TechSpot

Cryptowall 3.0 on W8

By Neal Young
May 8, 2015
  1. Daughter's laptop was/is infected with Cryptowall 3. I have downloaded and scanned with FRST and did a 'fix'. It rebooted to 'fix' more of the infected folders and items. When it started back up I was planning to rescan to continue cleaning, but now it just shuts down; sometimes I get an overheating error. The FRST app is gone. It restarts before I can download it again. I was able to pull the 'fixlog' to another laptop. Any help would be great.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================

    I'm assuming you're aware of this:
    http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
    We can fairly easily remove the infection itself, though.

    You shouldn't run any fixes by yourself if you're not sure what you're doing.

    Can you post the content of your "fixlist"?

    What Windows version is it?
     
  3. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    - Yes, I am aware of the decryption mess.
    - Lesson learned, I will await instructions and have NOW read the instructions...
    - Next post will be the fixlist data.
    - Windows 8.1.
     
  4. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2015 01
    Ran by Neal at 2015-05-08 08:48:53 Run:1
    Running from C:\Users\Neal\Desktop
    Loaded Profiles: Neal (Available profiles: Neal & Sean & Noelle & Administrator)
    Boot Mode: Safe Mode (with Networking)
    ==============================================

    Content of fixlist:
    *****************
    Start
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [Onics] => regsvr32.exe C:\Users\Neal\AppData\Local\Onics\jtqwehqk.dll
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [udsfurd] => rundll32 "C:\Users\Neal\AppData\Local\udsfurd.dll",udsfurd
    2015-05-05 14:18 - 2015-05-05 14:18 - 0001353 _____ () C:\Program Files\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:17 - 2015-05-05 14:17 - 0001353 _____ () C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt
    2015-05-07 15:51 - 2015-05-07 15:51 - 0221184 _____ ( ) C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
    2015-05-07 15:54 - 2015-05-07 15:54 - 0008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-07 15:54 - 2015-05-07 15:54 - 0045557 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG
    2015-05-07 15:54 - 2015-05-07 15:54 - 0004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-07 15:54 - 2015-05-07 15:54 - 0000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-07 14:03 - 2015-05-07 14:03 - 0001632 _____ () C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt
    2015-05-07 11:46 - 2015-05-07 11:46 - 0000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
    2015-05-05 14:14 - 2015-05-05 14:14 - 0000752 _____ () C:\Users\Neal\AppData\Roaming\key.dat
    2015-05-07 15:52 - 2015-05-07 15:52 - 0051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
    2015-05-05 14:14 - 2015-05-07 14:06 - 0553922 _____ () C:\Users\Neal\AppData\Roaming\log.html
    2015-05-07 11:46 - 2015-05-07 11:46 - 0079648 _____ () C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3
    2015-05-05 14:14 - 2015-05-05 14:13 - 0458240 _____ (PGWARE LLC) C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    2015-05-07 15:52 - 2015-05-07 15:52 - 0061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
    2014-07-11 14:14 - 2015-05-05 14:21 - 0000916 _____ () C:\ProgramData\CyberlinkOutput.txt.ezz
    2015-05-07 15:53 - 2015-05-07 15:53 - 0008602 _____ () C:\ProgramData\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 0045557 _____ () C:\ProgramData\HELP_DECRYPT.PNG
    2015-05-07 15:53 - 2015-05-07 15:53 - 0004244 _____ () C:\ProgramData\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 0000284 _____ () C:\ProgramData\HELP_DECRYPT.URL
    2015-05-07 14:03 - 2015-05-07 14:03 - 0001632 _____ () C:\ProgramData\HELP_TO_SAVE_FILES.txt
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Public\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Public\Documents\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Noelle\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Noelle\AppData\Local\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Noelle\AppData\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Neal\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Neal\Downloads\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Neal\Documents\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\HELP_DECRYPT.HTML
