View Full Version : My computer is crippled by ransomware

blend
2015-01-30, 19:02
It appears to be called CryptoWall 3.0. Please help! I tried running Malwarebytes and CCleaner to no avail. Thanks in advance!

FRST log

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01
Ran by Owner (administrator) on OWNER-PC on 30-01-2015 12:50:03
Running from K:\
Loaded Profiles: Owner (Available profiles: Owner)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Digidesign, A Division of Avid Technology, Inc.) C:\Program Files\Digidesign\Drivers\MMERefresh.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton Security\Engine\22.1.0.9\ns.exe
(PACE Anti-Piracy, Inc.) C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
(Avid Technology, Inc.) C:\Windows\System32\M-AudioTaskBarIcon.exe
(Symantec Corporation) C:\Program Files\Norton Security\Engine\22.1.0.9\ns.exe
() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Akamai Technologies, Inc.) C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe
(Gemalto N.V.) C:\Users\Owner\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe
(Dropbox, Inc.) C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Akamai Technologies, Inc.) C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe
() C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [M-Audio Taskbar Icon] => C:\Windows\system32\M-AudioTaskBarIcon.exe [643592 2009-10-02] (Avid Technology, Inc.)
HKLM\...\Run: [SwitchBoard] => C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [DigidesignMMERefresh] => C:\Program Files\Digidesign\Drivers\MMERefresh.exe [77824 2009-08-14] (Digidesign, A Division of Avid Technology, Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2007392 2014-04-01] (Wondershare)
HKLM\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-29] (Akamai Technologies, Inc.)
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [SanDiskSecureAccess_Manager.exe] => C:\Users\Owner\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe [30705792 2012-02-14] (Gemalto N.V.)
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [iCloudServices] => C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [ApplePhotoStreams] => C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [Google Update] => C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [135664 2010-05-28] (Google Inc.)
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Run: [ChromeUpdate] => C:\Users\Owner\AppData\Roaming\FrameworkUpdate\ChromeUpdate.exe
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...\Policies\Explorer: [NofolderOptions] 0
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/kfzNo0
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2405337125-3894891454-2728286072-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: No Name -> {451C804F-C205-4F03-B48E-537EC94937BF} -> No File
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Security\Engine\22.1.0.9\coIEPlg.dll (Symantec Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Free Download Manager -> {CC59E0F9-7E43-44FA-9FAA-8377850BF205} -> C:\Program Files\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine\22.1.0.9\coIEPlg.dll (Symantec Corporation)
Toolbar: HKU\S-1-5-21-2405337125-3894891454-2728286072-1000 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-2405337125-3894891454-2728286072-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine\22.1.0.9\coIEPlg.dll (Symantec Corporation)
DPF: {297DE2B6-509A-4B36-93C5-A65276606900} http://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 - No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @ilok.com/iLokHelper,version=3.1.0.7 -> C:\Program Files\PACE Anti-Piracy\iLok\NPPaceILok.dll ( PACE Anti-Piracy, Inc)
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2405337125-3894891454-2728286072-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2405337125-3894891454-2728286072-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011-10-23]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.0.0.110\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.0.0.110\coFFPlgn [2015-01-29]

Chrome:
=======
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
CHR Extension: (Norton Identity Safe) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-10-12]
CHR Extension: (Google Wallet) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-31]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security\Engine\22.1.0.9\Exts\Chrome.crx [2014-12-19]
CHR HKLM\...\Chrome\Extension: [hchpodijgngncfjhhnhfahlggabgaghl] - No Path
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
StartMenuInternet: Google Chrome - chrome.exe

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 DigiRefresh; C:\Program Files\Digidesign\Drivers\MMERefresh.exe [77824 2009-08-14] (Digidesign, A Division of Avid Technology, Inc.) [File not signed]
S3 digiSPTIService; C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe [159744 2009-08-14] (Digidesign, A Division of Avid Technology, Inc.) [File not signed]
S3 jswpsapi; C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe [942080 2008-02-29] (Atheros Communications, Inc.) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NS; C:\Program Files\Norton Security\Engine\22.1.0.9\NS.exe [282528 2014-12-10] (Symantec Corporation)
R2 PaceLicenseDServices; C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2932224 2011-09-08] (PACE Anti-Piracy, Inc.) [File not signed]
S3 SwitchBoard; C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
R2 WSWNDA3100; C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe [278528 2009-06-04] () [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BCMH43XX; C:\Windows\System32\DRIVERS\bcmwlhigh6.sys [1092160 2011-04-19] (Broadcom Corporation)
R1 BHDrvx86; C:\Program Files\Norton Security\NortonData\22.0.0.110\Definitions\BASHDefs\20141107.001\BHDrvx86.sys [1138392 2014-10-03] (Symantec Corporation)
R1 ccSet_NS; C:\Windows\system32\drivers\NS\1601000.009\ccSetx86.sys [128728 2014-09-09] (Symantec Corporation)
R2 DigiNet; C:\Windows\System32\DRIVERS\diginet.sys [16400 2009-08-15] (Digidesign, A Division of Avid Technology, Inc.)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-08-27] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-10-12] (Symantec Corporation)
R1 IDSVix86; C:\Program Files\Norton Security\NortonData\22.0.0.110\Definitions\IPSDefs\20141108.001\IDSvix86.sys [476888 2014-10-10] (Symantec Corporation)
R3 iLokDrvr; C:\Windows\System32\DRIVERS\iLokDrvr.sys [22736 2013-04-11] ()
R3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
S3 MAUSBFASTTRACK; C:\Windows\System32\DRIVERS\MAudioFastTrack.sys [158344 2009-10-02] (Avid Technology, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-01-29] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files\Norton Security\NortonData\22.0.0.110\Definitions\VirusDefs\20141111.002\NAVENG.SYS [95704 2014-10-12] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Security\NortonData\22.0.0.110\Definitions\VirusDefs\20141111.002\NAVEX15.SYS [1636696 2014-10-12] (Symantec Corporation)
S3 NPF; C:\Windows\System32\DRIVERS\npf.sys [34064 2007-11-07] (CACE Technologies)
R0 SCMNdisP; C:\Windows\System32\DRIVERS\scmndisp.sys [21728 2007-01-19] (Windows (R) Codename Longhorn DDK provider)
R3 SRTSP; C:\Windows\System32\Drivers\NS\1601000.009\SRTSP.SYS [699608 2014-12-02] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NS\1601000.009\SRTSPX.SYS [36056 2014-09-09] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NS\1601000.009\SYMDS.SYS [364760 2014-09-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NS\1601000.009\SYMEFA.SYS [939224 2014-09-09] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [94424 2014-10-12] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NS\1601000.009\Ironx86.SYS [212696 2014-09-09] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NS\1601000.009\SYMNETS.SYS [420056 2014-09-09] (Symantec Corporation)
R0 TPkd; C:\Windows\system32\Drivers\TPkd.sys [94416 2013-04-11] (PACE Anti-Piracy, Inc.)
S3 WN111v2; C:\Windows\System32\DRIVERS\WN111v2v.sys [449536 2008-09-30] (Atheros Communications, Inc.)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: PGPsdkDriver -> No Registry Path.

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-30 12:49 - 2015-01-30 12:50 - 00000000 ____D () C:\FRST
2015-01-28 22:39 - 2015-01-28 23:00 - 00000000 ____D () C:\AdwCleaner
2015-01-27 23:26 - 2015-01-27 23:26 - 00144624 _____ () C:\Windows\Minidump\012715-41043-01.dmp
2015-01-27 02:08 - 2015-01-27 02:08 - 00008528 _____ () C:\Users\Owner\Desktop\HELP_DECRYPT.HTML
2015-01-27 02:08 - 2015-01-27 02:08 - 00000272 _____ () C:\Users\Owner\Desktop\HELP_DECRYPT.URL
2015-01-27 02:07 - 2015-01-27 02:07 - 00008528 _____ () C:\Users\Owner\HELP_DECRYPT.HTML
2015-01-27 02:07 - 2015-01-27 02:07 - 00004204 _____ () C:\Users\Owner\HELP_DECRYPT.TXT
2015-01-27 02:07 - 2015-01-27 02:07 - 00004204 _____ () C:\Users\Owner\Desktop\HELP_DECRYPT.TXT
2015-01-27 02:07 - 2015-01-27 02:07 - 00000272 _____ () C:\Users\Owner\HELP_DECRYPT.URL
2015-01-26 23:32 - 2015-01-26 23:32 - 00008528 _____ () C:\Users\Owner\Downloads\HELP_DECRYPT.HTML
2015-01-26 23:32 - 2015-01-26 23:32 - 00004204 _____ () C:\Users\Owner\Downloads\HELP_DECRYPT.TXT
2015-01-26 23:32 - 2015-01-26 23:32 - 00000272 _____ () C:\Users\Owner\Downloads\HELP_DECRYPT.URL
2015-01-26 23:18 - 2015-01-26 23:18 - 00008528 _____ () C:\Users\Owner\Documents\HELP_DECRYPT.HTML
2015-01-26 23:18 - 2015-01-26 23:18 - 00004204 _____ () C:\Users\Owner\Documents\HELP_DECRYPT.TXT
2015-01-26 23:18 - 2015-01-26 23:18 - 00000272 _____ () C:\Users\Owner\Documents\HELP_DECRYPT.URL
2015-01-26 21:20 - 2015-01-26 21:20 - 01051393 _____ () C:\Users\Owner\Desktop\08 adlids.wma
2015-01-26 21:19 - 2015-01-26 21:20 - 01051393 _____ () C:\Users\Owner\Desktop\07 double.wma
2015-01-26 21:19 - 2015-01-26 21:19 - 04158941 _____ () C:\Users\Owner\Desktop\05 mic titans(ruff 2.0).wma
2015-01-26 21:19 - 2015-01-26 21:19 - 01051389 _____ () C:\Users\Owner\Desktop\06 lead.wma
2015-01-26 20:16 - 2015-01-26 20:16 - 00008528 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-26 20:16 - 2015-01-26 20:16 - 00008528 _____ () C:\Users\Owner\AppData\HELP_DECRYPT.HTML
2015-01-26 20:16 - 2015-01-26 20:16 - 00004204 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-26 20:16 - 2015-01-26 20:16 - 00004204 _____ () C:\Users\Owner\AppData\HELP_DECRYPT.TXT
2015-01-26 20:16 - 2015-01-26 20:16 - 00000272 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.URL
2015-01-26 20:16 - 2015-01-26 20:16 - 00000272 _____ () C:\Users\Owner\AppData\HELP_DECRYPT.URL
2015-01-26 20:15 - 2015-01-26 20:15 - 00008528 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.HTML
2015-01-26 20:15 - 2015-01-26 20:15 - 00004204 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.TXT
2015-01-26 20:15 - 2015-01-26 20:15 - 00000272 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.URL
2015-01-26 16:32 - 2015-01-26 16:32 - 03919893 _____ () C:\Users\Owner\Desktop\01 foundation(ruff).wma
2015-01-26 16:32 - 2015-01-26 16:32 - 01039441 _____ () C:\Users\Owner\Desktop\04 adlibs.wma
2015-01-26 16:32 - 2015-01-26 16:32 - 01039441 _____ () C:\Users\Owner\Desktop\03 double.wma
2015-01-26 16:32 - 2015-01-26 16:32 - 01039437 _____ () C:\Users\Owner\Desktop\02 lead.wma
2015-01-26 15:59 - 2015-01-26 20:49 - 00000000 ____D () C:\Users\Owner\Desktop\Beast From the East
2015-01-26 15:56 - 2015-01-26 22:12 - 00000000 ____D () C:\Users\Owner\Desktop\EastPack
2015-01-26 12:21 - 2015-01-26 12:21 - 69984432 _____ () C:\Users\Owner\Desktop\Fuck Everybody - BLeNd & BLuE.wav
2015-01-25 13:08 - 2015-01-25 13:08 - 00008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-25 13:08 - 2015-01-25 13:08 - 00004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-25 13:08 - 2015-01-25 13:08 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-25 12:58 - 2015-01-25 12:58 - 00000416 ____H () C:\ProgramData\@system3.att
2015-01-25 12:57 - 2015-01-27 23:27 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\FrameworkUpdate
2015-01-25 12:57 - 2015-01-25 12:57 - 00000680 _____ () C:\ProgramData\@system.temp
2015-01-25 12:57 - 2015-01-25 12:57 - 00000480 ____H () C:\Users\Owner\AppData\Roaming\麽鎒駓覜
2015-01-25 12:56 - 2015-01-29 20:18 - 00000000 ___HD () C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2015-01-18 20:54 - 2015-01-18 20:54 - 04362175 _____ () C:\Users\Owner\Desktop\03 deticated vs.wma
2015-01-18 20:54 - 2015-01-18 20:54 - 04344253 _____ () C:\Users\Owner\Desktop\04 deticated track.wma
2015-01-18 20:54 - 2015-01-18 20:54 - 04308391 _____ () C:\Users\Owner\Desktop\01 wop track vs.wma
2015-01-18 20:54 - 2015-01-18 20:54 - 04290457 _____ () C:\Users\Owner\Desktop\02 wop track.wma
2015-01-18 19:11 - 2015-01-18 19:11 - 04158975 _____ () C:\Users\Owner\Desktop\08 libs.wma
2015-01-18 19:10 - 2015-01-18 19:10 - 04158985 _____ () C:\Users\Owner\Downloads\05 mic..ruff.wma
2015-01-16 12:13 - 2015-01-16 12:13 - 08284750 _____ () C:\Users\Owner\Downloads\10 Track 10.m4a
2015-01-16 12:13 - 2015-01-16 12:13 - 08284750 _____ () C:\Users\Owner\Desktop\10 Track 10.m4a
2015-01-16 12:13 - 2015-01-16 12:12 - 08710643 _____ () C:\Users\Owner\Desktop\08 Track 08.m4a
2015-01-16 12:13 - 2015-01-16 12:12 - 08654135 _____ () C:\Users\Owner\Desktop\06 Track 06.m4a
2015-01-16 12:13 - 2015-01-16 12:12 - 08463095 _____ () C:\Users\Owner\Desktop\07 Track 07.m4a
2015-01-16 12:13 - 2015-01-16 12:12 - 08064379 _____ () C:\Users\Owner\Desktop\09 Track 09.m4a
2015-01-16 12:13 - 2015-01-16 12:11 - 08644945 _____ () C:\Users\Owner\Desktop\04 Track 04.m4a
2015-01-16 12:13 - 2015-01-16 12:09 - 06653981 _____ () C:\Users\Owner\Desktop\02 Track 02.m4a
2015-01-16 12:12 - 2015-01-16 12:12 - 08710643 _____ () C:\Users\Owner\Downloads\08 Track 08.m4a
2015-01-16 12:12 - 2015-01-16 12:12 - 08654135 _____ () C:\Users\Owner\Downloads\06 Track 06.m4a
2015-01-16 12:12 - 2015-01-16 12:12 - 08463095 _____ () C:\Users\Owner\Downloads\07 Track 07.m4a
2015-01-16 12:12 - 2015-01-16 12:12 - 08064379 _____ () C:\Users\Owner\Downloads\09 Track 09.m4a
2015-01-16 12:11 - 2015-01-16 12:11 - 08644945 _____ () C:\Users\Owner\Downloads\04 Track 04.m4a
2015-01-16 12:09 - 2015-01-16 12:09 - 06653981 _____ () C:\Users\Owner\Downloads\02 Track 02.m4a
2015-01-16 12:08 - 2015-01-16 12:08 - 04601149 _____ () C:\Users\Owner\Desktop\05 ill keys ft. blend.wma
2015-01-16 12:08 - 2015-01-16 12:08 - 04272469 _____ () C:\Users\Owner\Desktop\01 off da hook ft d.original.wma
2015-01-16 12:08 - 2014-12-18 21:43 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-16 12:08 - 2014-12-18 20:34 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-16 12:08 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-01-16 12:08 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-16 12:08 - 2014-12-11 12:47 - 00046592 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-16 12:08 - 2014-12-05 22:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-15 13:24 - 2015-01-15 13:22 - 35675456 _____ () C:\Users\Owner\Desktop\08 Gangsta Rap.wav

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-30 12:23 - 2010-05-28 13:22 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2405337125-3894891454-2728286072-1000UA.job
2015-01-30 12:05 - 2013-02-24 12:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-30 11:52 - 2011-10-09 23:00 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-30 11:51 - 2010-05-28 12:16 - 02096154 _____ () C:\Windows\WindowsUpdate.log
2015-01-30 10:52 - 2011-10-09 23:00 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-30 02:23 - 2010-05-28 13:22 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2405337125-3894891454-2728286072-1000Core.job
2015-01-29 19:32 - 2009-07-13 23:34 - 00022528 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-29 19:32 - 2009-07-13 23:34 - 00022528 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-29 19:27 - 2014-09-29 21:37 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-29 19:26 - 2014-10-12 14:19 - 00010975 _____ () C:\Windows\setupact.log
2015-01-29 19:26 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-29 19:11 - 2010-05-28 12:22 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-28 22:56 - 2014-09-04 13:48 - 00001433 _____ () C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
2015-01-28 22:55 - 2014-10-12 23:33 - 00019276 _____ () C:\Windows\PFRO.log
2015-01-27 23:26 - 2014-11-07 16:58 - 258957678 _____ () C:\Windows\MEMORY.DMP
2015-01-27 23:26 - 2013-03-17 11:53 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs
2015-01-27 23:26 - 2010-06-02 21:55 - 00000000 ____D () C:\Windows\Minidump
2015-01-27 15:05 - 2013-02-24 12:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-01-27 15:05 - 2013-02-24 12:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-01-27 12:42 - 2012-02-16 16:58 - 00000000 ____D () C:\Users\Owner\AppData\Local\CrashDumps
2015-01-27 10:56 - 2010-05-29 13:17 - 00000000 ____D () C:\Users\Owner\AppData\Local\Apple Computer
2015-01-27 02:07 - 2010-05-28 12:18 - 00000000 ____D () C:\Users\Owner
2015-01-26 23:47 - 2014-09-29 21:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-26 23:47 - 2014-09-29 21:37 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-26 23:47 - 2014-03-14 16:45 - 00001080 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-26 23:45 - 2010-05-29 12:41 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Digidesign
2015-01-26 23:38 - 2014-10-09 17:39 - 00000000 ___RD () C:\Users\Owner\Dropbox
2015-01-26 23:32 - 2012-02-14 15:17 - 00000000 ____D () C:\Users\Owner\Downloads\Windows 7 Ultimate (32 Bit)
2015-01-26 23:32 - 2011-01-19 14:08 - 00000000 ____D () C:\Users\Owner\Downloads\W138SS
2015-01-26 23:32 - 2011-01-19 14:08 - 00000000 ____D () C:\Users\Owner\Downloads\__MACOSX
2015-01-26 23:20 - 2012-02-21 20:34 - 00000000 ____D () C:\Users\Owner\Downloads\Auto-Tune_EFX2_RTAS_PC_v2.0.1d
2015-01-26 23:18 - 2013-09-01 10:19 - 00000000 ____D () C:\Users\Owner\Desktop\Wav Discovering the Medium Within
2015-01-26 23:09 - 2013-01-27 13:24 - 00000000 ____D () C:\Users\Owner\Desktop\Videos and Songs
2015-01-26 22:59 - 2014-03-13 17:40 - 00000000 ____D () C:\Users\Owner\Desktop\The Foundation
2015-01-26 22:49 - 2014-10-11 15:23 - 00000000 ____D () C:\Users\Owner\Desktop\Pics
2015-01-26 22:19 - 2013-09-01 09:17 - 00000000 ____D () C:\Users\Owner\Desktop\Mp3 Discovering the Medium Within
2015-01-26 22:05 - 2014-10-09 17:38 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Dropbox
2015-01-26 22:00 - 2014-09-28 10:00 - 00000000 ____D () C:\Users\Owner\Desktop\Lil Bibby- Free Crack 2
2015-01-26 21:59 - 2014-08-27 17:25 - 00000000 ____D () C:\Users\Owner\Desktop\Leezee
2015-01-26 21:58 - 2014-07-12 14:28 - 00000000 ____D () C:\Users\Owner\Desktop\JULY 11th Utica NY
2015-01-26 21:50 - 2010-08-04 17:37 - 00000000 ____D () C:\Users\Owner\Desktop\Instrumentals
2015-01-26 21:23 - 2014-03-13 17:37 - 00000000 ____D () C:\Users\Owner\Desktop\Ding Do 2014
2015-01-26 21:03 - 2013-05-16 10:05 - 00000000 ____D () C:\Users\Owner\Desktop\Blue Shit 2013
2015-01-26 20:55 - 2014-03-13 17:44 - 00000000 ____D () C:\Users\Owner\Desktop\BLeNd 2014
2015-01-26 20:46 - 2013-01-27 11:23 - 00000000 ____D () C:\Users\Owner\Desktop\ALBUMS
2015-01-26 20:16 - 2013-09-16 23:30 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\SanDisk
2015-01-26 20:16 - 2013-01-24 19:07 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Product_RM
2015-01-26 20:16 - 2011-02-28 17:16 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Mozilla
2015-01-26 20:16 - 2011-02-20 18:05 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Sony
2015-01-26 20:16 - 2010-05-29 12:36 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\PACE Anti-Piracy
2015-01-26 20:16 - 2010-05-29 12:34 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Structure
2015-01-26 20:15 - 2013-03-24 19:13 - 00000000 ____D () C:\Users\Owner\AppData\Local\LogiShrd
2015-01-26 20:15 - 2012-08-18 20:12 - 00000000 ____D () C:\Users\Owner\AppData\Local\HP
2015-01-26 20:15 - 2010-05-29 14:58 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Adobe
2015-01-26 20:15 - 2010-05-29 13:17 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Apple Computer
2015-01-26 20:15 - 2010-05-28 13:22 - 00000000 ____D () C:\Users\Owner\AppData\Local\Google
2015-01-26 20:15 - 2010-05-02 21:26 - 00000000 ___HD () C:\Users\Owner\AppData\Local\UTl9VOMd
2015-01-26 20:14 - 2011-11-09 21:17 - 00000000 ____D () C:\Users\Owner\AppData\Local\Akamai
2015-01-26 20:14 - 2011-01-19 14:12 - 00000000 ____D () C:\Users\Owner\AppData\Local\Adobe
2015-01-26 20:14 - 2010-05-29 11:48 - 00000000 ____D () C:\The C.O Dot
2015-01-26 20:14 - 2009-01-19 17:35 - 00000000 ___HD () C:\Users\Owner\AppData\Local\9SziSh01Q0A
2015-01-25 13:08 - 2014-07-12 13:30 - 00000000 ____D () C:\ProgramData\Wondershare Video Converter Pro
2015-01-25 13:08 - 2010-05-29 12:36 - 00000000 ____D () C:\ProgramData\PACE Anti-Piracy
2015-01-25 13:07 - 2013-03-24 19:10 - 00000000 ____D () C:\ProgramData\LogiShrd
2015-01-25 13:07 - 2012-02-03 16:59 - 00000000 ____D () C:\ProgramData\Norton
2015-01-25 13:07 - 2010-05-29 13:16 - 00000000 ____D () C:\ProgramData\Apple Computer
2015-01-25 13:06 - 2014-03-13 02:20 - 00000000 ____D () C:\ProgramData\82AC
2015-01-25 13:06 - 2010-07-28 12:45 - 00000000 ____D () C:\PFiles
2015-01-25 12:58 - 2014-11-09 19:28 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-16 17:23 - 2013-07-12 02:00 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-16 17:15 - 2010-05-28 12:44 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2015-01-26 20:16 - 2015-01-26 20:16 - 0008528 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-26 20:16 - 2015-01-26 20:16 - 0045558 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-26 20:16 - 2015-01-26 20:16 - 0004204 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-26 20:16 - 2015-01-26 20:16 - 0000272 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.URL
2015-01-25 12:57 - 2015-01-25 12:57 - 0000480 ____H () C:\Users\Owner\AppData\Roaming\麽鎒駓覜
2015-01-26 20:15 - 2015-01-26 20:15 - 0008528 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.HTML
2015-01-26 20:15 - 2015-01-26 20:15 - 0045558 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.PNG
2015-01-26 20:15 - 2015-01-26 20:15 - 0004204 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.TXT
2015-01-26 20:15 - 2015-01-26 20:15 - 0000272 _____ () C:\Users\Owner\AppData\Local\HELP_DECRYPT.URL
2015-01-25 12:57 - 2015-01-25 12:57 - 0000680 _____ () C:\ProgramData\@system.temp
2015-01-25 12:58 - 2015-01-25 12:58 - 0000416 ____H () C:\ProgramData\@system3.att
2015-01-25 13:08 - 2015-01-25 13:08 - 0008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-25 13:08 - 2015-01-25 13:08 - 0045651 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-25 13:08 - 2015-01-25 13:08 - 0004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-25 13:08 - 2015-01-25 13:08 - 0000272 _____ () C:\ProgramData\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Users\Owner\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcsefm_.dll
C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-26 09:31

==================== End Of Log ============================


aswMBR log

aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2015-01-30 12:52:56
-----------------------------
12:52:56.055 OS Version: Windows 6.1.7601 Service Pack 1
12:52:56.055 Number of processors: 2 586 0x602
12:52:56.070 ComputerName: OWNER-PC UserName: Owner
12:53:01.468 Initialize success
12:53:01.484 VM: initialized successfully
12:53:01.484 VM: Amd CPU supported
12:53:05.699 Disk 0 \Device\Harddisk0\DR0 -> \Device\0000006a
12:53:05.699 Disk 0 Vendor: SAMSUNG_ ZM10 Size: 152587MB BusType: 3
12:53:05.699 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\0000006c
12:53:05.715 Disk 1 Vendor: ST375052 CC44 Size: 715404MB BusType: 3
12:53:05.808 Disk 1 MBR read successfully
12:53:05.808 Disk 1 MBR scan
12:53:05.808 Disk 1 Windows 7 default MBR code
12:53:05.824 Disk 1 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
12:53:05.840 Disk 1 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 25167872
12:53:05.840 Disk 1 default boot code
12:53:05.840 Disk 1 Partition 3 00 07 HPFS/NTFS NTFS 703014 MB offset 25372672
12:53:05.855 Disk 1 scanning sectors +1465145344
12:53:06.167 Disk 1 scanning C:\Windows\system32\drivers
12:53:15.480 Service scanning
12:53:32.032 Modules scanning
12:53:32.032 Disk 1 trace - called modules:
12:53:32.063 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
12:53:32.079 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x86b5f7b8]
12:53:32.079 3 CLASSPNP.SYS[8c5a459e] -> nt!IofCallDriver -> [0x86a89660]
12:53:32.094 5 ACPI.sys[837733d4] -> nt!IofCallDriver -> \Device\0000006c[0x85b74b10]
12:53:32.094 Disk 1 statistics 75331/0/0 @ 4.81 MB/s
12:53:32.110 Scan finished successfully
12:53:54.839 Disk 1 MBR has been saved successfully to "K:\MBR.dat"
12:53:54.855 The log file has been saved successfully to "K:\aswMBR.txt"

Juliet
2015-01-31, 00:23
Well, I have good news, I have bad news.

We can remove the infection but not the damage.
Files/folders that have been encrypted I cannot fix.

It's possible some files/folders can be recovered... which ones I can't say.
If you're interested in trying:

Recovery with the use of Previous Versions or ShadowExplorer may be possible. File recovery software may also be an option if the infection does not securely delete the original files.

http://i.imgur.com/y3MMIrs.png Previous Versions

Right-click the file/folder and click Properties.
Click Previous Versions.
This tab will list all copies of the file and the date they were backed up.
To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
If you wish to restore the selected file and replace the existing one, click Restore.
If you wish to view the contents of the file before restoring, click Open.


http://i.imgur.com/MzmiIl9.gif ShadowExplorer

Please download ShadowExplorer (http://www.shadowexplorer.com/uploads/ShadowExplorer-0.9-portable.zip) and save the file to your Desktop.
Right-Click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
Right-Click ShadowExplorer.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
You will see a drop-down menu with the shadow copies of all partitions and disks present.
Click C:\ from the drop-down menu.
To the right, pick a date prior to the infection from the drop-down menu.
To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.


http://i.imgur.com/J8xQM97.png File Recovery Software
File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

http://i.imgur.com/fSA1TL4.png R-Studio (http://www.r-studio.com/)
http://i.imgur.com/C08PZmH.png Photorec (http://www.cgsecurity.org/wiki/PhotoRec)
http://i.imgur.com/uc6sByo.png Recuva (http://www.piriform.com/recuva/builds)


~~~

Try the above, then continue with the fix.

Please download and save the fixlist.txt to your desktop (in your case, K:\, since FRST is running from there).
Save it as fixlist.txt

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

(At the bottom of this page 1-30-2015.txt)

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

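
The Previous Versions / ShadowExplorer route above only works if Volume Shadow Copies taken before the encryption still exist, and the FRST log already tells you when that was: the earliest HELP_DECRYPT.* and @system* entries are the first things the ransomware wrote. The PowerShell script below is an added example, not part of this thread and not code from FRST or ShadowExplorer. It parses FRST "Files in the root of some directories" lines like the ones in blend's log to find the onset time, lists the shadow copies of C: that predate it, exposes the newest one as a directory symlink and copies one folder out. Run it from an elevated PowerShell on the affected machine; it uses Get-WmiObject so it works on the Windows 7 SP1 / PowerShell 2.0 system in the log. The mount point C:\ShadowMount, the destination K:\Restored and the choice of the ALBUMS desktop folder are assumptions made for the example.

```powershell
# Added example (not from the thread, FRST or ShadowExplorer): work out when the
# ransomware started writing, find shadow copies of C: that predate it, and pull
# a folder out of the newest one. Run from an elevated PowerShell. Get-WmiObject
# is used instead of Get-CimInstance so this runs on Windows 7 / PowerShell 2.0.

# Lines copied from the "Files in the root of some directories" section of the FRST log.
$frstLines = @'
2015-01-26 20:16 - 2015-01-26 20:16 - 0008528 _____ () C:\Users\Owner\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-25 12:57 - 2015-01-25 12:57 - 0000680 _____ () C:\ProgramData\@system.temp
2015-01-25 12:58 - 2015-01-25 12:58 - 0000416 ____H () C:\ProgramData\@system3.att
2015-01-25 13:08 - 2015-01-25 13:08 - 0008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
'@ -split "`r?`n"

function Get-RansomArtifact {
    # Parses FRST file lines ("modified - created - size attrs (signer) path")
    # and returns the entries that look like CryptoWall droppings.
    param([string[]]$Lines)
    $pattern = '^(?<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - ' +
               '(?<size>\d+) (?<attr>\S+) \((?<signer>[^)]*)\) (?<path>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $name = Split-Path -Path $Matches.path -Leaf
            # HELP_DECRYPT.{HTML,PNG,TXT,URL} are the CryptoWall 3.0 ransom notes;
            # the @system* files are the other unexplained droppings in this log.
            if ($name -like 'HELP_DECRYPT.*' -or $name -like '@system*') {
                New-Object PSObject -Property @{
                    Modified = [datetime]::ParseExact($Matches.mod, 'yyyy-MM-dd HH:mm', $null)
                    Hidden   = $Matches.attr.EndsWith('H')
                    Path     = $Matches.path
                }
            }
        }
    }
}

$artifacts = @(Get-RansomArtifact -Lines $frstLines | Sort-Object Modified)
$onset = $artifacts[0].Modified          # 2015-01-25 12:57 for the lines above
Write-Host "Earliest ransomware artifact: $onset  $($artifacts[0].Path)"

# Shadow copies of C: created before the onset are exactly what Previous Versions
# and ShadowExplorer would offer; match on the volume GUID, not the drive letter.
$cVolume = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }
$usable = @(Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $cVolume.DeviceID } |
    ForEach-Object {
        $created = $_.ConvertToDateTime($_.InstallDate)
        if ($created -lt $onset) { $_ | Add-Member NoteProperty Created $created -PassThru }
    } | Sort-Object Created -Descending)

if ($usable.Count -eq 0) {
    Write-Warning 'No shadow copy of C: predates the infection; only file carving is left.'
} else {
    $usable | Format-Table Created, DeviceObject -AutoSize

    # Assumed paths for this example: where to expose the copy and where to put files.
    $mount     = 'C:\ShadowMount'
    $restoreTo = 'K:\Restored'
    if (Test-Path $mount) { throw "$mount already exists; pick another mount point." }

    # mklink needs the trailing backslash on the shadow copy device object.
    $target = $usable[0].DeviceObject + '\'
    cmd /c mklink /d $mount $target | Out-Null
    try {
        Copy-Item -Path (Join-Path $mount 'Users\Owner\Desktop\ALBUMS') `
                  -Destination $restoreTo -Recurse -Force
        # Notes inside the copy mean it was taken mid-encryption: try an older one.
        Get-ChildItem -Path $restoreTo -Recurse -Filter 'HELP_DECRYPT.*' |
            ForEach-Object { Write-Warning "Ransom note inside the shadow copy: $($_.FullName)" }
    } finally {
        cmd /c rmdir $mount | Out-Null       # removes the link only, never the shadow copy
    }
}
```

ShadowExplorer does the same thing through its drop-down menus; the symlink just makes it scriptable and lets you check the restored tree for ransom notes before trusting it. An empty list means the pre-infection shadow copies are gone and only the file-carving tools listed above remain.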

Juliet
2015-02-05, 12:37
Due to lack of feedback this topic is closed.