt to the desktop for ease of access. When you say the computer locked up, do you mean that you weren't able to move the mouse, press Ctrl/Alt/Del or anything else?

 

Yes, that's exactly what happened, but I was away from the computer when it happened, so all I know is the screen went to sleep and then I couldn't get it to come back up in spite of the computer still being on. No amount of wiggling the mouse, clicking or Ctrl/Alt/Del would get it to come up.

I just attempted to run FRST again, and it seems to be getting hung up in the "Creating Restore Point" section of the Fix. I can still move the mouse, but it won't go past it and anything else I try to click on will not work. Perhaps I just need to give it more time to work its way past that part of the Fix. I will try it again later on tonight when I am done running errands and I will let you know what happens. Thanks. :)



#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:04:56 AM

Posted 02 September 2016 - 02:13 PM

Yes, please give it more time, and if, when you come back, it's still hung at that stage, we'll remove that line from the fix :)



#8 NINTR

NINTR
  • Topic Starter

  • Members
  • 57 posts
  • Local time:05:56 AM

Posted 03 September 2016 - 01:57 AM

So I've tried it twice more over the course of the day and neither try was successful. It still gets hung up on "Creating a Restore Point" and won't go any further. After about 15 minutes of the green bar not moving, the computer itself freezes up, unable to move mouse, etc. Any ideas as to why this is happening? I copied and pasted the above text correctly. I've used FRST at least 10 times over the past year to get rid of these things, so I don't know why it's struggling this time.



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:04:56 AM

Posted 03 September 2016 - 06:38 AM

There's probably an issue with the Shadow Volume Copy service and Windows cannot create a restore point. Let's try without that instruction.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.HTML [2016-08-30] ()
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.TXT [2016-08-30] ()
    
    ProxyServer: [S-1-5-21-492531289-1107910523-2460122450-1001] => http=127.0.0.1:16110;https=127.0.0.1:16110
    ProxyServer: [S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:16110;https=127.0.0.1:16110
    
    FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
    FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
    
    C:\93dbd52bd8f07c82f3780608
    C:\ProgramData\Best Buy pc app
    C:\Users\Deanna\AppData\Local\{830F824D-FD13-483E-A5DB-79C1F82CE7B8}
    2016-08-30 13:16 - 2016-08-30 13:16 - 00000000 ____D C:\Users\Deanna\AppData\Local\{78D9EE5A-EC83-47B2-98F3-B8BF31E0105A}
    2016-08-29 21:30 - 2016-08-29 21:30 - 00000000 ____D C:\Users\Deanna\AppData\Local\{7B5FCB9E-7C2A-4B30-A547-06DE8CF62C16}
    2016-08-29 21:12 - 2016-08-29 21:12 - 00000000 ____D C:\Users\Deanna\AppData\Local\{2B675941-3A31-4406-82E3-762A86CB855A}
    2016-08-29 02:38 - 2016-08-29 02:38 - 00000000 ____D C:\Users\Deanna\AppData\Local\{94C28713-753E-401B-A229-6AFE506E629D}
    2016-08-28 12:04 - 2016-08-28 12:04 - 00000000 ____D C:\Users\Deanna\AppData\Local\{F34080EE-59B2-43CA-8F58-F660E516B9E3}
    2016-08-27 21:38 - 2016-08-27 21:38 - 00000000 ____D C:\Users\Deanna\AppData\Local\{0ADFBD61-5228-4F88-B2F0-2AE2A20D08EF}
    2016-08-19 12:14 - 2016-08-19 12:14 - 00000000 ____D C:\Users\Deanna\AppData\Local\{E7AF2430-702B-4A80-A669-B2F186173587}
    2016-08-18 13:05 - 2016-08-18 13:05 - 00000000 ____D C:\Users\Deanna\AppData\Local\{BE9DC55A-A733-44B0-B1DA-483540760FFE}
    2016-08-17 11:42 - 2016-08-17 11:42 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C2124D09-6EC7-4BED-AC6C-68B1EB99E6EB}
    2016-08-16 19:12 - 2016-08-16 19:12 - 00000000 ____D C:\Users\Deanna\AppData\Local\{40F0B3AA-20B1-4014-B417-EBB470036DB3}
    2016-08-16 02:41 - 2016-08-16 02:41 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C4748EF6-3C8D-4896-91BA-02EE60C0339D}
    2016-08-15 13:21 - 2016-08-15 13:21 - 00000000 ____D C:\Users\Deanna\AppData\Local\{A6610531-5D36-4F71-9BE8-CAB8B5867F13}
    2016-08-14 15:36 - 2016-08-14 15:36 - 00000000 ____D C:\Users\Deanna\AppData\Local\{DF3BCF99-81FA-491B-B079-CA738B5FAE49}
    2016-08-13 15:51 - 2016-08-13 15:51 - 00000000 ____D C:\Users\Deanna\AppData\Local\{D622B1B3-2F91-4B03-95E1-9DF299E325AC}
    2016-08-13 01:57 - 2016-08-13 01:57 - 00000000 ____D C:\Users\Deanna\AppData\Local\{0B88B512-2E9E-41D6-9DCF-76BCEBB2D7D3}
    2016-08-12 13:16 - 2016-08-12 13:16 - 00000000 ____D C:\Users\Deanna\AppData\Local\{BC24E0F1-FDDE-4236-909D-958AC7B2AB21}
    2016-08-11 13:35 - 2016-08-11 13:35 - 00000000 ____D C:\Users\Deanna\AppData\Local\{D44BD246-DF72-43DF-A434-FE947B58DC60}
    2016-08-10 21:09 - 2016-08-10 21:09 - 00000000 ____D C:\Users\Deanna\AppData\Local\{45311FE5-0C99-4804-8576-07BF9B44CC2D}
    2016-08-10 01:37 - 2016-08-10 01:37 - 00000000 ____D C:\Users\Deanna\AppData\Local\{538D4AB4-518B-4D59-8D96-316FA253278E}
    2016-08-09 13:17 - 2016-08-09 13:17 - 00000000 ____D C:\Users\Deanna\AppData\Local\{1AAE5150-8DB5-4540-A392-1A6427FCEA78}
    2016-08-08 13:27 - 2016-08-08 13:27 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C50BE185-CA2F-466F-92B2-A4F019D1FDC6}
    2016-08-07 14:17 - 2016-08-07 14:17 - 00000000 ____D C:\Users\Deanna\AppData\Local\{3D976413-2094-40AE-98C1-E55440890DF8}
    2016-08-07 02:03 - 2016-08-07 02:03 - 00000000 ____D C:\Users\Deanna\AppData\Local\{05C49673-8046-4305-B205-4EBAB34A63D0}
    2016-08-06 04:25 - 2016-08-06 04:25 - 00000000 ____D C:\Users\Deanna\AppData\Local\{713B0D39-4C04-4AAF-B981-13B2CD00B320}
    2016-08-05 12:01 - 2016-08-05 12:01 - 00000000 ____D C:\Users\Deanna\AppData\Local\{B2F7674D-0D2E-4626-BF6E-838BC199F358}
    2016-08-04 23:47 - 2016-08-04 23:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{1AF20376-D011-4068-89CD-FC8350AF6384}
    2016-08-04 03:35 - 2016-08-04 03:35 - 00000000 ____D C:\Users\Deanna\AppData\Local\{2458C204-1F93-4E44-900E-340DEA1BE546}
    2016-08-03 04:47 - 2016-08-03 04:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{60D9F90F-7469-4BDB-88A5-C6528D5C5CF6}
    2016-08-02 13:47 - 2016-08-02 13:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{5147390D-8766-41F9-9CD2-616022A47037}
    2016-08-01 19:23 - 2016-08-01 19:23 - 00000000 ____D C:\Users\Deanna\AppData\Local\{FD93E5BC-4272-4FC3-BCEC-45476584E8AD}
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:30 - 2016-08-30 20:30 - 00003192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:30 - 2016-08-30 20:30 - 00003192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:30 - 2016-08-30 20:30 - 00002124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:30 - 2016-08-30 20:30 - 00002124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\ProgramData\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\HELP_DECRYPT_YOUR_FILES.TXT
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\ProgramData\HELP_DECRYPT_YOUR_FILES.HTML
    2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\HELP_DECRYPT_YOUR_FILES.HTML
    
    EmptyTemp:
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;



#10 NINTR

NINTR
  • Topic Starter

  • Members
  • 57 posts
  • Local time:05:56 AM

Posted 03 September 2016 - 01:14 PM

Alright, I will give that a try soon. Thanks for helping. I really appreciate it. :)



#11 NINTR

NINTR
  • Topic Starter

  • Members
  • 57 posts
  • Local time:05:56 AM

Posted 04 September 2016 - 12:46 PM

So I ran the FRST scan last night, and it managed to remove everything (so it seems), but it got hung up for over an hour on "Fix in progress... deleting TempFile/InternetFile..." or something to that effect. After shutting it down and rebooting it, a number of the HELP_DECRYPT_YOUR_FILES things were gone, and none of them launched when I started up the computer. However, there are still quite a few of them left in some locations, such as my Pictures folder. Really unsure as to why FRST keeps getting stuck and not progressing.
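Two things a helper would check at this point are which fixlist items a run that hung never reached, and which ransom notes sit in folders the fixlist never listed (the Pictures folder mentioned above). The following is an added example written for this edit, not code from the thread, from FRST or from its author: it reconciles a Fixlog against its fixlist and walks a profile for leftover HELP_DECRYPT_YOUR_FILES.* notes, rendering them as bare-path lines for the next fixlist. The Fixlog line shapes ("=> moved successfully", "=> value removed successfully", "=> not found.") are taken from the log quoted in this thread; the sample fixlist, sample log, the SID in them and the directory tree are constructed for the example.

```python
"""Added example (editor's code, not from this thread, FRST or its author):
reconcile an FRST Fixlog with its fixlist, and list ransom notes left in
folders the fixlist never covered. Sample data below is constructed."""
import os
import re
import tempfile

RANSOM_NOTE_NAMES = {"HELP_DECRYPT_YOUR_FILES.TXT", "HELP_DECRYPT_YOUR_FILES.HTML"}

# Dated FRST scan line: "<date> <time> - <date> <time> - <size> <flags> <path>"
_DATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ \S+ (?P<path>.+)$")
# "Startup: <path> [date] ()" directive; the path is the startup file itself.
_STARTUP = re.compile(r"^Startup: (?P<path>.+?) \[\d{4}-\d{2}-\d{2}\]")
# Fixlog result line: "<item> => <outcome>"
_RESULT = re.compile(r"^(?P<item>.+?) => (?P<outcome>.+)$")


def fixlist_targets(fixlist_text):
    """Filesystem paths a fixlist asks FRST to remove. Registry directives
    (ProxyServer:, FF Plugin:) are skipped: the Fixlog reports those as keys."""
    targets = []
    for raw in fixlist_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank, or a command like EmptyTemp:
            continue
        m = _DATED.match(line) or _STARTUP.match(line)
        if m:
            targets.append(m.group("path"))
        elif re.match(r"^[A-Za-z]:\\", line):   # bare path line
            targets.append(line)
    return targets


def fixlog_outcomes(fixlog_text):
    """Map every item FRST reported on to its outcome text."""
    outcomes = {}
    for raw in fixlog_text.splitlines():
        m = _RESULT.match(raw.strip())
        if m:
            outcomes[m.group("item").strip('"')] = m.group("outcome").rstrip(".")
    return outcomes


def reconcile(fixlist_text, fixlog_text):
    """Split fixlist targets into (done, not_found, unprocessed); the last
    group is what a hung run never reached and belongs in the next fixlist."""
    outcomes = fixlog_outcomes(fixlog_text)
    done, not_found, unprocessed = [], [], []
    for path in fixlist_targets(fixlist_text):
        outcome = outcomes.get(path)
        if outcome is None:
            unprocessed.append(path)
        elif "not found" in outcome:
            not_found.append(path)
        else:
            done.append(path)
    return done, not_found, unprocessed


def find_ransom_notes(root, names=RANSOM_NOTE_NAMES):
    """Walk root and return every file whose name is a known ransom-note name."""
    wanted = {n.upper() for n in names}
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files if f.upper() in wanted)
    return sorted(found)


def to_fixlist(paths):
    """Render paths as the bare-path lines FRST accepts in a fixlist."""
    return "".join(p + "\n" for p in paths)


def build_sample_tree():
    """Constructed profile: two notes under Pictures plus an untouched photo."""
    root = tempfile.mkdtemp(prefix="profile_")
    os.makedirs(os.path.join(root, "Pictures", "2015"))
    for rel in (("Pictures", "HELP_DECRYPT_YOUR_FILES.TXT"),
                ("Pictures", "2015", "HELP_DECRYPT_YOUR_FILES.HTML"),
                ("Pictures", "2015", "holiday.jpg")):
        with open(os.path.join(root, *rel), "w") as fh:
            fh.write("sample\n")
    return root


# Constructed fixlist; the SID is a placeholder.
SAMPLE_FIXLIST = r"""CloseProcesses:

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.HTML [2016-08-30] ()

ProxyServer: [S-1-5-21-0-0-0-1001] => http=127.0.0.1:16110;https=127.0.0.1:16110

C:\ProgramData\Best Buy pc app
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\HELP_DECRYPT_YOUR_FILES.HTML

EmptyTemp:
"""

# Constructed Fixlog, cut short before the last item as a hung run would be.
SAMPLE_FIXLOG = r"""Processes closed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
C:\ProgramData\Best Buy pc app => moved successfully
"C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.TXT" => not found.
"""

if __name__ == "__main__":
    done, not_found, unprocessed = reconcile(SAMPLE_FIXLIST, SAMPLE_FIXLOG)
    print("done:", done, "\nnot found:", not_found, "\nstill to do:", unprocessed)
    print("leftover notes for the next fixlist:\n" + to_fixlist(find_ransom_notes(build_sample_tree())))
```

Run as-is, the script reports the root-level HTML note as unprocessed (the sample log stops before it) and prints the two notes found under Pictures in the form FRST takes in a fixlist; pointed at a real profile folder, `find_ransom_notes` produces the list of leftover notes the thread's fixlist would need.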



#12 NINTR

NINTR
  • Topic Starter

  • Members
  • 57 posts
  • Local time:05:56 AM

Posted 04 September 2016 - 01:42 PM

Here is the Fixlog.txt that FRST seemed to have created after I shut down and rebooted the computer.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016
Ran by Deanna (04-09-2016 01:40:18) Run:6
Running from C:\Users\Deanna\Desktop
Loaded Profiles: Deanna (Available Profiles: Deanna)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.HTML [2016-08-30] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.TXT [2016-08-30] ()

ProxyServer: [S-1-5-21-492531289-1107910523-2460122450-1001] => http=127.0.0.1:16110;https=127.0.0.1:16110
ProxyServer: [S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:16110;https=127.0.0.1:16110

FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]
FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll [No File]

C:\93dbd52bd8f07c82f3780608
C:\ProgramData\Best Buy pc app
C:\Users\Deanna\AppData\Local\{830F824D-FD13-483E-A5DB-79C1F82CE7B8}
2016-08-30 13:16 - 2016-08-30 13:16 - 00000000 ____D C:\Users\Deanna\AppData\Local\{78D9EE5A-EC83-47B2-98F3-B8BF31E0105A}
2016-08-29 21:30 - 2016-08-29 21:30 - 00000000 ____D C:\Users\Deanna\AppData\Local\{7B5FCB9E-7C2A-4B30-A547-06DE8CF62C16}
2016-08-29 21:12 - 2016-08-29 21:12 - 00000000 ____D C:\Users\Deanna\AppData\Local\{2B675941-3A31-4406-82E3-762A86CB855A}
2016-08-29 02:38 - 2016-08-29 02:38 - 00000000 ____D C:\Users\Deanna\AppData\Local\{94C28713-753E-401B-A229-6AFE506E629D}
2016-08-28 12:04 - 2016-08-28 12:04 - 00000000 ____D C:\Users\Deanna\AppData\Local\{F34080EE-59B2-43CA-8F58-F660E516B9E3}
2016-08-27 21:38 - 2016-08-27 21:38 - 00000000 ____D C:\Users\Deanna\AppData\Local\{0ADFBD61-5228-4F88-B2F0-2AE2A20D08EF}
2016-08-19 12:14 - 2016-08-19 12:14 - 00000000 ____D C:\Users\Deanna\AppData\Local\{E7AF2430-702B-4A80-A669-B2F186173587}
2016-08-18 13:05 - 2016-08-18 13:05 - 00000000 ____D C:\Users\Deanna\AppData\Local\{BE9DC55A-A733-44B0-B1DA-483540760FFE}
2016-08-17 11:42 - 2016-08-17 11:42 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C2124D09-6EC7-4BED-AC6C-68B1EB99E6EB}
2016-08-16 19:12 - 2016-08-16 19:12 - 00000000 ____D C:\Users\Deanna\AppData\Local\{40F0B3AA-20B1-4014-B417-EBB470036DB3}
2016-08-16 02:41 - 2016-08-16 02:41 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C4748EF6-3C8D-4896-91BA-02EE60C0339D}
2016-08-15 13:21 - 2016-08-15 13:21 - 00000000 ____D C:\Users\Deanna\AppData\Local\{A6610531-5D36-4F71-9BE8-CAB8B5867F13}
2016-08-14 15:36 - 2016-08-14 15:36 - 00000000 ____D C:\Users\Deanna\AppData\Local\{DF3BCF99-81FA-491B-B079-CA738B5FAE49}
2016-08-13 15:51 - 2016-08-13 15:51 - 00000000 ____D C:\Users\Deanna\AppData\Local\{D622B1B3-2F91-4B03-95E1-9DF299E325AC}
2016-08-13 01:57 - 2016-08-13 01:57 - 00000000 ____D C:\Users\Deanna\AppData\Local\{0B88B512-2E9E-41D6-9DCF-76BCEBB2D7D3}
2016-08-12 13:16 - 2016-08-12 13:16 - 00000000 ____D C:\Users\Deanna\AppData\Local\{BC24E0F1-FDDE-4236-909D-958AC7B2AB21}
2016-08-11 13:35 - 2016-08-11 13:35 - 00000000 ____D C:\Users\Deanna\AppData\Local\{D44BD246-DF72-43DF-A434-FE947B58DC60}
2016-08-10 21:09 - 2016-08-10 21:09 - 00000000 ____D C:\Users\Deanna\AppData\Local\{45311FE5-0C99-4804-8576-07BF9B44CC2D}
2016-08-10 01:37 - 2016-08-10 01:37 - 00000000 ____D C:\Users\Deanna\AppData\Local\{538D4AB4-518B-4D59-8D96-316FA253278E}
2016-08-09 13:17 - 2016-08-09 13:17 - 00000000 ____D C:\Users\Deanna\AppData\Local\{1AAE5150-8DB5-4540-A392-1A6427FCEA78}
2016-08-08 13:27 - 2016-08-08 13:27 - 00000000 ____D C:\Users\Deanna\AppData\Local\{C50BE185-CA2F-466F-92B2-A4F019D1FDC6}
2016-08-07 14:17 - 2016-08-07 14:17 - 00000000 ____D C:\Users\Deanna\AppData\Local\{3D976413-2094-40AE-98C1-E55440890DF8}
2016-08-07 02:03 - 2016-08-07 02:03 - 00000000 ____D C:\Users\Deanna\AppData\Local\{05C49673-8046-4305-B205-4EBAB34A63D0}
2016-08-06 04:25 - 2016-08-06 04:25 - 00000000 ____D C:\Users\Deanna\AppData\Local\{713B0D39-4C04-4AAF-B981-13B2CD00B320}
2016-08-05 12:01 - 2016-08-05 12:01 - 00000000 ____D C:\Users\Deanna\AppData\Local\{B2F7674D-0D2E-4626-BF6E-838BC199F358}
2016-08-04 23:47 - 2016-08-04 23:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{1AF20376-D011-4068-89CD-FC8350AF6384}
2016-08-04 03:35 - 2016-08-04 03:35 - 00000000 ____D C:\Users\Deanna\AppData\Local\{2458C204-1F93-4E44-900E-340DEA1BE546}
2016-08-03 04:47 - 2016-08-03 04:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{60D9F90F-7469-4BDB-88A5-C6528D5C5CF6}
2016-08-02 13:47 - 2016-08-02 13:47 - 00000000 ____D C:\Users\Deanna\AppData\Local\{5147390D-8766-41F9-9CD2-616022A47037}
2016-08-01 19:23 - 2016-08-01 19:23 - 00000000 ____D C:\Users\Deanna\AppData\Local\{FD93E5BC-4272-4FC3-BCEC-45476584E8AD}
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00003192 _____ C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:31 - 2016-08-30 20:31 - 00002124 _____ C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:30 - 2016-08-30 20:30 - 00003192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:30 - 2016-08-30 20:30 - 00003192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:30 - 2016-08-30 20:30 - 00002124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:30 - 2016-08-30 20:30 - 00002124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\Users\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\ProgramData\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00003192 _____ C:\HELP_DECRYPT_YOUR_FILES.TXT
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\Users\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\ProgramData\HELP_DECRYPT_YOUR_FILES.HTML
2016-08-30 20:29 - 2016-08-30 20:29 - 00002124 _____ C:\HELP_DECRYPT_YOUR_FILES.HTML

EmptyTemp:
*****************

Processes closed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
HKU\S-1-5-21-492531289-1107910523-2460122450-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-492531289-1107910523-2460122450-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
"HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0" => key removed successfully
C:\93dbd52bd8f07c82f3780608 => moved successfully
C:\ProgramData\Best Buy pc app => moved successfully
C:\Users\Deanna\AppData\Local\{830F824D-FD13-483E-A5DB-79C1F82CE7B8} => moved successfully
C:\Users\Deanna\AppData\Local\{78D9EE5A-EC83-47B2-98F3-B8BF31E0105A} => moved successfully
C:\Users\Deanna\AppData\Local\{7B5FCB9E-7C2A-4B30-A547-06DE8CF62C16} => moved successfully
C:\Users\Deanna\AppData\Local\{2B675941-3A31-4406-82E3-762A86CB855A} => moved successfully
C:\Users\Deanna\AppData\Local\{94C28713-753E-401B-A229-6AFE506E629D} => moved successfully
C:\Users\Deanna\AppData\Local\{F34080EE-59B2-43CA-8F58-F660E516B9E3} => moved successfully
C:\Users\Deanna\AppData\Local\{0ADFBD61-5228-4F88-B2F0-2AE2A20D08EF} => moved successfully
C:\Users\Deanna\AppData\Local\{E7AF2430-702B-4A80-A669-B2F186173587} => moved successfully
C:\Users\Deanna\AppData\Local\{BE9DC55A-A733-44B0-B1DA-483540760FFE} => moved successfully
C:\Users\Deanna\AppData\Local\{C2124D09-6EC7-4BED-AC6C-68B1EB99E6EB} => moved successfully
C:\Users\Deanna\AppData\Local\{40F0B3AA-20B1-4014-B417-EBB470036DB3} => moved successfully
C:\Users\Deanna\AppData\Local\{C4748EF6-3C8D-4896-91BA-02EE60C0339D} => moved successfully
C:\Users\Deanna\AppData\Local\{A6610531-5D36-4F71-9BE8-CAB8B5867F13} => moved successfully
C:\Users\Deanna\AppData\Local\{DF3BCF99-81FA-491B-B079-CA738B5FAE49} => moved successfully
C:\Users\Deanna\AppData\Local\{D622B1B3-2F91-4B03-95E1-9DF299E325AC} => moved successfully
C:\Users\Deanna\AppData\Local\{0B88B512-2E9E-41D6-9DCF-76BCEBB2D7D3} => moved successfully
C:\Users\Deanna\AppData\Local\{BC24E0F1-FDDE-4236-909D-958AC7B2AB21} => moved successfully
C:\Users\Deanna\AppData\Local\{D44BD246-DF72-43DF-A434-FE947B58DC60} => moved successfully
C:\Users\Deanna\AppData\Local\{45311FE5-0C99-4804-8576-07BF9B44CC2D} => moved successfully
C:\Users\Deanna\AppData\Local\{538D4AB4-518B-4D59-8D96-316FA253278E} => moved successfully
C:\Users\Deanna\AppData\Local\{1AAE5150-8DB5-4540-A392-1A6427FCEA78} => moved successfully
C:\Users\Deanna\AppData\Local\{C50BE185-CA2F-466F-92B2-A4F019D1FDC6} => moved successfully
C:\Users\Deanna\AppData\Local\{3D976413-2094-40AE-98C1-E55440890DF8} => moved successfully
C:\Users\Deanna\AppData\Local\{05C49673-8046-4305-B205-4EBAB34A63D0} => moved successfully
C:\Users\Deanna\AppData\Local\{713B0D39-4C04-4AAF-B981-13B2CD00B320} => moved successfully
C:\Users\Deanna\AppData\Local\{B2F7674D-0D2E-4626-BF6E-838BC199F358} => moved successfully
C:\Users\Deanna\AppData\Local\{1AF20376-D011-4068-89CD-FC8350AF6384} => moved successfully
C:\Users\Deanna\AppData\Local\{2458C204-1F93-4E44-900E-340DEA1BE546} => moved successfully
C:\Users\Deanna\AppData\Local\{60D9F90F-7469-4BDB-88A5-C6528D5C5CF6} => moved successfully
C:\Users\Deanna\AppData\Local\{5147390D-8766-41F9-9CD2-616022A47037} => moved successfully
C:\Users\Deanna\AppData\Local\{FD93E5BC-4272-4FC3-BCEC-45476584E8AD} => moved successfully
C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\Users\Deanna\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\Users\Deanna\Documents\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\Users\Deanna\Desktop\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\Users\Deanna\AppData\Roaming\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\Users\Deanna\AppData\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\Users\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\ProgramData\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\HELP_DECRYPT_YOUR_FILES.TXT => moved successfully
C:\Users\Public\Documents\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\Users\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\ProgramData\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully
C:\HELP_DECRYPT_YOUR_FILES.HTML => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8393924 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 884866342 B
Java, Flash, Steam htmlcache => 185706 B
Windows/system/drivers => 196062236 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 111097 B
systemprofile32 => 66356 B
LocalService => 0 B
NetworkService => 413738 B



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 AM

Posted 04 September 2016 - 01:58 PM

Good :) Please download RansomNoteCleaner by demonslay and run it.

http://www.bleepingcomputer.com/forums/t/617257/ransomnotecleaner-remove-ransom-notes-left-behind/

Check the "CryptoMix" box and click on Confirm. Once the search is done, review the files found to make sure they are all ransom notes (which means, you don't need them) and click on the Confirm for Deletion button.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 AM

Posted 07 September 2016 - 07:16 AM

Hi NINTR,

Are you still with me? Did you follow the instructions in my previous post?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 NINTR

NINTR
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 07 September 2016 - 01:33 PM

My apologies for the delay. I thought I had replied to this. I was unable to download the RansomNoteCleaner, as my computer seems to be blocking it. It thinks it is a dangerous file and won't allow it. Not sure how to get past it. :/