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Public\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Public\Documents\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Noelle\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Noelle\AppData\Local\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Noelle\AppData\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Neal\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Neal\Downloads\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Neal\Documents\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\HELP_DECRYPT.TXT
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Public\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Public\Documents\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Noelle\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Noelle\AppData\Local\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Noelle\AppData\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Neal\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Neal\Downloads\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Neal\Documents\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\HELP_DECRYPT.URL
    2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\HELP_DECRYPT.URL
    2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.HTML
    2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Default\HELP_DECRYPT.HTML
    2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Default\Documents\HELP_DECRYPT.HTML
    2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Default User\Documents\HELP_DECRYPT.HTML
    2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.TXT
    2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Default\HELP_DECRYPT.TXT
    2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Default\Documents\HELP_DECRYPT.TXT
    2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Default User\Documents\HELP_DECRYPT.TXT
    2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.URL
    2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Default\HELP_DECRYPT.URL
    2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Default\Documents\HELP_DECRYPT.URL
    2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Default User\Documents\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default\AppData\Local\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default\AppData\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default User\AppData\Local\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default User\AppData\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\ProgramData\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default\AppData\Local\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default\AppData\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default User\AppData\Local\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default User\AppData\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\ProgramData\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default\AppData\Local\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default\AppData\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default User\AppData\Local\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default User\AppData\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.URL
    2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\ProgramData\HELP_DECRYPT.URL
    2015-05-07 15:52 - 2015-05-07 15:52 - 00061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
    2015-05-07 15:52 - 2015-05-07 15:52 - 00051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
    2015-05-07 15:51 - 2015-05-07 15:51 - 00221184 _____ ( ) C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
    2015-05-07 15:51 - 2015-05-07 15:51 - 00000000 ___HD () C:\a9e1cbaf
    2015-05-07 15:46 - 2015-05-08 08:20 - 00000264 _____ () C:\Users\Neal\Desktop\Search.txt
    2015-05-07 15:41 - 2015-05-07 15:42 - 00035104 _____ () C:\Users\Neal\Desktop\Addition.txt
    2015-05-07 15:34 - 2015-05-08 08:21 - 00000000 _____ () C:\Users\Neal\Desktop\FRST.txt
    2015-05-07 15:33 - 2015-05-07 15:33 - 02102272 _____ (Farbar) C:\Users\Neal\Desktop\FRST64.exe
    2015-05-07 15:23 - 2015-05-07 15:24 - 00035152 _____ () C:\Users\Neal\Downloads\Addition.txt
    2015-05-07 15:19 - 2015-05-08 08:21 - 00000000 ____D () C:\FRST
    2015-05-07 15:19 - 2015-05-07 15:24 - 00039680 _____ () C:\Users\Neal\Downloads\FRST.txt
    2015-05-07 15:19 - 2015-05-07 15:19 - 02102272 _____ (Farbar) C:\Users\Neal\Downloads\FRST64.exe
    2015-05-07 14:03 - 2015-05-07 14:03 - 00001632 _____ () C:\Users\Public\Documents\HELP_TO_SAVE_FILES.txt
    2015-05-07 14:03 - 2015-05-07 14:03 - 00001632 _____ () C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt
    2015-05-07 14:03 - 2015-05-07 14:03 - 00001632 _____ () C:\Users\Neal\AppData\HELP_TO_SAVE_FILES.txt
