
Thread: CryptoWall 3.0

#1 Junior Member (Join Date Feb 2015, Posts 13)

CryptoWall 3.0

    Help-

I clicked on cab66.org looking for a low-level software programming issue, and got Cryptowalled 3.0 (I can give the full http link if it helps anyone).

    I have attached my FRST.txt and Addition.txt files.

    I have not taken any steps to remove this. I understand that I will not be able to decrypt files -- I have enough backups and just need the machine usable again.

    Please let me know if you can help. Thanks.

    -Jeff

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-02-2015
    Ran by Administrator (administrator) on CORONA-1D800B03 on 05-02-2015 17:12:13
    Running from C:\Documents and Settings\Administrator\Desktop
    Loaded Profiles: Administrator (Available profiles: jshen & Administrator)
    Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
    Internet Explorer Version 8 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    (Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
    (Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [802816 2006-08-02] (Intel Corporation)
    HKLM\...\Run: [IntelWireless] => C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [696320 2006-08-02] (Intel Corporation)
    HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [169984 2008-04-13] (Microsoft Corporation)
    HKU\S-1-5-21-2000478354-261478967-1417001333-500\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
    Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
    Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
    Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
    InternetURL: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torpaysolutions.com/3LUQR8

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\S-1-5-21-2000478354-261478967-1417001333-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    SearchScopes: HKLM -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
    SearchScopes: HKU\S-1-5-21-2000478354-261478967-1417001333-500 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://mavenir1.webex.com/client/WB...ex/ieatgpc.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{AEBBF856-C9FB-422B-998A-EB650D1356E2}: [NameServer] 8.8.8.8

    FireFox:
    ========
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [434176 2006-08-02] (Intel Corporation) [File not signed]
    S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [647680 2014-02-18] (Macrovision Europe Ltd.) [File not signed]
    R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [327680 2006-08-02] (Intel Corporation) [File not signed]
    R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [937984 2006-08-02] (Intel Corporation ) [File not signed]
    S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21419 2014-02-10] (Meetinghouse Data Communications) [File not signed]
    R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2317504 2005-04-19] (Realtek Semiconductor Corp.)
    R2 bh560eth; C:\WINDOWS\System32\Drivers\bh560eth.sys [97776 2010-11-17] (Blackhawk)
    S3 bhdtcusb; C:\WINDOWS\System32\Drivers\bh560v2u.sys [27280 2013-02-27] (Blackhawk)
    S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
    R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [12544 2006-08-02] (Intel Corporation) [File not signed]
    R2 sdiont; C:\WINDOWS\system32\drivers\sdiont.sys [4576 1999-05-24] (Spectrum Digital Inc.) [File not signed]
    R3 w29n51; C:\WINDOWS\System32\DRIVERS\w29n51.sys [2206720 2006-06-29] (Intel® Corporation)
    R3 XDS560; C:\WINDOWS\System32\DRIVERS\xds560.sys [25768 2013-08-20] (Blackhawk)
    R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [299424 2012-03-27] (Marvell)
    S0 cerc6; No ImagePath
    S3 DisplayLinkFilter; system32\DRIVERS\DisplayLinkFilter.sys [X]
    S3 DisplayLinkUsbIo; system32\DRIVERS\DisplayLinkUsbIo_7.5.52277.0.sys [X]
    S3 dlusbaudio; system32\DRIVERS\dlusbaudio.sys [X]
    U1 WS2IFSL; No ImagePath

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-05 17:12 - 2015-02-05 17:12 - 00006399 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
    2015-02-05 17:11 - 2015-02-05 17:12 - 00000000 ____D () C:\FRST
    2015-02-05 17:11 - 2015-02-05 17:11 - 01123328 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
    2015-02-05 16:22 - 2015-02-05 16:22 - 00008632 _____ () C:\HELP_DECRYPT.HTML
    2015-02-05 16:22 - 2015-02-05 16:22 - 00004256 _____ () C:\HELP_DECRYPT.TXT
    2015-02-05 16:22 - 2015-02-05 16:22 - 00000300 _____ () C:\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
    2015-02-05 15:49 - 2015-02-05 15:49 - 00008632 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
    2015-02-05 15:49 - 2015-02-05 15:49 - 00004256 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
    2015-02-05 15:49 - 2015-02-05 15:49 - 00000300 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
    2015-01-20 23:36 - 2015-01-20 23:36 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\20150120-UAG5.2 transcoding debug session(2078055261)

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-05 17:12 - 2014-02-07 20:26 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
    2015-02-05 17:10 - 2014-02-18 13:18 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Skype
    2015-02-05 16:48 - 2014-07-04 13:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\ATCA
    2015-02-05 16:38 - 2014-02-18 13:18 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
    2015-02-05 16:23 - 2014-07-06 11:13 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Corporate
    2015-02-05 16:22 - 2014-02-18 15:10 - 00000000 ____D () C:\ti
    2015-02-05 16:00 - 2014-11-29 10:55 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Sig Documentation
    2015-02-05 16:00 - 2014-08-02 09:48 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Textron
    2015-02-05 16:00 - 2014-06-15 10:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Texas Inst
    2015-02-05 16:00 - 2014-06-13 17:23 - 00000000 ____D () C:\Documents and Settings\Administrator\workspace_v5_5
    2015-02-05 16:00 - 2014-02-18 13:59 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\.TI
    2015-02-05 16:00 - 2014-02-18 13:18 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Skype
    2015-02-05 16:00 - 2014-02-07 20:26 - 00000000 ____D () C:\Documents and Settings\Administrator
    2015-02-05 15:59 - 2014-07-14 10:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\NetVM
    2015-02-05 15:59 - 2014-06-08 15:42 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\RDRTec
    2015-02-05 15:59 - 2014-04-24 23:55 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\NSF
    2015-02-05 15:58 - 2014-05-24 08:54 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Marketing
    2015-02-05 15:58 - 2014-02-25 17:59 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Mavenir Lab
    2015-02-05 15:57 - 2014-02-18 13:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\L-3 Mustang Lab
    2015-02-05 15:55 - 2014-10-18 23:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\DARPA
    2015-02-05 15:55 - 2014-09-10 09:58 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Gazoo
    2015-02-05 15:55 - 2014-07-02 14:13 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\L-3
    2015-02-05 15:55 - 2014-03-26 13:20 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\CIM
    2015-02-05 15:55 - 2014-03-05 14:08 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Jeff Personal
    2015-02-05 15:55 - 2014-02-27 17:16 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Job Applicants
    2015-02-05 15:51 - 2014-07-23 15:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Advantech
    2015-02-05 15:51 - 2014-02-25 18:02 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Boeing
    2015-02-05 15:49 - 2014-04-27 10:40 - 00000000 ____D () C:\Audio.temp
    2015-02-05 15:49 - 2014-02-18 16:07 - 00000000 ____D () C:\Documents and Settings\Administrator\.TI-trace
    2015-02-05 15:49 - 2014-02-18 13:00 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Adobe
    2015-02-05 15:49 - 2012-06-25 10:42 - 00000000 ____D () C:\DELL
    2015-02-05 15:47 - 2012-06-25 10:41 - 01873338 _____ () C:\WINDOWS\WindowsUpdate.log
    2015-02-05 13:57 - 2014-03-24 10:19 - 00000238 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
    2015-02-05 13:57 - 2012-06-25 22:33 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2015-02-05 13:57 - 2008-04-13 17:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
    2015-02-05 12:51 - 2014-02-07 20:26 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
    2015-02-05 12:51 - 2012-06-25 22:33 - 00032554 _____ () C:\WINDOWS\SchedLgU.Txt
    2015-02-05 11:04 - 2014-05-17 22:43 - 00000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd
    2015-02-04 21:52 - 2012-06-24 19:51 - 00450392 _____ () C:\WINDOWS\setupapi.log
    2015-02-01 23:02 - 2014-03-02 14:36 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\CutePDF Writer

    ==================== Files in the root of some directories =======

    2015-02-05 15:49 - 2015-02-05 15:49 - 0008632 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
    2015-02-05 15:49 - 2015-02-05 15:49 - 0000131 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.PNG
    2015-02-05 15:49 - 2015-02-05 15:49 - 0004256 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
    2015-02-05 15:49 - 2015-02-05 15:49 - 0000300 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
    2014-05-17 22:43 - 2015-02-05 11:04 - 0000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd
    2015-02-05 16:00 - 2015-02-05 16:00 - 0008632 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 0000131 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.PNG
    2015-02-05 16:00 - 2015-02-05 16:00 - 0004256 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 0000300 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 0008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 0000131 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
    2015-02-05 16:00 - 2015-02-05 16:00 - 0004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 0000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL

    Some content of TEMP:
    ====================
    C:\Documents and Settings\Administrator\Local Settings\Temp\converter.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext1412139716394125397.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext1894285026724559924.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext37290307915708640.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext4646817356197714655.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext7421327649996926586.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsf3F.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsf5E.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsr1F.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2E.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\nss43.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsu1B.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsv5A.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsx67.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\SCC.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\SkypeSetup.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\SymCCIS.dll


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End Of Log ============================
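As an added triage example for this thread (not part of FRST, Rkill or the original post): the script below parses a constructed sample in FRST's created-files and "Startup:" line formats, groups the HELP_DECRYPT.* notes by directory and reports the window in which they were written, which is what a responder reads off a log like the one above first. The note file names and line format are taken from the log; the function names and the sample lines are assumptions.

```python
"""Triage an FRST log for the ransom-note drop pattern seen in this thread.

Added example (not FRST's own code): parses the "One Month Created Files and
Folders" section and "Startup:" lines, groups HELP_DECRYPT.* notes by
directory and reports when they were written. SAMPLE_FRST is constructed.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Ransom-note file names CryptoWall 3.0 dropped on the machine in this thread.
RANSOM_NOTE_NAMES = {"HELP_DECRYPT.HTML", "HELP_DECRYPT.TXT",
                     "HELP_DECRYPT.URL", "HELP_DECRYPT.PNG"}

# FRST entry: created - modified - size attrs (company) path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) (\S+) \((.*?)\) (.+)$")
STARTUP_RE = re.compile(r"^Startup: (.+?) \((.*?)\)$")
SECTION_RE = re.compile(r"^=+ (.+?) =+$")

# Constructed sample in FRST's format (a few lines, not the full log above).
SAMPLE_FRST = r"""==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [169984 2008-04-13] (Microsoft Corporation)
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()

==================== One Month Created Files and Folders ========

2015-02-05 17:12 - 2015-02-05 17:12 - 00006399 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-02-05 16:22 - 2015-02-05 16:22 - 00008632 _____ () C:\HELP_DECRYPT.HTML
2015-02-05 16:22 - 2015-02-05 16:22 - 00004256 _____ () C:\HELP_DECRYPT.TXT
2015-02-05 16:22 - 2015-02-05 16:22 - 00000300 _____ () C:\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2015-02-05 15:49 - 2015-02-05 15:49 - 00008632 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
2015-01-20 23:36 - 2015-01-20 23:36 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\debug session

==================== One Month Modified Files and Folders =======
"""


def parse_created_entries(text):
    """Entries from the 'One Month Created Files and Folders' section only."""
    entries, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:  # every section header resets which section we are in
            in_section = sec.group(1).startswith("One Month Created Files")
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            entries.append({
                "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                "size": int(m.group(3)),
                "is_dir": "D" in m.group(4),
                "path": m.group(6),
            })
    return entries


def ransom_notes_by_dir(entries):
    """Map directory -> sorted note names, one key per directory that got notes."""
    by_dir = defaultdict(set)
    for e in entries:
        name = ntpath.basename(e["path"]).upper()
        if not e["is_dir"] and name in RANSOM_NOTE_NAMES:
            by_dir[ntpath.dirname(e["path"])].add(name)
    return {d: sorted(names) for d, names in by_dir.items()}


def drop_window(entries):
    """(first, last) creation time of any ransom note, or None if none found."""
    times = [e["created"] for e in entries
             if ntpath.basename(e["path"]).upper() in RANSOM_NOTE_NAMES]
    return (min(times), max(times)) if times else None


def startup_notes(text):
    """Startup-folder entries that re-open a ransom note at every logon."""
    hits = []
    for line in text.splitlines():
        m = STARTUP_RE.match(line.strip())
        if m and ntpath.basename(m.group(1)).upper() in RANSOM_NOTE_NAMES:
            hits.append(m.group(1))
    return hits


def triage(text):
    """Summary a responder wants first: how wide, when, and what persists."""
    entries = parse_created_entries(text)
    notes = ransom_notes_by_dir(entries)
    window = drop_window(entries)
    out = [f"ransom notes dropped in {len(notes)} directories"]
    if window:
        out.append(f"drop window {window[0]:%Y-%m-%d %H:%M} .. {window[1]:%H:%M}")
    for path in startup_notes(text):
        out.append(f"note re-opened at logon: {path}")
    for d in sorted(notes):
        out.append(f"  {d}: {', '.join(notes[d])}")
    return "\n".join(out)


if __name__ == "__main__":
    print(triage(SAMPLE_FRST))
```

Run against a real FRST.txt, the drop window brackets the period in which the "Modified Files and Folders" section shows whole document trees being touched, and the Startup hits are the entries that must go before the machine is handed back.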

#2 Dakeyras, Security Expert-Emeritus (Join Date Sep 2008, Location The Tundra, Posts 1,173)

    Hi and welcome to Safer Networking.

    I have not taken any steps to remove this. I understand that I will not be able to decrypt files -- I have enough backups and just need the machine usable again.
    Acknowledged.

    Please let me know if you can help.
Aye, we may be able to eradicate the malware; if you are not aware, support has been withdrawn for the XP Operating System. The below topic is worth bookmarking for future reference:-

    Windows XP - The Elephant In The Room

Also, no need to attach any logs I request; merely post them, please. Anyway, let's proceed as follows, shall we...

    Download/run Rkill:

    (If one fails to work delete it and download/try another):

One, Two, Three, Four or Five

    • Double click on Rkill.
    • A command window will open then disappear upon completion, this is normal.
• Post the log created, found on the desktop as rkill.txt, in your next reply.

    Note: If your security software warns about Rkill, please ignore and allow the download to continue.

    Malwarebytes Anti-Malware:

    Please download the installer for Malwarebytes' Anti-Malware to your desktop.

• Double-click on mbam-setup-2.0.2.1012.exe, then follow the prompts to install the program.
• Select the language and click OK >> Accept the agreement.
• Deselect the check-mark next to Enable the Free Trial (you may enable this when I give the all clear if you so wish) and then ensure Launch Malwarebytes' Anti-Malware is selected, then click on Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Scan Now".
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click on Quarantine All
• When disinfection is completed, a dialogue will open and you may be prompted to Restart. (See Extra Note)
    • Upon restart, launch Malwarebytes Antimalware and select History >> Application Logs.
    • Double click on the last scan done, then on Copy to Clipboard.
    • To submit your reply, click on Add Reply, then right click on the window and select Paste.
    • Submit your reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Next:

When you have completed the above, please post back the following in the order asked for:

• How is your computer performing now, any further symptoms and/or problems encountered?
    • Rkill Log.
    • Malwarebytes Anti-Malware Log.
Last edited by Dakeyras; 2015-02-06 at 10:08. Reason: Formatting.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

#3 Junior Member (Join Date Feb 2015, Posts 13)

    Dakeyras-

Thanks for your reply. Unfortunately Rkill and MBAM cannot find any sign of CryptoWall 3.0 (see logs below). I've been doing a lot of reading today (as you can imagine with all my files encrypted and the clock ticking on my $500 ransom) and it seems that 3.0 was "found" about 2 weeks ago and no removal tool can deal with it yet. I noticed some threads using the FRST logs, which is why I initially posted those; maybe they're not helpful either.

Edit: Link to FAQ on why users post those logs: http://forums.spybot.info/showthread.php?t=288 ;-)

    -Jeff

    Rkill 2.7.0 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2015 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 02/06/2015 03:46:26 AM in x86 mode.
    Windows Version: Microsoft Windows XP Service Pack 3

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * System Restore Disabled

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = dword:00000001

    * Windows Firewall Disabled

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

    Checking Windows Service Integrity:

    * Security Center (wscsvc) is not Running.
    Startup Type set to: Disabled

    * Automatic Updates (wuauserv) is not Running.
    Startup Type set to: Disabled

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 localhost

    Program finished at: 02/06/2015 03:47:09 AM
    Execution time: 0 hours(s), 0 minute(s), and 43 seconds(s)


    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 2/6/2015
    Scan Time: 3:53:08 AM
    Logfile: mbamlog.txt
    Administrator: Yes

    Version: 2.00.4.1028
    Malware Database: v2015.02.06.03
    Rootkit Database: v2015.02.03.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows XP Service Pack 3
    CPU: x86
    File System: NTFS
    User: Administrator

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 302164
    Time Elapsed: 20 min, 24 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 3
    PUP.Optional.SearchProtect.A, HKU\S-1-5-21-2000478354-261478967-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, , [f7446eade2a8aa8c0041ef10d929ef11],
    PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, , [f7446eade2a8aa8c0041ef10d929ef11],
    PUP.Optional.InstallBrain.A, HKLM\SOFTWARE\InstallIQ, , [2813918af39750e6b5d7428533d0cd33],

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 4
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy, , [d368a37897f38bab67315bf1699a8e72],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\87AFE908F1594B70AD09C0F5AC38262B, , [d368a37897f38bab67315bf1699a8e72],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\9DEC804EC3F14D7DA793CFEF8625A529, , [d368a37897f38bab67315bf1699a8e72],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\C711437139784D7999B3A46D453564C5, , [d368a37897f38bab67315bf1699a8e72],

    Files: 19
    PUP.Optional.Conduit.A, C:\Documents and Settings\Administrator\Application Data\OpenCandy\9DEC804EC3F14D7DA793CFEF8625A529\sp-downloader.exe, , [97a4dc3f7c0ee35381135be719e87987],
    PUP.Optional.OpenCandy, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc13.exe, , [66d5e338e8a260d6caa50adb4bb72ad6],
    PUP.Optional.OpenCandy, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc14.exe, , [f4477f9c32586dc93639cf16ad5511ef],
    PUP.Optional.OpenCandy, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc15.exe, , [b18a5dbe68221b1b5e119d48a65c847c],
    PUP.Optional.ClientConnect, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc16.exe, , [9c9fe338f892e2544d6bc50024dd49b7],
    PUP.Optional.OpenCandy, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc17.exe, , [de5dbc5fc4c658de452a27be2fd36d93],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsf3F.exe, , [fa4135e6b9d182b49fc527287d841be5],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsf5E.exe, , [ea5177a4a0ea88ae94d0b19eb0515ba5],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsr1F.exe, , [ef4ccd4efb8f181e7ee61936a75aa060],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2E.exe, , [2e0d77a4e6a4ce686bf970df07fa3dc3],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nss43.exe, , [9c9fc9527812072ff86cbc936b967987],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsu1B.exe, , [7bc071aa12789b9b125248070df436ca],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsv5A.exe, , [f942c457c7c3989e521266e97f82fa06],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsx67.exe, , [7ebdc15a7b0f38fe263e90bf7091be42],
    PUP.Optional.Conduit.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nse55\SpSetup.exe, , [cd6e1cffe7a304321a3e053fae531ae6],
    PUP.Optional.Conduit.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsj3A\SpSetup.exe, , [c576a8734149ab8b66f291b3e51ceb15],
    PUP.Optional.Conduit.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsv13\SpSetup.exe, , [80bb29f242484ee878e083c1b948c739],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\87AFE908F1594B70AD09C0F5AC38262B\bundlore_sp.exe, , [d368a37897f38bab67315bf1699a8e72],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\C711437139784D7999B3A46D453564C5\bundlore_sp.exe, , [d368a37897f38bab67315bf1699a8e72],

    Physical Sectors: 0
    (No malicious items detected)


    (end)
    Last edited by tashi; 2015-02-06 at 15:43. Reason: Added link as FYI. :-D

#4 Dakeyras, Security Expert-Emeritus (Join Date Sep 2008, Location The Tundra, Posts 1,173)

    Hi.

    Thanks for your reply.
    You're welcome!

I noticed some threads using the FRST logs, which is why I initially posted those; maybe they're not helpful either.
We can indeed make use of FRST. Now you need to rescan with MBAM and have it remove all those PUPs it detected (and in turn post the new log), then proceed to the below please...

    Re-scan with Farbar Recovery Scan Tool:

    • Double-click on FRST.exe to start FRST.
• After the tool has checked for any updates and "The tool is ready to use" is denoted:
    • Under Optional Scan ensure both Drivers MD5 and Addition.txt are selected.
    • Now click on the Scan button/radio tab >> at the Scan completed prompt click on OK
    • At the next prompt denoting Addition.txt is saved in the same location FRST tool is run >> click on OK
    • There will now be two logs on your desktop, Addition.txt and FRST.txt. Post the contents of both in your next reply.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  5. #5
    Junior Member
    Join Date
    Feb 2015
    Posts
    13

    Default

    Dakeyras-

    Below is the next MBAM log (all items quarantined). It asked me to restart, but I was scared to do that yet. I am running the FRST re-scan now, per your instructions. Thanks.

    -Jeff


    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 2/6/2015
    Scan Time: 3:53:08 AM
    Logfile: mbamlog2.txt
    Administrator: Yes

    Version: 2.00.4.1028
    Malware Database: v2015.02.06.03
    Rootkit Database: v2015.02.03.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows XP Service Pack 3
    CPU: x86
    File System: NTFS
    User: Administrator

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 302164
    Time Elapsed: 20 min, 24 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 3
    PUP.Optional.SearchProtect.A, HKU\S-1-5-21-2000478354-261478967-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, Quarantined, [f7446eade2a8aa8c0041ef10d929ef11],
    PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, Quarantined, [f7446eade2a8aa8c0041ef10d929ef11],
    PUP.Optional.InstallBrain.A, HKLM\SOFTWARE\InstallIQ, Quarantined, [2813918af39750e6b5d7428533d0cd33],

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 4
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy, Quarantined, [d368a37897f38bab67315bf1699a8e72],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\87AFE908F1594B70AD09C0F5AC38262B, Quarantined, [d368a37897f38bab67315bf1699a8e72],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\9DEC804EC3F14D7DA793CFEF8625A529, Quarantined, [d368a37897f38bab67315bf1699a8e72],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\C711437139784D7999B3A46D453564C5, Quarantined, [d368a37897f38bab67315bf1699a8e72],

    Files: 19
    PUP.Optional.Conduit.A, C:\Documents and Settings\Administrator\Application Data\OpenCandy\9DEC804EC3F14D7DA793CFEF8625A529\sp-downloader.exe, Quarantined, [97a4dc3f7c0ee35381135be719e87987],
    PUP.Optional.OpenCandy, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc13.exe, Quarantined, [66d5e338e8a260d6caa50adb4bb72ad6],
    PUP.Optional.OpenCandy, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc14.exe, Quarantined, [f4477f9c32586dc93639cf16ad5511ef],
    PUP.Optional.OpenCandy, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc15.exe, Quarantined, [b18a5dbe68221b1b5e119d48a65c847c],
    PUP.Optional.ClientConnect, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc16.exe, Quarantined, [9c9fe338f892e2544d6bc50024dd49b7],
    PUP.Optional.OpenCandy, C:\RECYCLER\S-1-5-21-2000478354-261478967-1417001333-500\Dc17.exe, Quarantined, [de5dbc5fc4c658de452a27be2fd36d93],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsf3F.exe, Quarantined, [fa4135e6b9d182b49fc527287d841be5],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsf5E.exe, Quarantined, [ea5177a4a0ea88ae94d0b19eb0515ba5],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsr1F.exe, Quarantined, [ef4ccd4efb8f181e7ee61936a75aa060],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2E.exe, Quarantined, [2e0d77a4e6a4ce686bf970df07fa3dc3],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nss43.exe, Quarantined, [9c9fc9527812072ff86cbc936b967987],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsu1B.exe, Quarantined, [7bc071aa12789b9b125248070df436ca],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsv5A.exe, Quarantined, [f942c457c7c3989e521266e97f82fa06],
    PUP.Optional.SearchProtect.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsx67.exe, Quarantined, [7ebdc15a7b0f38fe263e90bf7091be42],
    PUP.Optional.Conduit.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nse55\SpSetup.exe, Quarantined, [cd6e1cffe7a304321a3e053fae531ae6],
    PUP.Optional.Conduit.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsj3A\SpSetup.exe, Quarantined, [c576a8734149ab8b66f291b3e51ceb15],
    PUP.Optional.Conduit.A, C:\Documents and Settings\Administrator\Local Settings\Temp\nsv13\SpSetup.exe, Quarantined, [80bb29f242484ee878e083c1b948c739],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\87AFE908F1594B70AD09C0F5AC38262B\bundlore_sp.exe, Quarantined, [d368a37897f38bab67315bf1699a8e72],
    PUP.Optional.OpenCandy, C:\Documents and Settings\Administrator\Application Data\OpenCandy\C711437139784D7999B3A46D453564C5\bundlore_sp.exe, Quarantined, [d368a37897f38bab67315bf1699a8e72],

    Physical Sectors: 0
    (No malicious items detected)


    (end)

  6. #6
    Junior Member
    Join Date
    Feb 2015
    Posts
    13

    Default

    Dakeyras-

    Here are the new FRST logs.

    -Jeff

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-02-2015
    Ran by Administrator (administrator) on CORONA-1D800B03 on 06-02-2015 08:16:18
    Running from C:\Documents and Settings\Administrator\Desktop
    Loaded Profiles: Administrator (Available profiles: jshen & Administrator)
    Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
    Internet Explorer Version 8 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
    (Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
    (Intel Corporation) C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [802816 2006-08-02] (Intel Corporation)
    HKLM\...\Run: [IntelWireless] => C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [696320 2006-08-02] (Intel Corporation)
    HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [169984 2008-04-13] (Microsoft Corporation)
    HKLM\...\Run: [SpyHunter Security Suite] => C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [6463360 2015-02-05] (Enigma Software Group USA, LLC.)
    HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-11-21] (Malwarebytes Corporation)
    HKU\S-1-5-21-2000478354-261478967-1417001333-500\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
    Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
    Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
    Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
    InternetURL: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torpaysolutions.com/3LUQR8

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\S-1-5-21-2000478354-261478967-1417001333-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://mavenir1.webex.com/client/WB...ex/ieatgpc.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [434176 2006-08-02] (Intel Corporation) [File not signed]
    S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [647680 2014-02-18] (Macrovision Europe Ltd.) [File not signed]
    R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [327680 2006-08-02] (Intel Corporation) [File not signed]
    S2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [937984 2006-08-02] (Intel Corporation ) [File not signed]
    S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [770944 2015-02-05] (Enigma Software Group USA, LLC.)
    S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21419 2014-02-10] (Meetinghouse Data Communications) [File not signed]
    R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2317504 2005-04-19] (Realtek Semiconductor Corp.)
    R2 bh560eth; C:\WINDOWS\System32\Drivers\bh560eth.sys [97776 2010-11-17] (Blackhawk)
    S3 bhdtcusb; C:\WINDOWS\System32\Drivers\bh560v2u.sys [27280 2013-02-27] (Blackhawk)
    R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2015-02-05] (Enigma Software Group USA, LLC.)
    S3 EsgScanner; C:\WINDOWS\System32\DRIVERS\EsgScanner.sys [19984 2015-02-05] ()
    R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [114904 2015-02-06] (Malwarebytes Corporation)
    S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
    R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [12544 2006-08-02] (Intel Corporation) [File not signed]
    R2 sdiont; C:\WINDOWS\system32\drivers\sdiont.sys [4576 1999-05-24] (Spectrum Digital Inc.) [File not signed]
    U0 tmgagl; C:\WINDOWS\System32\drivers\rcom.sys [52440 2015-02-06] (Malwarebytes Corporation)
    R3 w29n51; C:\WINDOWS\System32\DRIVERS\w29n51.sys [2206720 2006-06-29] (Intel® Corporation)
    R3 XDS560; C:\WINDOWS\System32\DRIVERS\xds560.sys [25768 2013-08-20] (Blackhawk)
    R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [299424 2012-03-27] (Marvell)
    S0 cerc6; No ImagePath
    S3 DisplayLinkFilter; system32\DRIVERS\DisplayLinkFilter.sys [X]
    S3 DisplayLinkUsbIo; system32\DRIVERS\DisplayLinkUsbIo_7.5.52277.0.sys [X]
    S3 dlusbaudio; system32\DRIVERS\dlusbaudio.sys [X]
    U1 WS2IFSL; No ImagePath

    ========================== Drivers MD5 =======================


    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-06 08:16 - 2015-02-06 08:16 - 00016730 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
    2015-02-06 07:59 - 2015-02-06 07:59 - 00052440 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\rcom.sys
    2015-02-06 03:50 - 2015-02-06 03:53 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2015-02-06 03:50 - 2015-02-06 03:52 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2015-02-06 03:50 - 2015-02-06 03:52 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
    2015-02-06 03:50 - 2015-02-06 03:52 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
    2015-02-06 03:50 - 2015-02-06 03:50 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2015-02-06 03:50 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
    2015-02-06 03:50 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
    2015-02-06 03:49 - 2015-02-06 03:49 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\Administrator\Desktop\mbam-setup-2.0.2.1012.exe
    2015-02-06 03:46 - 2015-02-06 03:47 - 00002972 _____ () C:\Documents and Settings\Administrator\Desktop\Rkill.txt
    2015-02-06 03:45 - 2015-02-06 03:46 - 01943800 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Administrator\Desktop\rkill.exe
    2015-02-05 17:56 - 2015-02-05 17:56 - 00000935 _____ () C:\Documents and Settings\Administrator\Desktop\SpyHunter.lnk
    2015-02-05 17:56 - 2015-02-05 17:56 - 00000000 ____D () C:\Documents and Settings\Administrator\Start Menu\Programs\SpyHunter
    2015-02-05 17:56 - 2015-02-05 17:56 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Enigma Software Group
    2015-02-05 17:55 - 2015-02-05 17:56 - 00000000 ____D () C:\sh4ldr
    2015-02-05 17:53 - 2015-02-05 17:53 - 00019984 _____ () C:\WINDOWS\system32\Drivers\EsgScanner.sys
    2015-02-05 17:53 - 2015-02-05 17:53 - 00000000 ____D () C:\WINDOWS\LastGood
    2015-02-05 17:52 - 2015-02-05 17:52 - 00000000 ____D () C:\Program Files\Enigma Software Group
    2015-02-05 17:51 - 2015-02-05 17:51 - 03044736 _____ (Enigma Software Group USA, LLC.) C:\Documents and Settings\Administrator\Desktop\SpyHunter-Installer.exe
    2015-02-05 17:13 - 2015-02-05 17:13 - 00022480 _____ () C:\Documents and Settings\Administrator\Desktop\Addition_1.txt
    2015-02-05 17:12 - 2015-02-05 17:13 - 00019613 _____ () C:\Documents and Settings\Administrator\Desktop\FRST_1.txt
    2015-02-05 17:11 - 2015-02-06 08:16 - 00000000 ____D () C:\FRST
    2015-02-05 17:11 - 2015-02-05 17:11 - 01123328 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
    2015-02-05 16:22 - 2015-02-05 16:22 - 00008632 _____ () C:\HELP_DECRYPT.HTML
    2015-02-05 16:22 - 2015-02-05 16:22 - 00004256 _____ () C:\HELP_DECRYPT.TXT
    2015-02-05 16:22 - 2015-02-05 16:22 - 00000300 _____ () C:\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
    2015-02-05 15:49 - 2015-02-05 15:49 - 00008632 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
    2015-02-05 15:49 - 2015-02-05 15:49 - 00004256 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
    2015-02-05 15:49 - 2015-02-05 15:49 - 00000300 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
    2015-01-20 23:36 - 2015-01-20 23:36 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\20150120-UAG5.2 transcoding debug session(2078055261)

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-06 08:16 - 2014-02-07 20:26 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
    2015-02-06 08:15 - 2014-02-18 13:18 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Skype
    2015-02-06 07:59 - 2012-06-24 19:42 - 00000000 ____D () C:\WINDOWS\twain_32
    2015-02-06 02:58 - 2012-06-24 19:54 - 00000159 _____ () C:\WINDOWS\wiadebug.log
    2015-02-06 02:58 - 2012-06-24 19:54 - 00000048 _____ () C:\WINDOWS\wiaservc.log
    2015-02-05 18:27 - 2012-06-25 10:42 - 00001607 _____ () C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
    2015-02-05 18:27 - 2012-06-25 10:42 - 00001599 _____ () C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk
    2015-02-05 18:27 - 2012-06-25 10:42 - 00001507 _____ () C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk
    2015-02-05 18:26 - 2014-02-07 20:26 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
    2015-02-05 18:25 - 2014-09-10 09:58 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Gazoo
    2015-02-05 17:53 - 2012-06-24 19:51 - 00451428 _____ () C:\WINDOWS\setupapi.log
    2015-02-05 16:48 - 2014-07-04 13:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\ATCA
    2015-02-05 16:38 - 2014-02-18 13:18 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
    2015-02-05 16:23 - 2014-07-06 11:13 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Corporate
    2015-02-05 16:22 - 2014-02-18 15:10 - 00000000 ____D () C:\ti
    2015-02-05 16:00 - 2014-11-29 10:55 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Sig Documentation
    2015-02-05 16:00 - 2014-08-02 09:48 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Textron
    2015-02-05 16:00 - 2014-06-15 10:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Texas Inst
    2015-02-05 16:00 - 2014-06-13 17:23 - 00000000 ____D () C:\Documents and Settings\Administrator\workspace_v5_5
    2015-02-05 16:00 - 2014-02-18 13:59 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\.TI
    2015-02-05 16:00 - 2014-02-18 13:18 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Skype
    2015-02-05 16:00 - 2014-02-07 20:26 - 00000000 ____D () C:\Documents and Settings\Administrator
    2015-02-05 15:59 - 2014-07-14 10:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\NetVM
    2015-02-05 15:59 - 2014-06-08 15:42 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\RDRTec
    2015-02-05 15:59 - 2014-04-24 23:55 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\NSF
    2015-02-05 15:58 - 2014-05-24 08:54 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Marketing
    2015-02-05 15:58 - 2014-02-25 17:59 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Mavenir Lab
    2015-02-05 15:57 - 2014-02-18 13:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\L-3 Mustang Lab
    2015-02-05 15:55 - 2014-10-18 23:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\DARPA
    2015-02-05 15:55 - 2014-07-02 14:13 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\L-3
    2015-02-05 15:55 - 2014-03-26 13:20 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\CIM
    2015-02-05 15:55 - 2014-03-05 14:08 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Jeff Personal
    2015-02-05 15:55 - 2014-02-27 17:16 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Job Applicants
    2015-02-05 15:51 - 2014-07-23 15:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Advantech
    2015-02-05 15:51 - 2014-02-25 18:02 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Boeing
    2015-02-05 15:49 - 2014-04-27 10:40 - 00000000 ____D () C:\Audio.temp
    2015-02-05 15:49 - 2014-02-18 16:07 - 00000000 ____D () C:\Documents and Settings\Administrator\.TI-trace
    2015-02-05 15:49 - 2014-02-18 13:00 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Adobe
    2015-02-05 15:49 - 2012-06-25 10:42 - 00000000 ____D () C:\DELL
    2015-02-05 15:47 - 2012-06-25 10:41 - 01873338 _____ () C:\WINDOWS\WindowsUpdate.log
    2015-02-05 13:57 - 2014-03-24 10:19 - 00000238 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
    2015-02-05 13:57 - 2012-06-25 22:33 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2015-02-05 13:57 - 2008-04-13 17:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
    2015-02-05 12:51 - 2014-02-07 20:26 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
    2015-02-05 12:51 - 2012-06-25 22:33 - 00032554 _____ () C:\WINDOWS\SchedLgU.Txt
    2015-02-05 11:04 - 2014-05-17 22:43 - 00000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd
    2015-02-01 23:02 - 2014-03-02 14:36 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\CutePDF Writer

    ==================== Files in the root of some directories =======

    2015-02-05 15:49 - 2015-02-05 15:49 - 0008632 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
    2015-02-05 15:49 - 2015-02-05 15:49 - 0000131 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.PNG
    2015-02-05 15:49 - 2015-02-05 15:49 - 0004256 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
    2015-02-05 15:49 - 2015-02-05 15:49 - 0000300 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
    2014-05-17 22:43 - 2015-02-05 11:04 - 0000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd
    2015-02-05 16:00 - 2015-02-05 16:00 - 0008632 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 0000131 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.PNG
    2015-02-05 16:00 - 2015-02-05 16:00 - 0004256 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 0000300 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-02-05 16:00 - 2015-02-05 16:00 - 0008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
    2015-02-05 16:00 - 2015-02-05 16:00 - 0000131 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
    2015-02-05 16:00 - 2015-02-05 16:00 - 0004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
    2015-02-05 16:00 - 2015-02-05 16:00 - 0000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL

    Some content of TEMP:
    ====================
    C:\Documents and Settings\Administrator\Local Settings\Temp\converter.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext1412139716394125397.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext1894285026724559924.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext37290307915708640.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext4646817356197714655.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\ext7421327649996926586.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\SCC.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\SkypeSetup.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\SymCCIS.dll


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End Of Log ============================


    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 05-02-2015
    Ran by Administrator at 2015-02-06 08:18:08
    Running from C:\Documents and Settings\Administrator\Desktop
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)


    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.44 - Adobe Systems Incorporated)
    Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
    Blackhawk Emulation Device Drivers for Windows - v1.13.03.25 (HKLM\...\D1130325-1130-4000-9C10-A4F62C0C66D4) (Version: 1.13.03.25 - Blackhawk)
    Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
    Code Composer Studio 5.5.0 (HKLM\...\Code Composer Studio 5.5.0) (Version: 5.5.0.00077 - Texas Instruments)
    CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
    ExtraPuTTY 0.27-RC1 (HKLM\...\ExtraPuTTY) (Version: 0.27:v1 - ExtraPuTTY)
    Intel(R) PROSet/Wireless Software (HKLM\...\ProInst) (Version: 10.50.0000 - Intel Corporation)
    IPC 1.22.03.23 (HKLM\...\286EA45-12CF-C74C-BF50-A5D20DEC3322) (Version: 1.22.03.23 - Texas Instruments)
    IPC 1.24.03.32 (HKLM\...\75761F1-E8DF-9130-5CFD-A4D9D6B189C7) (Version: 1.24.03.32 - Texas Instruments)
    Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
    mCore (Version: 7.05.0000 - Intel Corporation) Hidden
    mDrWiFi (Version: 7.05.0000 - Intel Corporation) Hidden
    mHelp (Version: 7.05.0000 - Intel) Hidden
    Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
    Microsoft Office Project Professional 2003 (HKLM\...\{903B0409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
    Microsoft Office Visio Professional 2003 (HKLM\...\{90510409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.3216.5614 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
    mIWA (Version: 7.05.0000 - Intel Corporation) Hidden
    mLogView (Version: 7.05.0000 - Intel Corporation) Hidden
    mMHouse (Version: 7.05.0000 - Intel Corporation) Hidden
    mPfMgr (Version: 7.05.0000 - Intel Corporation) Hidden
    mPfWiz (Version: 7.05.0000 - Intel Corporation) Hidden
    mProSafe (Version: 9.00.0000 - Intel) Hidden
    MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
    mWlsSafe (Version: 7.05.0000 - Intel) Hidden
    mXML (Version: 7.05.0000 - Intel Corporation) Hidden
    mZConfig (Version: 7.05.0000 - Intel Corporation) Hidden
    Programmer's Notepad (HKLM\...\{52CF142B-7B0E-41E7-98F5-B834122523E7}_is1) (Version: 2.3.4.2350 - Simon Steele)
    Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version: - )
    Skype™ 6.20 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.20.104 - Skype Technologies S.A.)
    SpyHunter 4 (HKLM\...\SpyHunter) (Version: 4.18.9.4384 - Enigma Software Group, LLC)
    SYS/BIOS 6.33.06.50 (HKLM\...\AEEF52B-CAE0-8988-8458-437F1412B8E7) (Version: 6.33.06.50 - Texas Instruments)
    TI BIOS Multicore SDK (HKLM\...\BIOS-MCSDK-2_01_02_06) (Version: 2.1.2.6 - Texas Instruments)
    TI Emulators (HKLM\...\TI Emulators 5.1.232.0) (Version: 5.1.232.0 - Texas Instruments)
    ti.mathlib (HKLM\...\08292447-1685-4FD9-BBE3-CCBBF48436A0) (Version: 3.0.1.1 - Texas Instruments)
    WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
    Windows Driver Package - EWA Technologies, Inc. (XDS560) TI_Emulators (11/02/2011 3.0.0.1) (HKLM\...\493E55AC2C50E157B700A12975E4532D3E246F44) (Version: 11/02/2011 3.0.0.1 - EWA Technologies, Inc.)
    Windows Driver Package - FTDI CDM Driver Package - Bus/D2XX Driver (03/18/2011 2.08.14) (HKLM\...\ACBD450607B9A261AF1F694FAE00A92218E1F94B) (Version: 03/18/2011 2.08.14 - FTDI)
    Windows Driver Package - FTDI CDM Driver Package - VCP Driver (03/18/2011 2.08.14) (HKLM\...\6DBBE862580281438868BCDD37A84E63A0FBB067) (Version: 03/18/2011 2.08.14 - FTDI)
    Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00) (HKLM\...\5C5B7D0E17DB046F04E146771F4F63E878CE1CCE) (Version: 10/22/2009 2.06.00 - FTDI)
    Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00) (HKLM\...\BD48187675B513535F6EEDD3BCC36B20969ACF34) (Version: 10/22/2009 2.06.00 - FTDI)
    Windows Driver Package - Marvell (yukonwxp) Net (03/23/2012 11.45.4.3) (HKLM\...\70A458849756B2201F4810305D27C8CA7BF998F9) (Version: 03/23/2012 11.45.4.3 - Marvell)
    Windows Driver Package - Spectrum Digital (sdusb2em) SDUSBEmulators (03/25/2011 6.0.999.2) (HKLM\...\22794B1D2C0BB36E523BAF6ED24EF94EB1A84443) (Version: 03/25/2011 6.0.999.2 - Spectrum Digital)
    Windows Driver Package - Spectrum Digital (sdusb2em) SDUSBEmulators (12/05/2008 6.0.999.0) (HKLM\...\12E480B8B522F8B0DB54C0A03B90FCB00B96CD3D) (Version: 12/05/2008 6.0.999.0 - Spectrum Digital)
    Windows Driver Package - Texas Instruments Incorporated (usbser) Ports (04/21/2009 5.1.2600.0) (HKLM\...\95395462375D9A29E54B3082BE6D3CAA7CEFD7BA) (Version: 04/21/2009 5.1.2600.0 - Texas Instruments Incorporated)
    Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
    WinPcap 4.1.3 (HKLM\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
    WinRAR 5.01 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)
    WinSCP 5.5.3 (HKLM\...\winscp3_is1) (Version: 5.5.3 - Martin Prikryl)
    Wireshark 1.10.5 (32-bit) (HKLM\...\Wireshark) (Version: 1.10.5 - The Wireshark developer community, http://www.wireshark.org)
    XDCtools 3.23.04.60 (HKLM\...\788E834-A2A0-492F-57D6-8AD6DE3A7A92) (Version: 3.23.04.60 - Texas Instruments)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


    ==================== Restore Points =========================

    ATTENTION: System Restore is disabled.
    14-11-2014 00:20:54 System Checkpoint
    15-11-2014 01:03:43 System Checkpoint
    16-11-2014 01:38:44 System Checkpoint
    17-11-2014 02:22:24 System Checkpoint
    18-11-2014 02:40:48 System Checkpoint
    19-11-2014 03:10:31 System Checkpoint
    20-11-2014 03:35:01 System Checkpoint
    21-11-2014 04:13:43 System Checkpoint
    22-11-2014 04:14:16 System Checkpoint
    23-11-2014 05:14:19 System Checkpoint
    24-11-2014 06:14:20 System Checkpoint
    25-11-2014 03:00:13 Software Distribution Service 3.0
    26-11-2014 03:16:55 System Checkpoint
    29-11-2014 11:50:57 System Checkpoint
    02-12-2014 22:22:09 System Checkpoint
    03-12-2014 22:56:01 System Checkpoint
    04-12-2014 23:24:34 System Checkpoint
    06-12-2014 23:55:03 System Checkpoint
    07-12-2014 23:56:28 System Checkpoint
    08-12-2014 14:41:13 Installed DisplayLink Core Software
    10-12-2014 00:10:33 System Checkpoint
    11-12-2014 00:55:55 System Checkpoint
    12-12-2014 01:57:05 System Checkpoint
    13-12-2014 02:44:05 System Checkpoint
    14-12-2014 03:38:04 System Checkpoint
    15-12-2014 04:38:09 System Checkpoint
    16-12-2014 05:03:28 System Checkpoint
    17-12-2014 05:34:04 System Checkpoint
    18-12-2014 05:34:21 System Checkpoint
    19-12-2014 07:56:01 System Checkpoint
    19-12-2014 23:22:17 Removed DisplayLink Core Software
    21-12-2014 00:13:12 System Checkpoint
    22-12-2014 00:34:33 System Checkpoint
    23-12-2014 01:41:13 System Checkpoint
    24-12-2014 01:47:30 System Checkpoint
    25-12-2014 01:47:43 System Checkpoint
    26-12-2014 02:47:43 System Checkpoint
    27-12-2014 03:47:43 System Checkpoint
    28-12-2014 04:47:43 System Checkpoint
    29-12-2014 13:15:58 System Checkpoint
    06-01-2015 00:38:45 System Checkpoint
    07-01-2015 01:23:15 System Checkpoint
    08-01-2015 02:59:52 System Checkpoint
    10-01-2015 00:32:26 System Checkpoint
    11-01-2015 01:30:48 System Checkpoint
    12-01-2015 02:22:23 System Checkpoint
    13-01-2015 09:50:38 System Checkpoint
    14-01-2015 10:17:02 System Checkpoint
    16-01-2015 23:19:15 System Checkpoint
    17-01-2015 23:19:49 System Checkpoint
    18-01-2015 23:42:14 System Checkpoint
    20-01-2015 00:33:21 System Checkpoint
    21-01-2015 01:11:48 System Checkpoint
    22-01-2015 02:11:28 System Checkpoint
    23-01-2015 03:06:01 System Checkpoint
    24-01-2015 03:53:30 System Checkpoint
    25-01-2015 04:53:29 System Checkpoint
    26-01-2015 05:53:32 System Checkpoint
    28-01-2015 16:38:11 System Checkpoint
    29-01-2015 20:17:17 System Checkpoint
    31-01-2015 00:02:15 System Checkpoint
    01-02-2015 00:40:49 System Checkpoint
    02-02-2015 00:50:39 System Checkpoint
    03-02-2015 12:03:47 System Checkpoint
    04-02-2015 12:13:30 System Checkpoint
    05-02-2015 12:13:37 System Checkpoint

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2008-04-13 17:00 - 2008-04-13 17:00 - 00000734 ____N C:\WINDOWS\system32\Drivers\etc\hosts
    127.0.0.1 localhost

    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

    ==================== Loaded Modules (whitelisted) ==============

    2006-08-02 02:24 - 2006-08-02 02:24 - 00348160 _____ () C:\Program Files\Intel\Wireless\Bin\IntStngs.dll
    2014-03-02 14:33 - 2013-10-23 15:23 - 00089136 _____ () C:\WINDOWS\system32\cpwmon2k.dll
    2006-08-02 02:24 - 2006-08-02 02:24 - 00348160 _____ () C:\Program Files\Intel\Wireless\bin\IntStngs.dll
    2008-04-13 17:00 - 2008-04-13 17:00 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
    2008-04-13 17:00 - 2008-04-13 17:00 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
    2006-06-23 15:07 - 2006-06-23 15:07 - 01167360 _____ () C:\Program Files\Intel\Wireless\Bin\acAuth.dll
    2006-08-02 02:26 - 2006-08-02 02:26 - 00118784 _____ () C:\Program Files\Intel\Wireless\Bin\IWMSPROV.DLL

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) ===============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== Other Registry Areas =====================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-2000478354-261478967-1417001333-500\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background

    ==================== Accounts: =============================

    Administrator (S-1-5-21-2000478354-261478967-1417001333-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
    Guest (S-1-5-21-2000478354-261478967-1417001333-501 - Limited - Disabled)
    HelpAssistant (S-1-5-21-2000478354-261478967-1417001333-1000 - Limited - Disabled)
    jshen (S-1-5-21-2000478354-261478967-1417001333-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\jshen
    SUPPORT_388945a0 (S-1-5-21-2000478354-261478967-1417001333-1002 - Limited - Disabled)

    ==================== Faulty Device Manager Devices =============

    Name: Video Controller (VGA Compatible)
    Description: Video Controller (VGA Compatible)
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: Video Controller
    Description: Video Controller
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: Mass Storage Controller
    Description: Mass Storage Controller
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: PCI Modem
    Description: PCI Modem
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (01/30/2015 11:17:50 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x07d8d518.
    Processing media-specific event for [iexplore.exe!ws!]

    Error: (01/19/2015 03:03:52 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x06ffac10.
    Processing media-specific event for [iexplore.exe!ws!]

    Error: (12/02/2014 11:57:21 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0xf259d4b4.
    Processing media-specific event for [iexplore.exe!ws!]

    Error: (11/24/2014 03:49:22 PM) (Source: MsiInstaller) (EventID: 1013) (User: CORONA-1D800B03)
    Description: Product: DisplayLink Core Software -- Before installing DisplayLink Core software and drivers, please install up-to-date OEM drivers for your PC's graphics hardware. Please refer to the DisplayLink Core documentation for further information.

    Error: (11/16/2014 09:41:14 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x04fda3d1.
    Processing media-specific event for [iexplore.exe!ws!]

    Error: (10/25/2014 11:16:31 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x51d94343.
    Processing media-specific event for [iexplore.exe!ws!]

    Error: (10/22/2014 00:49:17 AM) (Source: Microsoft Office 11) (EventID: 1000) (User: )
    Description: Faulting application winword.exe, version 11.0.5604.0, stamp 3f314a2f, faulting module winword.exe, version 11.0.5604.0, stamp 3f314a2f, debug? 0, fault address 0x0004492e.

    Error: (10/22/2014 00:41:18 AM) (Source: Microsoft Office 11) (EventID: 1000) (User: )
    Description: Faulting application winword.exe, version 11.0.5604.0, stamp 3f314a2f, faulting module winword.exe, version 11.0.5604.0, stamp 3f314a2f, debug? 0, fault address 0x0004492e.

    Error: (10/11/2014 11:20:57 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x088ec580.
    Processing media-specific event for [iexplore.exe!ws!]

    Error: (10/07/2014 02:21:36 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module flash32_12_0_0_44.ocx, version 12.0.0.44, fault address 0x001d336b.
    Processing media-specific event for [iexplore.exe!ws!]


    System errors:
    =============
    Error: (02/05/2015 09:51:20 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).

    Error: (02/05/2015 09:44:21 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The SpyHunter 4 Service service terminated unexpectedly. It has done this 1 time(s).

    Error: (02/05/2015 01:57:46 PM) (Source: Dhcp) (EventID: 1002) (User: )
    Description: The IP address lease 192.168.0.107 for the Network Card with network address 0015004B0B74 has been
    denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (01/29/2015 09:45:19 AM) (Source: Dhcp) (EventID: 1002) (User: )
    Description: The IP address lease 192.168.0.107 for the Network Card with network address 0015004B0B74 has been
    denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (01/23/2015 11:50:01 PM) (Source: Dhcp) (EventID: 1002) (User: )
    Description: The IP address lease 192.168.5.237 for the Network Card with network address 0015004B0B74 has been
    denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    Error: (01/22/2015 09:02:36 AM) (Source: Dhcp) (EventID: 1002) (User: )
    Description: The IP address lease 192.168.0.107 for the Network Card with network address 0015004B0B74 has been
    denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (01/21/2015 11:07:55 PM) (Source: Dhcp) (EventID: 1002) (User: )
    Description: The IP address lease 192.168.1.4 for the Network Card with network address 0015004B0B74 has been
    denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    Error: (01/20/2015 08:07:07 PM) (Source: Dhcp) (EventID: 1002) (User: )
    Description: The IP address lease 192.168.1.4 for the Network Card with network address 0015004B0B74 has been
    denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    Error: (01/19/2015 09:29:47 AM) (Source: Dhcp) (EventID: 1002) (User: )
    Description: The IP address lease 192.168.0.107 for the Network Card with network address 0015004B0B74 has been
    denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (01/18/2015 09:38:40 PM) (Source: Dhcp) (EventID: 1002) (User: )
    Description: The IP address lease 192.168.1.4 for the Network Card with network address 0015004B0B74 has been
    denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).


    Microsoft Office Sessions:
    =========================
    Error: (01/30/2015 11:17:50 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe8.0.6001.18702unknown0.0.0.007d8d518

    Error: (01/19/2015 03:03:52 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe8.0.6001.18702unknown0.0.0.006ffac10

    Error: (12/02/2014 11:57:21 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe8.0.6001.18702unknown0.0.0.0f259d4b4

    Error: (11/24/2014 03:49:22 PM) (Source: MsiInstaller) (EventID: 1013) (User: CORONA-1D800B03)
    Description: Product: DisplayLink Core Software -- Before installing DisplayLink Core software and drivers, please install up-to-date OEM drivers for your PC's graphics hardware. Please refer to the DisplayLink Core documentation for further information.(NULL)(NULL)(NULL)

    Error: (11/16/2014 09:41:14 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe8.0.6001.18702unknown0.0.0.004fda3d1

    Error: (10/25/2014 11:16:31 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe8.0.6001.18702unknown0.0.0.051d94343

    Error: (10/22/2014 00:49:17 AM) (Source: Microsoft Office 11) (EventID: 1000) (User: )
    Description: winword.exe11.0.5604.03f314a2fwinword.exe11.0.5604.03f314a2f00004492e

    Error: (10/22/2014 00:41:18 AM) (Source: Microsoft Office 11) (EventID: 1000) (User: )
    Description: winword.exe11.0.5604.03f314a2fwinword.exe11.0.5604.03f314a2f00004492e

    Error: (10/11/2014 11:20:57 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe8.0.6001.18702unknown0.0.0.0088ec580

    Error: (10/07/2014 02:21:36 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe8.0.6001.18702flash32_12_0_0_44.ocx12.0.0.44001d336b


    ==================== Memory info ===========================

    Processor: Intel(R) Pentium(R) M processor 1.86GHz
    Percentage of memory in use: 59%
    Total physical RAM: 1014.42 MB
    Available physical RAM: 410.68 MB
    Total Pagefile: 2444.96 MB
    Available Pagefile: 1565.86 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1926.11 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:111.6 GB) (Free:93.58 GB) NTFS ==>[Drive with boot components (Windows XP)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 111.6 GB) (Disk ID: 1E6C7F98)
    Partition 1: (Active) - (Size=111.6 GB) - (Type=07 NTFS)

    ==================== End Of Log ============================
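Reading the two FRST logs above by hand is slow, and the interesting facts for triage are scattered across three sections. The following is an added Python example, my own code rather than anything from this thread, from FRST, or from its author: it parses FRST file-listing lines exactly as they appear above and reconstructs the CryptoWall timeline, namely when the first and last HELP_DECRYPT.* notes were written, which directories received a note, whether every copy of each note type has the same size (one static note dropped by one process), and which folders were modified inside that window and therefore probably had their contents rewritten. The sample input is a verbatim subset of the log lines posted above plus the standard "One Month Created" header that precedes them. One assumption is inferred from the log rather than taken from FRST documentation: the "One Month Modified" section lists the modified timestamp first and the created timestamp second, while the other two sections list created first. The winscp.rnd entry, which appears in both places with its columns swapped, is what supports that reading, and the parser reconciles the two.

```python
import re
from collections import defaultdict
from datetime import datetime

TS = "%Y-%m-%d %H:%M"

# Section header of an FRST file listing; the section decides timestamp column order.
SECTION_RE = re.compile(r"^=+\s*(One Month Created|One Month Modified|Files in the root)")
# "<ts> - <ts> - <size> <attrs> (<company>) <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([_A-Z]+) \([^)]*\) (.+)$"
)
NOTE_RE = re.compile(r"\\HELP_DECRYPT\.(HTML|TXT|URL|PNG)$", re.IGNORECASE)

# Constructed sample input: a verbatim subset of the FRST lines posted in this thread.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
2015-02-05 15:49 - 2015-02-05 15:49 - 00008632 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
2015-02-05 15:49 - 2015-02-05 15:49 - 00004256 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
2015-02-05 15:49 - 2015-02-05 15:49 - 00000300 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
2015-01-20 23:36 - 2015-01-20 23:36 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\20150120-UAG5.2 transcoding debug session(2078055261)
==================== One Month Modified Files and Folders =======
2015-02-05 18:25 - 2014-09-10 09:58 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Gazoo
2015-02-05 16:00 - 2014-11-29 10:55 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Sig Documentation
2015-02-05 16:00 - 2014-02-07 20:26 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-02-05 15:55 - 2014-10-18 23:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\DARPA
2015-02-05 15:51 - 2014-07-23 15:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Advantech
2015-02-05 15:49 - 2014-04-27 10:40 - 00000000 ____D () C:\Audio.temp
2015-02-05 15:49 - 2014-02-18 13:00 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Adobe
2015-02-05 15:47 - 2012-06-25 10:41 - 01873338 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-05 11:04 - 2014-05-17 22:43 - 00000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd
==================== Files in the root of some directories =======
2014-05-17 22:43 - 2015-02-05 11:04 - 0000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd
2015-02-05 16:00 - 2015-02-05 16:00 - 0008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 0000131 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-02-05 16:00 - 2015-02-05 16:00 - 0004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 0000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
"""


def parse_frst(text):
    """Parse FRST listing lines; the enclosing section fixes which timestamp is which (assumption, see lead-in)."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        first, second, size, attrs, path = m.groups()
        # Modified section: modified then created. Created and root sections: created then modified.
        modified, created = (first, second) if section == "One Month Modified" else (second, first)
        entries.append({
            "created": datetime.strptime(created, TS),
            "modified": datetime.strptime(modified, TS),
            "size": int(size),
            "is_dir": "D" in attrs,
            "path": path,
        })
    return entries


def ransom_notes(entries):
    return [e for e in entries if NOTE_RE.search(e["path"])]


def note_drop_window(entries):
    """Earliest and latest note creation time: brackets the encryption run."""
    times = [e["created"] for e in ransom_notes(entries)]
    return (min(times), max(times)) if times else None


def note_directories(entries):
    return sorted({e["path"].rsplit("\\", 1)[0] for e in ransom_notes(entries)})


def note_sizes_by_type(entries):
    """One size per note type everywhere means one static note written by one process."""
    sizes = defaultdict(set)
    for e in ransom_notes(entries):
        sizes[e["path"].rsplit(".", 1)[1].upper()].add(e["size"])
    return dict(sizes)


def folders_modified_in_window(entries, start, end):
    """Directories whose mtime falls inside the note window: their contents were likely rewritten."""
    hits = [e for e in entries if e["is_dir"] and start <= e["modified"] <= end]
    return [e["path"] for e in sorted(hits, key=lambda e: e["modified"])]


def triage(text):
    entries = parse_frst(text)
    start, end = note_drop_window(entries)
    return {
        "first_note": start,
        "last_note": end,
        "note_dirs": note_directories(entries),
        "sizes": note_sizes_by_type(entries),
        "folders": folders_modified_in_window(entries, start, end),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run it against the full FRST.txt rather than the sample and the window is the thing to look at first: anything a user wants back must have a backup older than the first note time, and any folder modified inside the window should be treated as encrypted until proven otherwise. The size check is a cheap way to confirm that all the HELP_DECRYPT.* copies are the same note and not, say, a second payload using the same name.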

  7. #7
    Dakeyras (Security Expert-Emeritus)
    Join Date: Sep 2008
    Location: The Tundra
    Posts: 1,173

    Hi.

    > It asked me to restart, but I was scared to do that yet.
    Fine to do so if you have not and more so because otherwise it will hinder the instructions and custom script below.

    Do you recognise the below currently residing in your My Documents folder?

    20150120-UAG5.2 transcoding debug session(2078055261)

    Also can you confirm that an Anti-Virus program is not installed at present?

    Enable disabled items with SCU

    Your FRST log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup" to stop something from running. While this is normally OK, it is possible that you have disabled something that will affect how we clean your machine.

    • Click on Start >> Run... and type in msconfig then click on OK.
    • Once the GUI(graphical user interface) for the System Configuration Utility has loaded:-
    Click on the Services tab and select Enable All
    Now click on the Startup tab and select Enable All
    • Now click on Apply >> Close >> Restart

    Note: Ensure you do allow your machine to reboot.

    Uninstall Software:

    Please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

    SpyHunter 4 <-- This was once deemed rogue software. Also, in my humble opinion it is utter dross and a waste of installation space.

    To do so, click once on the above to highlight and then click on the Remove button.

    Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

    Custom FRST Script:

    Please download the attached fixlist.txt (see below) and save to the desktop.

    Attachment 12027

    • Now double-click on FRST.exe to start FRST.
    • Then click on the Fix button/radio tab >> at the Fix completed prompt click on OK
    • Your machine should now automatically reboot itself.
    • Post the contents of the newly created Fixlog in your next reply.

    Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
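    The "MSConfig is running at startup" finding above can also be checked directly in the registry rather than by clicking through the System Configuration Utility. The script below is an added example for this thread, not something the helper posted: it assumes the Windows XP-era locations, where msconfig left in Diagnostic/Selective startup registers itself under the Run key and records every item it disabled beneath HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig. It is written for PowerShell 2.0 (the version installable on XP SP3) and only reads the registry; it changes nothing.

```powershell
# Added example, not from this thread. Reports the MSConfig state behind the
# FRST finding "MSConfig is running at startup" on Windows XP.
# Assumption (XP-era locations): msconfig in Diagnostic/Selective startup
# registers itself in the Run key and stores each item it disabled under
# HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\{startupreg,startupfolder,services}.
# Written for PowerShell 2.0; read-only.

$msconfigRoot = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-MsConfigState {
    $disabled = @()

    # 1. Is msconfig.exe itself set to run at logon? Normal startup removes this.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    $runAtStartup = $null
    if ($run -and $run.MSConfig) { $runAtStartup = $run.MSConfig }

    # 2. Startup items msconfig has disabled: registry Run entries
    #    (startupreg) and Startup-folder shortcuts (startupfolder),
    #    one subkey per item.
    foreach ($sub in 'startupreg', 'startupfolder') {
        $path = Join-Path $msconfigRoot $sub
        if (-not (Test-Path $path)) { continue }
        foreach ($item in Get-ChildItem -Path $path) {
            $p = Get-ItemProperty -Path $item.PSPath
            $target = if ($p.command) { $p.command } else { $p.path }
            $disabled += New-Object PSObject -Property @{
                Kind   = $sub
                Name   = $item.PSChildName
                Target = $target
            }
        }
    }

    # 3. Services msconfig has disabled are stored as values on one key:
    #    value name = service name, data = the service's original start type.
    $svcPath = Join-Path $msconfigRoot 'services'
    if (Test-Path $svcPath) {
        $props = (Get-ItemProperty -Path $svcPath).PSObject.Properties
        foreach ($prop in $props) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            $disabled += New-Object PSObject -Property @{
                Kind   = 'service'
                Name   = $prop.Name
                Target = "original start type $($prop.Value)"
            }
        }
    }

    New-Object PSObject -Property @{
        MSConfigRunAtStartup = $runAtStartup
        DisabledItems        = $disabled
    }
}

$state = Get-MsConfigState
if ($state.MSConfigRunAtStartup) {
    "MSConfig is registered at startup: $($state.MSConfigRunAtStartup)"
    "Startup mode is Diagnostic/Selective; the items below were disabled by msconfig."
} else {
    "MSConfig is not registered at startup (Normal startup)."
}
$state.DisabledItems | Format-Table Kind, Name, Target -AutoSize
```

    Run it from an Administrator account on the affected machine. If the first line reports msconfig registered at startup, the table that follows is exactly the set of items "Enable All" in the Services and Startup tabs will switch back on, which is worth knowing before you re-enable everything on a box that was just infected.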

  8. #8
    Junior Member
    Join Date
    Feb 2015
    Posts
    13

    Default

    Dakeyras-

    > Fine to do so if you have not and more so because otherwise it will
    > hinder the instructions and custom script below.

    Ok.

    > Do you recognise the below currently residing in your My Documents folder ?
    >
    > 20150120-UAG5.2 transcoding debug session(2078055261)

    Yes.

    > Also, can you confirm that an Anti-Virus program is not installed at present?

    None.

    > Your FRST log shows that MSConfig is running at startup. This
    > indicates that you may be using "diagnostic startup" rather than
    > "normal startup" to stop something from running. While this is normally
    > OK, it is possible that you have disabled something that will affect
    > how we clean your machine.

    I have fixed this -- MSConfig shows nothing at startup.

    > Note: Ensure you do allow your machine to reboot.

    Yes I have done so.

    > Uninstall Software:

    > SpyHunter 4 <-- This was once deemed rogue software. Also, in
    > my humble opinion it is utter dross and a waste of installation space.
    >
    > To do so, click once on the above to highlight and then click on
    > the Remove button.

    I have done that, but it seems it's not fully gone. It leaves a splash screen, which if I try to close, asks "are you sure you want to leave the installer?". If I answer no, it just seems to hang around on that splash screen and not want to do anything else. If I answer yes it quits, but in either case it still shows in Add/Remove Programs.

    > Custom FRST Script
    >
    > Please download the attached fixlist.txt (see below) and save to the desktop.

    Ok I'm doing this now, will report back shortly. If there is any way of "force removing" SpyHunter, please let me know. Thanks.

    -Jeff

  9. #9
    Junior Member
    Join Date
    Feb 2015
    Posts
    13

    Default

    Dakeyras-

    Here is the fixlog:

    EmptyTemp: => Removed 1.8 GB temporary data.

    The system needed a reboot.

    ==== End of Fixlog 18:11:39 ====

    I can't find any sign of CryptoWall after reboot -- no popups, text boxes, etc. The system seems stable and running cleanly. How can I verify this?

    Thanks.

    -Jeff

    PS. I managed to remove SpyHunter... there is a "no thanks" link in the splash display, in size 3 font in one corner :-)

  10. #10
    Security Expert-Emeritus Dakeyras
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi.

    > I have fixed this -- MSConfig shows nothing at startup.

    Good, and not a problem.

    > I managed to remove SpyHunter... there is a "no thanks" link in the splash display, in size 3 font in one corner :-)

    Acknowledged.

    > I can't find any sign of CryptoWall after reboot -- no popups, text boxes, etc. The system seems stable and running cleanly. How can I verify this?

    A good sign; the malware removal process as a whole is not completed as of yet, and I will be able to ascertain further after reviewing the requested logs below, etc.

    > Here is the fixlog:

    Hmmm, the output is rather slim; please check again. Also post a new FRST log for my review and carry out the below also.

    Note: Post all requested logs separately please as in one post per log, that way it will make it a tad easier for myself to review all, thank you.

    Scan with aswMBR:

    Please download aswMBR to your desktop.

    Alternate downloads are here and here.

    • Double-click on aswMBR.exe to launch the application.
    • If a prompt stating: The computer supports "Virtualization Technology" appears >> select Yes
    • When prompted with: The application can use the Avast! Free Antivirus for scanning >> select Yes
    • The Avast! virus definitions database will automatically be downloaded. Be patient; this may take some time depending on the speed of your Internet connection.
    • Once it has downloaded >> ensure the option next to AV scan: >> QuickScan is selected only. It should be by default.
    • Now click on the Scan button to start the scan.
    • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
    • Click on Exit.

    Note: There will also be a file on your desktop named MBR.dat (or similar). Do not delete this for now; it is an actual backup of the MBR (master boot record).

    Scan with FSS:

    Please download Farbar Service Scanner and save to your desktop.

    • Double-click FSS.exe to start the program.
    • Select all available options.
    • Then click on the Scan tab.
    • When the scan is complete, it will produce a log named FSS.txt.
    • Post the contents in your next reply.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
