Thread: My computer is crippled by ransomware

#1 Junior Member (Join Date: Jan 2015, Posts: 1)

    It appears to be called CryptoWall 3.0. Please help! I tried running Malwarebytes and CCleaner to no avail. Thanks in advance!

    FRST log
    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01
    Ran by Owner (administrator) on OWNER-PC on 30-01-2015 12:50:03
    Running from K:\
    Loaded Profiles: Owner (Available profiles: Owner)
    Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Digidesign, A Division of Avid Technology, Inc.) C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    (Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
    (Symantec Corporation) C:\Program Files\Norton Security\Engine\22.1.0.9\ns.exe
    (PACE Anti-Piracy, Inc.) C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
    () C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
    (Avid Technology, Inc.) C:\Windows\System32\M-AudioTaskBarIcon.exe
    (Symantec Corporation) C:\Program Files\Norton Security\Engine\22.1.0.9\ns.exe
    () C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
    (Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
    (Akamai Technologies, Inc.) C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe
    (Gemalto N.V.) C:\Users\Owner\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
    (Google Inc.) C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe
    (Dropbox, Inc.) C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
    (Akamai Technologies, Inc.) C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe
    () C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [M-Audio Taskbar Icon] => C:\Windows\system32\M-AudioTaskBarIcon.exe [643592 2009-10-02] (Avid Technology, Inc.)
    HKLM\...\Run: [SwitchBoard] => C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
    HKLM\...\Run: [] => [X]
    HKLM\...\Run: [DigidesignMMERefresh] => C:\Program Files\Digidesign\Drivers\MMERefresh.exe [77824 2009-08-14] (Digidesign, A Division of Avid Technology, Inc.)
    HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
    HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
    HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
    HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2007392 2014-04-01] (Wondershare)
    HKLM\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-29] (Akamai Technologies, Inc.)
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [SanDiskSecureAccess_Manager.exe] => C:\Users\Owner\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe [30705792 2012-02-14] (Gemalto N.V.)
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [iCloudServices] => C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [ApplePhotoStreams] => C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [Google Update] => C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [135664 2010-05-28] (Google Inc.)
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [ChromeUpdate] => C:\Users\Owner\AppData\Roaming\FrameworkUpdate\ChromeUpdate.exe
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Policies\Explorer: [NoInstrumentation] 1
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Policies\Explorer: [NofolderOptions] 0
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
    Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
    Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
    Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
    InternetURL: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/kfzNo0
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO: No Name -> {451C804F-C205-4F03-B48E-537EC94937BF} -> No File
    BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Security\Engine\22.1.0.9\coIEPlg.dll (Symantec Corporation)
    BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
    BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    BHO: Free Download Manager -> {CC59E0F9-7E43-44FA-9FAA-8377850BF205} -> C:\Program Files\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
    BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine\22.1.0.9\coIEPlg.dll (Symantec Corporation)
    Toolbar: HKU\S-1-5-21-2405337125-3894891454-2728286072-1000 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    Toolbar: HKU\S-1-5-21-2405337125-3894891454-2728286072-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine\22.1.0.9\coIEPlg.dll (Symantec Corporation)
    DPF: {297DE2B6-509A-4B36-93C5-A65276606900} http://www.in.honda.com/rraaapps/rra...X/RraainAX.CAB
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 - No File
    Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    StartMenuInternet: IEXPLORE.EXE - iexplore.exe

    FireFox:
    ========
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
    FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF Plugin: @ilok.com/iLokHelper,version=3.1.0.7 -> C:\Program Files\PACE Anti-Piracy\iLok\NPPaceILok.dll ( PACE Anti-Piracy, Inc)
    FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin HKU\S-1-5-21-2405337125-3894891454-2728286072-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKU\S-1-5-21-2405337125-3894891454-2728286072-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
    FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011-10-23]
    FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.0.0.110\coFFPlgn
    FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.0.0.110\coFFPlgn [2015-01-29]

    Chrome:
    =======
    CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
    CHR Extension: (Norton Identity Safe) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-10-12]
    CHR Extension: (Google Wallet) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-31]
    CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security\Engine\22.1.0.9\Exts\Chrome.crx [2014-12-19]
    CHR HKLM\...\Chrome\Extension: [hchpodijgngncfjhhnhfahlggabgaghl] - No Path
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
    StartMenuInternet: Google Chrome - chrome.exe

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 DigiRefresh; C:\Program Files\Digidesign\Drivers\MMERefresh.exe [77824 2009-08-14] (Digidesign, A Division of Avid Technology, Inc.) [File not signed]
    S3 digiSPTIService; C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe [159744 2009-08-14] (Digidesign, A Division of Avid Technology, Inc.) [File not signed]
    S3 jswpsapi; C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe [942080 2008-02-29] (Atheros Communications, Inc.) [File not signed]
    R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
    R2 NS; C:\Program Files\Norton Security\Engine\22.1.0.9\NS.exe [282528 2014-12-10] (Symantec Corporation)
    R2 PaceLicenseDServices; C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2932224 2011-09-08] (PACE Anti-Piracy, Inc.) [File not signed]
    S3 SwitchBoard; C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
    R2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
    R2 WSWNDA3100; C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe [278528 2009-06-04] () [File not signed]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S3 BCMH43XX; C:\Windows\System32\DRIVERS\bcmwlhigh6.sys [1092160 2011-04-19] (Broadcom Corporation)
    R1 BHDrvx86; C:\Program Files\Norton Security\NortonData\22.0.0.110\Definitions\BASHDefs\20141107.001\BHDrvx86.sys [1138392 2014-10-03] (Symantec Corporation)
    R1 ccSet_NS; C:\Windows\system32\drivers\NS\1601000.009\ccSetx86.sys [128728 2014-09-09] (Symantec Corporation)
    R2 DigiNet; C:\Windows\System32\DRIVERS\diginet.sys [16400 2009-08-15] (Digidesign, A Division of Avid Technology, Inc.)
    R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-08-27] (Symantec Corporation)
    R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-10-12] (Symantec Corporation)
    R1 IDSVix86; C:\Program Files\Norton Security\NortonData\22.0.0.110\Definitions\IPSDefs\20141108.001\IDSvix86.sys [476888 2014-10-10] (Symantec Corporation)
    R3 iLokDrvr; C:\Windows\System32\DRIVERS\iLokDrvr.sys [22736 2013-04-11] ()
    R3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
    S3 MAUSBFASTTRACK; C:\Windows\System32\DRIVERS\MAudioFastTrack.sys [158344 2009-10-02] (Avid Technology, Inc.)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-01-29] (Malwarebytes Corporation)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
    R3 NAVENG; C:\Program Files\Norton Security\NortonData\22.0.0.110\Definitions\VirusDefs\20141111.002\NAVENG.SYS [95704 2014-10-12] (Symantec Corporation)
    R3 NAVEX15; C:\Program Files\Norton Security\NortonData\22.0.0.110\Definitions\VirusDefs\20141111.002\NAVEX15.SYS [1636696 2014-10-12] (Symantec Corporation)
    S3 NPF; C:\Windows\System32\DRIVERS\npf.sys [34064 2007-11-07] (CACE Technologies)
    R0 SCMNdisP; C:\Windows\System32\DRIVERS\scmndisp.sys [21728 2007-01-19] (Windows (R) Codename Longhorn DDK provider)
    R3 SRTSP; C:\Windows\System32\Drivers\NS\1601000.009\SRTSP.SYS [699608 2014-12-02] (Symantec Corporation)
    R1 SRTSPX; C:\Windows\system32\drivers\NS\1601000.009\SRTSPX.SYS [36056 2014-09-09] (Symantec Corporation)
    R0 SymDS; C:\Windows\System32\drivers\NS\1601000.009\SYMDS.SYS [364760 2014-09-09] (Symantec Corporation)
    R0 SymEFA; C:\Windows\System32\drivers\NS\1601000.009\SYMEFA.SYS [939224 2014-09-09] (Symantec Corporation)
    R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [94424 2014-10-12] (Symantec Corporation)
    R1 SymIRON; C:\Windows\system32\drivers\NS\1601000.009\Ironx86.SYS [212696 2014-09-09] (Symantec Corporation)
    R1 SymNetS; C:\Windows\System32\Drivers\NS\1601000.009\SYMNETS.SYS [420056 2014-09-09] (Symantec Corporation)
    R0 TPkd; C:\Windows\system32\Drivers\TPkd.sys [94416 2013-04-11] (PACE Anti-Piracy, Inc.)
    S3 WN111v2; C:\Windows\System32\DRIVERS\WN111v2v.sys [449536 2008-09-30] (Atheros Communications, Inc.)
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    ==================== NetSvcs (Whitelisted) ===================


    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

    NETSVC: PGPsdkDriver -> No Registry Path.

    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-01-30 12:49 - 2015-01-30 12:50 - 00000000 ____D () C:\FRST
    2015-01-28 22:39 - 2015-01-28 23:00 - 00000000 ____D () C:\AdwCleaner
    2015-01-27 23:26 - 2015-01-27 23:26 - 00144624 _____ () C:\Windows\Minidump\012715-41043-01.dmp
    2015-01-27 02:08 - 2015-01-27 02:08 - 00008528 _____ () C:\Users\Owner\Desktop\HELP_DECRYPT.HTML
    2015-01-27 02:08 - 2015-01-27 02:08 - 00000272 _____ () C:\Users\Owner\Desktop\HELP_DECRYPT.URL
    2015-01-27 02:07 - 2015-01-27 02:07 - 00008528 _____ () C:\Users\Owner\HELP_DECRYPT.HTML
    2015-01-27 02:07 - 2015-01-27 02:07 - 00004204 _____ () C:\Users\Owner\HELP_DECRYPT.TXT
    2015-01-27 02:07 - 2015-01-27 02:07 - 00004204 _____ () C:\Users\Owner\Desktop\HELP_DECRYPT.TXT
    2015-01-27 02:07 - 2015-01-27 02:07 - 00000272 _____ () C:\Users\Owner\HELP_DECRYPT.URL
    2015-01-26 23:32 - 2015-01-26 23:32 - 00008528 _____ () C:\Users\Owner\Downloads\HELP_DECRYPT.HTML
    2015-01-26 23:32 - 2015-01-26 23:32 - 00004204 _____ () C:\Users\Owner\Downloads\HELP_DECRYPT.TXT
    2015-01-26 23:32 - 2015-01-26 23:32 - 00000272 _____ () C:\Users\Owner\Downloads\HELP_DECRYPT.URL
    2015-01-26 23:18 - 2015-01-26 23:18 - 00008528 _____ () C:\Users\Owner\Documents\HELP_DECRYPT.HTML
    2015-01-26 23:18 - 2015-01-26 23:18 - 00004204 _____ () C:\Users\Owner\Documents\HELP_DECRYPT.TXT
    2015-01-26 23:18 - 2015-01-26 23:18 - 00000272 _____ () C:\Users\Owner\Documents\HELP_DECRYPT.URL
    2015-01-26 21:20 - 2015-01-26 21:20 - 01051393 _____ () C:\Users\Owner\Desktop\08 adlids.wma
    2015-01-26 21:19 - 2015-01-26 21:20 - 01051393 _____ () C:\Users\Owner\Desktop\07 double.wma
    2015-01-26 21:19 - 2015-01-26 21:19 - 04158941 _____ () C:\Users\Owner\Desktop\05 mic titans(ruff 2.0).wma
    2015-01-26 21:19 - 2015-01-26 21:19 - 01051389 _____ () C:\Users\Owner\Desktop\06 lead.wma
    2015-01-26 20:16 - 2015-01-26 20:16 - 00008528 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.HTML
    2015-01-26 20:16 - 2015-01-26 20:16 - 00008528 _____ () C:\Users\Owner\AppData\HELP_DECRYPT.HTML
    2015-01-26 20:16 - 2015-01-26 20:16 - 00004204 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.TXT
    2015-01-26 20:16 - 2015-01-26 20:16 - 00004204 _____ () C:\Users\Owner\AppData\HELP_DECRYPT.TXT
    2015-01-26 20:16 - 2015-01-26 20:16 - 00000272 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.URL
    2015-01-26 20:16 - 2015-01-26 20:16 - 00000272 _____ () C:\Users\Owner\AppData\HELP_DECRYPT.URL
    2015-01-26 20:15 - 2015-01-26 20:15 - 00008528 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.HTML
    2015-01-26 20:15 - 2015-01-26 20:15 - 00004204 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.TXT
    2015-01-26 20:15 - 2015-01-26 20:15 - 00000272 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.URL
    2015-01-26 16:32 - 2015-01-26 16:32 - 03919893 _____ () C:\Users\Owner\Desktop\01 foundation(ruff).wma
    2015-01-26 16:32 - 2015-01-26 16:32 - 01039441 _____ () C:\Users\Owner\Desktop\04 adlibs.wma
    2015-01-26 16:32 - 2015-01-26 16:32 - 01039441 _____ () C:\Users\Owner\Desktop\03 double.wma
    2015-01-26 16:32 - 2015-01-26 16:32 - 01039437 _____ () C:\Users\Owner\Desktop\02 lead.wma
    2015-01-26 15:59 - 2015-01-26 20:49 - 00000000 ____D () C:\Users\Owner\Desktop\Beast From the East
    2015-01-26 15:56 - 2015-01-26 22:12 - 00000000 ____D () C:\Users\Owner\Desktop\EastPack
    2015-01-26 12:21 - 2015-01-26 12:21 - 69984432 _____ () C:\Users\Owner\Desktop\Fuck Everybody - BLeNd & BLuE.wav
    2015-01-25 13:08 - 2015-01-25 13:08 - 00008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
    2015-01-25 13:08 - 2015-01-25 13:08 - 00004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
    2015-01-25 13:08 - 2015-01-25 13:08 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
    2015-01-25 12:58 - 2015-01-25 12:58 - 00000416 ____H () C:\ProgramData\@system3.att
    2015-01-25 12:57 - 2015-01-27 23:27 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\FrameworkUpdate
    2015-01-25 12:57 - 2015-01-25 12:57 - 00000680 _____ () C:\ProgramData\@system.temp
    2015-01-25 12:57 - 2015-01-25 12:57 - 00000480 ____H () C:\Users\Owner\AppData\Roaming\麽鎒駓覜
    2015-01-25 12:56 - 2015-01-29 20:18 - 00000000 ___HD () C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
    2015-01-18 20:54 - 2015-01-18 20:54 - 04362175 _____ () C:\Users\Owner\Desktop\03 deticated vs.wma
    2015-01-18 20:54 - 2015-01-18 20:54 - 04344253 _____ () C:\Users\Owner\Desktop\04 deticated track.wma
    2015-01-18 20:54 - 2015-01-18 20:54 - 04308391 _____ () C:\Users\Owner\Desktop\01 wop track vs.wma
    2015-01-18 20:54 - 2015-01-18 20:54 - 04290457 _____ () C:\Users\Owner\Desktop\02 wop track.wma
    2015-01-18 19:11 - 2015-01-18 19:11 - 04158975 _____ () C:\Users\Owner\Desktop\08 libs.wma
    2015-01-18 19:10 - 2015-01-18 19:10 - 04158985 _____ () C:\Users\Owner\Downloads\05 mic..ruff.wma
    2015-01-16 12:13 - 2015-01-16 12:13 - 08284750 _____ () C:\Users\Owner\Downloads\10 Track 10.m4a
    2015-01-16 12:13 - 2015-01-16 12:13 - 08284750 _____ () C:\Users\Owner\Desktop\10 Track 10.m4a
    2015-01-16 12:13 - 2015-01-16 12:12 - 08710643 _____ () C:\Users\Owner\Desktop\08 Track 08.m4a
    2015-01-16 12:13 - 2015-01-16 12:12 - 08654135 _____ () C:\Users\Owner\Desktop\06 Track 06.m4a
    2015-01-16 12:13 - 2015-01-16 12:12 - 08463095 _____ () C:\Users\Owner\Desktop\07 Track 07.m4a
    2015-01-16 12:13 - 2015-01-16 12:12 - 08064379 _____ () C:\Users\Owner\Desktop\09 Track 09.m4a
    2015-01-16 12:13 - 2015-01-16 12:11 - 08644945 _____ () C:\Users\Owner\Desktop\04 Track 04.m4a
    2015-01-16 12:13 - 2015-01-16 12:09 - 06653981 _____ () C:\Users\Owner\Desktop\02 Track 02.m4a
    2015-01-16 12:12 - 2015-01-16 12:12 - 08710643 _____ () C:\Users\Owner\Downloads\08 Track 08.m4a
    2015-01-16 12:12 - 2015-01-16 12:12 - 08654135 _____ () C:\Users\Owner\Downloads\06 Track 06.m4a
    2015-01-16 12:12 - 2015-01-16 12:12 - 08463095 _____ () C:\Users\Owner\Downloads\07 Track 07.m4a
    2015-01-16 12:12 - 2015-01-16 12:12 - 08064379 _____ () C:\Users\Owner\Downloads\09 Track 09.m4a
    2015-01-16 12:11 - 2015-01-16 12:11 - 08644945 _____ () C:\Users\Owner\Downloads\04 Track 04.m4a
    2015-01-16 12:09 - 2015-01-16 12:09 - 06653981 _____ () C:\Users\Owner\Downloads\02 Track 02.m4a
    2015-01-16 12:08 - 2015-01-16 12:08 - 04601149 _____ () C:\Users\Owner\Desktop\05 ill keys ft. blend.wma
    2015-01-16 12:08 - 2015-01-16 12:08 - 04272469 _____ () C:\Users\Owner\Desktop\01 off da hook ft d.original.wma
    2015-01-16 12:08 - 2014-12-18 21:43 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
    2015-01-16 12:08 - 2014-12-18 20:34 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
    2015-01-16 12:08 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
    2015-01-16 12:08 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
    2015-01-16 12:08 - 2014-12-11 12:47 - 00046592 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
    2015-01-16 12:08 - 2014-12-05 22:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
    2015-01-15 13:24 - 2015-01-15 13:22 - 35675456 _____ () C:\Users\Owner\Desktop\08 Gangsta Rap.wav

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-01-30 12:23 - 2010-05-28 13:22 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2405337125-3894891454-2728286072-1000UA.job
    2015-01-30 12:05 - 2013-02-24 12:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-01-30 11:52 - 2011-10-09 23:00 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-01-30 11:51 - 2010-05-28 12:16 - 02096154 _____ () C:\Windows\WindowsUpdate.log
    2015-01-30 10:52 - 2011-10-09 23:00 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-01-30 02:23 - 2010-05-28 13:22 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2405337125-3894891454-2728286072-1000Core.job
    2015-01-29 19:32 - 2009-07-13 23:34 - 00022528 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-01-29 19:32 - 2009-07-13 23:34 - 00022528 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-01-29 19:27 - 2014-09-29 21:37 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2015-01-29 19:26 - 2014-10-12 14:19 - 00010975 _____ () C:\Windows\setupact.log
    2015-01-29 19:26 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-01-29 19:11 - 2010-05-28 12:22 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
    2015-01-28 22:56 - 2014-09-04 13:48 - 00001433 _____ () C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
    2015-01-28 22:55 - 2014-10-12 23:33 - 00019276 _____ () C:\Windows\PFRO.log
    2015-01-27 23:26 - 2014-11-07 16:58 - 258957678 _____ () C:\Windows\MEMORY.DMP
    2015-01-27 23:26 - 2013-03-17 11:53 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs
    2015-01-27 23:26 - 2010-06-02 21:55 - 00000000 ____D () C:\Windows\Minidump
    2015-01-27 15:05 - 2013-02-24 12:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
    2015-01-27 15:05 - 2013-02-24 12:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
    2015-01-27 12:42 - 2012-02-16 16:58 - 00000000 ____D () C:\Users\Owner\AppData\Local\CrashDumps
    2015-01-27 10:56 - 2010-05-29 13:17 - 00000000 ____D () C:\Users\Owner\AppData\Local\Apple Computer
    2015-01-27 02:07 - 2010-05-28 12:18 - 00000000 ____D () C:\Users\Owner
    2015-01-26 23:47 - 2014-09-29 21:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2015-01-26 23:47 - 2014-09-29 21:37 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
    2015-01-26 23:47 - 2014-03-14 16:45 - 00001080 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2015-01-26 23:45 - 2010-05-29 12:41 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Digidesign
    2015-01-26 23:38 - 2014-10-09 17:39 - 00000000 ___RD () C:\Users\Owner\Dropbox
    2015-01-26 23:32 - 2012-02-14 15:17 - 00000000 ____D () C:\Users\Owner\Downloads\Windows 7 Ultimate (32 Bit)
    2015-01-26 23:32 - 2011-01-19 14:08 - 00000000 ____D () C:\Users\Owner\Downloads\W138SS
    2015-01-26 23:32 - 2011-01-19 14:08 - 00000000 ____D () C:\Users\Owner\Downloads\__MACOSX
    2015-01-26 23:20 - 2012-02-21 20:34 - 00000000 ____D () C:\Users\Owner\Downloads\Auto-Tune_EFX2_RTAS_PC_v2.0.1d
    2015-01-26 23:18 - 2013-09-01 10:19 - 00000000 ____D () C:\Users\Owner\Desktop\Wav Discovering the Medium Within
    2015-01-26 23:09 - 2013-01-27 13:24 - 00000000 ____D () C:\Users\Owner\Desktop\Videos and Songs
    2015-01-26 22:59 - 2014-03-13 17:40 - 00000000 ____D () C:\Users\Owner\Desktop\The Foundation
    2015-01-26 22:49 - 2014-10-11 15:23 - 00000000 ____D () C:\Users\Owner\Desktop\Pics
    2015-01-26 22:19 - 2013-09-01 09:17 - 00000000 ____D () C:\Users\Owner\Desktop\Mp3 Discovering the Medium Within
    2015-01-26 22:05 - 2014-10-09 17:38 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Dropbox
    2015-01-26 22:00 - 2014-09-28 10:00 - 00000000 ____D () C:\Users\Owner\Desktop\Lil Bibby- Free Crack 2
    2015-01-26 21:59 - 2014-08-27 17:25 - 00000000 ____D () C:\Users\Owner\Desktop\Leezee
    2015-01-26 21:58 - 2014-07-12 14:28 - 00000000 ____D () C:\Users\Owner\Desktop\JULY 11th Utica NY
    2015-01-26 21:50 - 2010-08-04 17:37 - 00000000 ____D () C:\Users\Owner\Desktop\Instrumentals
    2015-01-26 21:23 - 2014-03-13 17:37 - 00000000 ____D () C:\Users\Owner\Desktop\Ding Do 2014
    2015-01-26 21:03 - 2013-05-16 10:05 - 00000000 ____D () C:\Users\Owner\Desktop\Blue Shit 2013
    2015-01-26 20:55 - 2014-03-13 17:44 - 00000000 ____D () C:\Users\Owner\Desktop\BLeNd 2014
    2015-01-26 20:46 - 2013-01-27 11:23 - 00000000 ____D () C:\Users\Owner\Desktop\ALBUMS
    2015-01-26 20:16 - 2013-09-16 23:30 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\SanDisk
    2015-01-26 20:16 - 2013-01-24 19:07 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Product_RM
    2015-01-26 20:16 - 2011-02-28 17:16 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Mozilla
    2015-01-26 20:16 - 2011-02-20 18:05 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Sony
    2015-01-26 20:16 - 2010-05-29 12:36 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\PACE Anti-Piracy
    2015-01-26 20:16 - 2010-05-29 12:34 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Structure
    2015-01-26 20:15 - 2013-03-24 19:13 - 00000000 ____D () C:\Users\Owner\AppData\Local\LogiShrd
    2015-01-26 20:15 - 2012-08-18 20:12 - 00000000 ____D () C:\Users\Owner\AppData\Local\HP
    2015-01-26 20:15 - 2010-05-29 14:58 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Adobe
    2015-01-26 20:15 - 2010-05-29 13:17 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Apple Computer
    2015-01-26 20:15 - 2010-05-28 13:22 - 00000000 ____D () C:\Users\Owner\AppData\Local\Google
    2015-01-26 20:15 - 2010-05-02 21:26 - 00000000 ___HD () C:\Users\Owner\AppData\Local\UTl9VOMd
    2015-01-26 20:14 - 2011-11-09 21:17 - 00000000 ____D () C:\Users\Owner\AppData\Local\Akamai
    2015-01-26 20:14 - 2011-01-19 14:12 - 00000000 ____D () C:\Users\Owner\AppData\Local\Adobe
    2015-01-26 20:14 - 2010-05-29 11:48 - 00000000 ____D () C:\The C.O Dot
    2015-01-26 20:14 - 2009-01-19 17:35 - 00000000 ___HD () C:\Users\Owner\AppData\Local\9SziSh01Q0A
    2015-01-25 13:08 - 2014-07-12 13:30 - 00000000 ____D () C:\ProgramData\Wondershare Video Converter Pro
    2015-01-25 13:08 - 2010-05-29 12:36 - 00000000 ____D () C:\ProgramData\PACE Anti-Piracy
    2015-01-25 13:07 - 2013-03-24 19:10 - 00000000 ____D () C:\ProgramData\LogiShrd
    2015-01-25 13:07 - 2012-02-03 16:59 - 00000000 ____D () C:\ProgramData\Norton
    2015-01-25 13:07 - 2010-05-29 13:16 - 00000000 ____D () C:\ProgramData\Apple Computer
    2015-01-25 13:06 - 2014-03-13 02:20 - 00000000 ____D () C:\ProgramData\82AC
    2015-01-25 13:06 - 2010-07-28 12:45 - 00000000 ____D () C:\PFiles
    2015-01-25 12:58 - 2014-11-09 19:28 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
    2015-01-16 17:23 - 2013-07-12 02:00 - 00000000 ____D () C:\Windows\system32\MRT
    2015-01-16 17:15 - 2010-05-28 12:44 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

    ==================== Files in the root of some directories =======

    2015-01-26 20:16 - 2015-01-26 20:16 - 0008528 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.HTML
    2015-01-26 20:16 - 2015-01-26 20:16 - 0045558 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.PNG
    2015-01-26 20:16 - 2015-01-26 20:16 - 0004204 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.TXT
    2015-01-26 20:16 - 2015-01-26 20:16 - 0000272 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.URL
    2015-01-25 12:57 - 2015-01-25 12:57 - 0000480 ____H () C:\Users\Owner\AppData\Roaming\麽鎒駓覜
    2015-01-26 20:15 - 2015-01-26 20:15 - 0008528 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.HTML
    2015-01-26 20:15 - 2015-01-26 20:15 - 0045558 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.PNG
    2015-01-26 20:15 - 2015-01-26 20:15 - 0004204 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.TXT
    2015-01-26 20:15 - 2015-01-26 20:15 - 0000272 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.URL
    2015-01-25 12:57 - 2015-01-25 12:57 - 0000680 _____ () C:\ProgramData\@system.temp
    2015-01-25 12:58 - 2015-01-25 12:58 - 0000416 ____H () C:\ProgramData\@system3.att
    2015-01-25 13:08 - 2015-01-25 13:08 - 0008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
    2015-01-25 13:08 - 2015-01-25 13:08 - 0045651 _____ () C:\ProgramData\HELP_DECRYPT.PNG
    2015-01-25 13:08 - 2015-01-25 13:08 - 0004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
    2015-01-25 13:08 - 2015-01-25 13:08 - 0000272 _____ () C:\ProgramData\HELP_DECRYPT.URL

    Some content of TEMP:
    ====================
    C:\Users\Owner\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcsefm_.dll
    C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
    C:\Users\Owner\AppData\Local\Temp\sqlite3.dll


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-01-26 09:31

    ==================== End Of Log ============================

    aswMBR log
    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2015-01-30 12:52:56
    -----------------------------
    12:52:56.055 OS Version: Windows 6.1.7601 Service Pack 1
    12:52:56.055 Number of processors: 2 586 0x602
    12:52:56.070 ComputerName: OWNER-PC UserName: Owner
    12:53:01.468 Initialize success
    12:53:01.484 VM: initialized successfully
    12:53:01.484 VM: Amd CPU supported
    12:53:05.699 Disk 0 \Device\Harddisk0\DR0 -> \Device\0000006a
    12:53:05.699 Disk 0 Vendor: SAMSUNG_ ZM10 Size: 152587MB BusType: 3
    12:53:05.699 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\0000006c
    12:53:05.715 Disk 1 Vendor: ST375052 CC44 Size: 715404MB BusType: 3
    12:53:05.808 Disk 1 MBR read successfully
    12:53:05.808 Disk 1 MBR scan
    12:53:05.808 Disk 1 Windows 7 default MBR code
    12:53:05.824 Disk 1 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
    12:53:05.840 Disk 1 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 25167872
    12:53:05.840 Disk 1 default boot code
    12:53:05.840 Disk 1 Partition 3 00 07 HPFS/NTFS NTFS 703014 MB offset 25372672
    12:53:05.855 Disk 1 scanning sectors +1465145344
    12:53:06.167 Disk 1 scanning C:\Windows\system32\drivers
    12:53:15.480 Service scanning
    12:53:32.032 Modules scanning
    12:53:32.032 Disk 1 trace - called modules:
    12:53:32.063 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
    12:53:32.079 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x86b5f7b8]
    12:53:32.079 3 CLASSPNP.SYS[8c5a459e] -> nt!IofCallDriver -> [0x86a89660]
    12:53:32.094 5 ACPI.sys[837733d4] -> nt!IofCallDriver -> \Device\0000006c[0x85b74b10]
    12:53:32.094 Disk 1 statistics 75331/0/0 @ 4.81 MB/s
    12:53:32.110 Scan finished successfully
    12:53:54.839 Disk 1 MBR has been saved successfully to "K:\MBR.dat"
    12:53:54.855 The log file has been saved successfully to "K:\aswMBR.txt"


  2. #2
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Well, I have good news, I have bad news.

    We can remove the infection but, not the damage.
    What files/folders that have been encrypted I cannot fix.

    It's possible some files/folders can be recovered... which ones I can't say.
    If you're interested in trying:

    Recovery with the use of Previous Versions or ShadowExplorer may be possible. File recovery software may also be an option if the infection does not securely delete the original files.

    Previous Versions
    • Right-click the file/folder and click Properties.
    • Click Previous Versions.
    • This tab will list all copies of the file and the date they were backed up.
    • To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
    • If you wish to restore the selected file and replace the existing one, click Restore.
    • If you wish to view the contents of the file before restoring, click Open.

    ShadowExplorer
    • Please download ShadowExplorer and save the file to your Desktop.
    • Right-Click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
    • Right-click ShadowExplorer.exe and select Run as administrator to run the programme.
    • You will see a drop-down menu with the shadow copies of all partitions and disks present.
    • Click C:\ from the drop-down menu.
    • To the right, pick a date prior to the infection from the drop-down menu.
    • To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.

    File Recovery Software
    File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.


    ~~~

    Try the above, then continue with the fix.

    Please download and save the fixlist.txt to your desktop (in your case, running from K:\).
    Save it as fixlist.txt.

    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    (At the bottom of this page 1-30-2015.txt)

    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    Attachment 12001
    Last edited by Juliet; 2015-01-31 at 00:30.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
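    The Previous Versions and ShadowExplorer steps above can also be scripted. The PowerShell below is an added example, not part of the thread, of FRST or of ShadowExplorer: it lists the shadow copies of C:, skips any snapshot taken after the first CryptoWall artifact in the posted FRST log, and copies the newest clean version of one file to a folder on the recovery stick. The file path, cutoff time and output folder are assumptions.

```powershell
# Added example: enumerate shadow copies of the drive and pull the newest
# pre-infection version of one file. Not part of FRST or ShadowExplorer.
# Run from an elevated PowerShell; works on Windows 7 / PowerShell 2.0.
# $File, $Before and $OutDir are assumptions chosen for illustration.
param(
    [string]$File     = 'C:\Users\Owner\Desktop\Pics\example.jpg',  # hypothetical file
    [datetime]$Before = '2015-01-25 12:57',   # earliest CryptoWall artifact in the FRST log
    [string]$OutDir   = 'K:\Recovered'        # hypothetical folder on the clean USB stick
)

$drive  = [System.IO.Path]::GetPathRoot($File).TrimEnd('\')          # "C:"
$volume = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }

# CryptoWall typically runs "vssadmin delete shadows /all /quiet" before
# encrypting, so an empty list is itself a finding: Previous Versions and
# ShadowExplorer cannot help, and only file-recovery software remains.
$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    ForEach-Object {
        $created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
        $_ | Add-Member -MemberType NoteProperty -Name Created -Value $created -PassThru
    } | Sort-Object Created -Descending

if (-not $shadows) { Write-Warning "No shadow copies of $drive survive."; return }

$relative = $File.Substring($drive.Length)      # "\Users\Owner\Desktop\Pics\example.jpg"
foreach ($s in $shadows) {
    if ($s.Created -ge $Before) { continue }    # snapshot taken after encryption began
    # Files inside a shadow copy are reachable only through a directory link to
    # its device object; the trailing backslash on the target is required.
    $link = Join-Path $env:TEMP ('shadow_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relative
        if (Test-Path $candidate) {
            New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
            $dest = Join-Path $OutDir ('{0:yyyyMMdd_HHmm}_{1}' -f $s.Created, (Split-Path $File -Leaf))
            Copy-Item -Path $candidate -Destination $dest
            "Recovered version from shadow copy of $($s.Created): $dest"
            break   # newest clean copy is enough; remove 'break' to export every version
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null     # rmdir on a link removes the link only
    }
}
```

    Copy recovered files to a separate drive rather than back onto C:, since every write to the infected volume reduces what file-recovery software can still find.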

  3. #3
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Due to lack of feedback this topic is closed.