    2015-05-07 14:03 - 2015-05-07 14:03 - 00001632 _____ () C:\ProgramData\HELP_TO_SAVE_FILES.txt
    2015-05-07 14:00 - 2015-05-07 14:00 - 00000512 _____ () C:\Users\Neal\Documents\RECOVERY_FILE.TXT
    2015-05-07 11:46 - 2015-05-07 11:46 - 00000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default\Desktop\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default\AppData\Roaming\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default\AppData\Local\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default\AppData\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default User\Desktop\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default User\AppData\Roaming\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default User\AppData\Local\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default User\AppData\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001353 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001353 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001353 _____ () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:31 - 2015-05-05 14:31 - 00001353 _____ () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:21 - 2015-05-05 14:21 - 00001353 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:21 - 2015-05-05 14:21 - 00001353 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:18 - 2015-05-05 14:18 - 00001353 _____ () C:\Program Files\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:17 - 2015-05-05 14:17 - 00001353 _____ () C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:14 - 2015-05-07 14:06 - 00553922 _____ () C:\Users\Neal\AppData\Roaming\log.html
    2015-05-05 14:14 - 2015-05-05 14:14 - 00000752 _____ () C:\Users\Neal\AppData\Roaming\key.dat
    2015-05-05 14:14 - 2015-05-05 14:13 - 00458240 _____ (PGWARE LLC) C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    2015-05-05 02:15 - 2015-05-05 02:15 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\WildTangent
    2015-05-05 01:50 - 2015-05-07 15:54 - 00000000 ____D () C:\Users\Neal\.jpi_cache
    2015-05-05 01:50 - 2015-05-07 15:54 - 00000000 ____D () C:\Users\Neal\.java
    2015-05-04 22:12 - 2015-05-04 22:12 - 00000000 ____D () C:\Users\Noelle\Documents\New folder
    2015-05-03 15:12 - 2015-05-03 15:12 - 00008602 _____ () C:\Users\Noelle\Documents\HELP_DECRYPT.HTML
    2015-05-03 15:12 - 2015-05-03 15:12 - 00004244 _____ () C:\Users\Noelle\Documents\HELP_DECRYPT.TXT
    2015-05-03 15:12 - 2015-05-03 15:12 - 00000284 _____ () C:\Users\Noelle\Documents\HELP_DECRYPT.URL
    2015-05-03 14:56 - 2015-05-03 15:19 - 00000000 ____D () C:\Users\Neal\AppData\Local\toteke
    2015-05-05 14:18 - 2015-05-05 14:18 - 0001353 _____ () C:\Program Files\HELP_TO_SAVE_FILES.txt
    2015-05-05 14:17 - 2015-05-05 14:17 - 0001353 _____ () C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt
    2015-05-07 15:51 - 2015-05-07 15:51 - 0221184 _____ ( ) C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
    2015-05-07 15:54 - 2015-05-07 15:54 - 0008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-07 15:54 - 2015-05-07 15:54 - 0045557 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG
    2015-05-07 15:54 - 2015-05-07 15:54 - 0004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-07 15:54 - 2015-05-07 15:54 - 0000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-07 14:03 - 2015-05-07 14:03 - 0001632 _____ () C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt
    2015-05-07 11:46 - 2015-05-07 11:46 - 0000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
    2015-05-05 14:14 - 2015-05-05 14:14 - 0000752 _____ () C:\Users\Neal\AppData\Roaming\key.dat
    2015-05-07 15:52 - 2015-05-07 15:52 - 0051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
    2015-05-05 14:14 - 2015-05-07 14:06 - 0553922 _____ () C:\Users\Neal\AppData\Roaming\log.html
    2015-05-07 11:46 - 2015-05-07 11:46 - 0079648 _____ () C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3
    2015-05-05 14:14 - 2015-05-05 14:13 - 0458240 _____ (PGWARE LLC) C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    2015-05-07 15:52 - 2015-05-07 15:52 - 0061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
    2014-07-11 14:14 - 2015-05-05 14:21 - 0000916 _____ () C:\ProgramData\CyberlinkOutput.txt.ezz
    2015-05-07 15:53 - 2015-05-07 15:53 - 0008602 _____ () C:\ProgramData\HELP_DECRYPT.HTML
    2015-05-07 15:53 - 2015-05-07 15:53 - 0045557 _____ () C:\ProgramData\HELP_DECRYPT.PNG
    2015-05-07 15:53 - 2015-05-07 15:53 - 0004244 _____ () C:\ProgramData\HELP_DECRYPT.TXT
    2015-05-07 15:53 - 2015-05-07 15:53 - 0000284 _____ () C:\ProgramData\HELP_DECRYPT.URL
    2015-05-07 14:03 - 2015-05-07 14:03 - 0001632 _____ () C:\ProgramData\HELP_TO_SAVE_FILES.txt
    end

    *****************

    "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Onics => value deleted successfully.
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Windows\CurrentVersion\Run\\udsfurd => value deleted successfully.
    C:\Program Files\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe => Moved successfully.
    C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
    C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja => Moved successfully.
    C:\Users\Neal\AppData\Roaming\key.dat => Moved successfully.
    C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe => Moved successfully.
    C:\Users\Neal\AppData\Roaming\log.html => Moved successfully.
    C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3 => Moved successfully.
    C:\Users\Neal\AppData\Roaming\rkdvuiw.exe => Moved successfully.
    C:\Users\Neal\AppData\Local\udsfurd.dll => Moved successfully.
    C:\ProgramData\CyberlinkOutput.txt.ezz => Moved successfully.
    C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.
    C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
    C:\ProgramData\HELP_DECRYPT.TXT => Moved successfully.
    C:\ProgramData\HELP_DECRYPT.URL => Moved successfully.
    C:\ProgramData\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Public\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Public\Documents\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Noelle\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Noelle\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Noelle\AppData\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\Downloads\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\Documents\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\Desktop\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\HELP_DECRYPT.HTML => Moved successfully.
    C:\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Public\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Public\Documents\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Noelle\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Noelle\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Noelle\AppData\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\Downloads\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\Documents\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\Desktop\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\HELP_DECRYPT.TXT => Moved successfully.
    C:\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Public\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Public\Documents\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Noelle\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Noelle\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Noelle\AppData\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\Downloads\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\Documents\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\Desktop\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\HELP_DECRYPT.URL => Moved successfully.
    C:\HELP_DECRYPT.URL => Moved successfully.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
    C:\Users\Neal\AppData\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Default\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Default\Documents\HELP_DECRYPT.HTML => Moved successfully.
    "C:\Users\Default User\Documents\HELP_DECRYPT.HTML" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
    C:\Users\Neal\AppData\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Default\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Default\Documents\HELP_DECRYPT.TXT => Moved successfully.
    "C:\Users\Default User\Documents\HELP_DECRYPT.TXT" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
    C:\Users\Neal\AppData\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Default\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Default\Documents\HELP_DECRYPT.URL => Moved successfully.
    "C:\Users\Default User\Documents\HELP_DECRYPT.URL" => File/Directory not found.
    C:\Users\Default\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Default\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Default\AppData\HELP_DECRYPT.HTML => Moved successfully.
    "C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
    "C:\Users\Default User\AppData\Local\HELP_DECRYPT.HTML" => File/Directory not found.
    "C:\Users\Default User\AppData\HELP_DECRYPT.HTML" => File/Directory not found.
    C:\Users\Administrator\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Administrator\Documents\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Administrator\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Administrator\AppData\HELP_DECRYPT.HTML => Moved successfully.
    "C:\ProgramData\HELP_DECRYPT.HTML" => File/Directory not found.
    C:\Users\Default\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Default\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Default\AppData\HELP_DECRYPT.TXT => Moved successfully.
    "C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
    "C:\Users\Default User\AppData\Local\HELP_DECRYPT.TXT" => File/Directory not found.
    "C:\Users\Default User\AppData\HELP_DECRYPT.TXT" => File/Directory not found.
    C:\Users\Administrator\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Administrator\Documents\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Administrator\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Administrator\AppData\HELP_DECRYPT.TXT => Moved successfully.
    "C:\ProgramData\HELP_DECRYPT.TXT" => File/Directory not found.
    C:\Users\Default\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Default\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Default\AppData\HELP_DECRYPT.URL => Moved successfully.
    "C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
    "C:\Users\Default User\AppData\Local\HELP_DECRYPT.URL" => File/Directory not found.
    "C:\Users\Default User\AppData\HELP_DECRYPT.URL" => File/Directory not found.
    C:\Users\Administrator\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Administrator\Documents\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Administrator\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Administrator\AppData\HELP_DECRYPT.URL => Moved successfully.
    "C:\ProgramData\HELP_DECRYPT.URL" => File/Directory not found.
    "C:\Users\Neal\AppData\Local\udsfurd.dll" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe" => File/Directory not found.
    C:\a9e1cbaf => Moved successfully.
    C:\Users\Neal\Desktop\Search.txt => Moved successfully.
    C:\Users\Neal\Desktop\Addition.txt => Moved successfully.
    C:\Users\Neal\Desktop\FRST.txt => Moved successfully.
    C:\Users\Neal\Desktop\FRST64.exe => Moved successfully.
    C:\Users\Neal\Downloads\Addition.txt => Moved successfully.

    "C:\FRST" directory move:

    Could not move "C:\FRST" directory. => Scheduled to move on reboot.

    C:\Users\Neal\Downloads\FRST.txt => Moved successfully.
    C:\Users\Neal\Downloads\FRST64.exe => Moved successfully.
    C:\Users\Public\Documents\HELP_TO_SAVE_FILES.txt => Moved successfully.
    "C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    C:\Users\Neal\AppData\HELP_TO_SAVE_FILES.txt => Moved successfully.
    "C:\ProgramData\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    C:\Users\Neal\Documents\RECOVERY_FILE.TXT => Moved successfully.
    "C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja" => File/Directory not found.
    C:\Users\Default\Desktop\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Default\AppData\Roaming\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Default\AppData\Local\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Default\AppData\HELP_TO_SAVE_FILES.txt => Moved successfully.
    "C:\Users\Default User\Desktop\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Users\Default User\AppData\Roaming\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Users\Default User\AppData\Local\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Users\Default User\AppData\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt => Moved successfully.
    "C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt => Moved successfully.
    "C:\Program Files\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\log.html" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\key.dat" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\rkdvuiw.exe" => File/Directory not found.
    C:\Users\Noelle\AppData\Roaming\WildTangent => Moved successfully.
    C:\Users\Neal\.jpi_cache => Moved successfully.
    C:\Users\Neal\.java => Moved successfully.
    C:\Users\Noelle\Documents\New folder => Moved successfully.
    C:\Users\Noelle\Documents\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Noelle\Documents\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Noelle\Documents\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\AppData\Local\toteke => Moved successfully.
    "C:\Program Files\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\key.dat" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\log.html" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\rkdvuiw.exe" => File/Directory not found.
    "C:\Users\Neal\AppData\Local\udsfurd.dll" => File/Directory not found.
    "C:\ProgramData\CyberlinkOutput.txt.ezz" => File/Directory not found.
    "C:\ProgramData\HELP_DECRYPT.HTML" => File/Directory not found.
    "C:\ProgramData\HELP_DECRYPT.PNG" => File/Directory not found.
    "C:\ProgramData\HELP_DECRYPT.TXT" => File/Directory not found.
    "C:\ProgramData\HELP_DECRYPT.URL" => File/Directory not found.
    "C:\ProgramData\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
     
  5. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Also, I have it booting in Safe with Networking.
    Thanks much!
     
  6. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    NOTE 1. Use another working computer to download Farbar Recovery Scan Tool. Use USB flash drive to transfer it from good computer to the bad one.
    NOTE 2. Install Panda USB Vaccine, or BitDefender’s USB Immunizer on GOOD computer to protect it from any infected USB device.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt. To access Advanced Boot Options start and shut down computer TWICE. On third start you should see Advanced Boot Options.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
      Note:
      Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  7. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2015 01
    Ran by SYSTEM on MININT-8MKEEIN on 08-05-2015 10:52:55
    Running from f:\
    Platform: Windows 8.1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1664000 2012-08-19] (IDT, Inc.)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916152 2012-08-24] (Synaptics Incorporated)
    HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491632 2012-09-10] (CyberLink Corp.)
    HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [93296 2012-07-13] (CyberLink Corp.)
    HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [581024 2012-09-07] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1342008 2012-09-14] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\qttask.exe [77824 2014-08-18] (Apple Computer, Inc.)
    HKLM-x32\...\Run: [toteke] => "C:\Users\Neal\AppData\Local\toteke\toteke.exe"
    HKLM-x32\...\Run: [AVrSvc] => C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    Winlogon\Notify\udsfurd-x32: C:\Users\Neal\AppData\Local\udsfurd.dll [X]
    HKLM\...\Policies\Explorer\Run: [toteke] => "C:\Users\Neal\AppData\Local\toteke\toteke.exe"
    HKU\Administrator\...\Run: [Power2GoExpress8] => C:\Program Files (x86)\CyberLink\Power2Go8\Power2GoExpress8.exe [1707632 2012-09-10] (CyberLink Corp.)
    HKU\Administrator\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2014-10-28] (Microsoft Corporation)
    HKU\Neal\...\Run: [AVNworks] => C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe [192512 2015-05-02] (Fullerene)
    HKU\Neal\...\Run: [Ogics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Neal\AppData\Local\AVNworks\kddxetxs.dll
    HKU\Neal\...\Run: [AVrSvc] => C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    HKU\Neal\...\Run: [a9e1cba] => C:\a9e1cbaf\a9e1cbaf.exe
    HKU\Neal\...\Run: [a9e1cbaf] => C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
    HKU\Noelle\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Bubbles.scr [788480 2014-10-28] (Microsoft Corporation)
    HKU\Sean\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2014-10-28] (Microsoft Corporation)
    Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt [2015-05-05] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe [2015-05-07] ( )
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-03] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG [2015-05-03] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT [2015-05-03] ()
    InternetURL: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.gigapaysun.com/1sL7j4w

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-07-04] (Advanced Micro Devices, Inc.)
    S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
    S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [373312 2015-04-14] (WildTangent)
    S2 HPConnectedRemote; C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [35744 2012-10-12] (Hewlett-Packard)
    S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-09-11] (Microsoft Corporation)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-09-19] (Advanced Micro Devices)
    S3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [91648 2012-08-21] (Advanced Micro Devices)
    S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
    S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [269968 2012-07-03] (Realtek Semiconductor Corp.)
    S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [41272 2012-08-24] (Synaptics Incorporated)
    S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [43832 2012-08-24] (Synaptics Incorporated)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
    S3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-05-07 12:19 - 2015-05-08 05:50 - 00000000 ____D () C:\FRST
    2015-05-07 11:06 - 2015-05-07 11:06 - 00000000 ____D () C:\Windows\pss
    2015-05-05 11:10 - 2015-05-07 12:53 - 00000000 ___HD () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
    2015-05-04 23:17 - 2015-05-07 12:53 - 00000000 ____D () C:\ProgramData\BlueStacks
    2015-05-04 19:12 - 2015-05-04 19:12 - 00000000 ____D () C:\Users\Noelle\Documents\julius caesar
    2015-05-02 14:50 - 2015-05-02 14:50 - 00000000 ____D () C:\Users\Neal\AppData\Local\Onics
    2015-05-02 14:50 - 2015-05-02 14:50 - 00000000 ____D () C:\Users\Neal\AppData\Local\AVNworks
    2015-04-17 06:45 - 2015-04-17 06:45 - 00000000 ____D () C:\Windows\System32\appraiser
    2015-04-14 16:50 - 2015-03-23 13:59 - 07476032 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2015-04-14 16:50 - 2015-03-23 13:59 - 01733952 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
    2015-04-14 16:50 - 2015-03-23 13:59 - 00360480 _____ (Microsoft Corporation) C:\Windows\System32\sechost.dll
    2015-04-14 16:50 - 2015-03-23 13:58 - 01498872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
    2015-04-14 16:50 - 2015-03-23 13:45 - 00257216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sechost.dll
    2015-04-14 16:50 - 2015-03-19 20:12 - 00246272 _____ (Microsoft Corporation) C:\Windows\System32\microsoft-windows-system-events.dll
    2015-04-14 16:50 - 2015-03-19 20:10 - 00285184 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
    2015-04-14 16:50 - 2015-03-19 20:10 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
    2015-04-14 16:50 - 2015-03-19 19:17 - 00411648 _____ (Microsoft Corporation) C:\Windows\System32\tracerpt.exe
    2015-04-14 16:50 - 2015-03-19 18:41 - 00369152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tracerpt.exe
    2015-04-14 16:50 - 2015-03-19 18:40 - 00950784 _____ (Microsoft Corporation) C:\Windows\System32\tdh.dll
    2015-04-14 16:50 - 2015-03-19 18:16 - 00749568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
    2015-04-14 16:50 - 2015-03-14 00:20 - 01385256 _____ (Microsoft Corporation) C:\Windows\System32\msctf.dll
    2015-04-14 16:50 - 2015-03-14 00:13 - 01124352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
    2015-04-14 16:50 - 2015-03-12 20:32 - 24980480 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2015-04-14 16:50 - 2015-03-12 19:50 - 06025216 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2015-04-14 16:50 - 2015-03-12 19:42 - 19695616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2015-04-14 16:50 - 2015-03-12 19:00 - 14397440 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2015-04-14 16:50 - 2015-03-12 18:58 - 00259072 _____ (Microsoft Corporation) C:\Windows\System32\pku2u.dll
    2015-04-14 16:50 - 2015-03-12 18:49 - 04305408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2015-04-14 16:50 - 2015-03-12 18:37 - 00208896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
    2015-04-14 16:50 - 2015-02-20 15:49 - 00780800 _____ (Microsoft Corporation) C:\Windows\System32\lsm.dll
    2015-04-14 16:49 - 2015-03-22 14:45 - 00227328 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
    2015-04-14 16:49 - 2015-03-22 14:09 - 01111552 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
    2015-04-14 16:49 - 2015-03-22 14:09 - 00957440 _____ (Microsoft Corporation) C:\Windows\System32\appraiser.dll
    2015-04-14 16:49 - 2015-03-22 14:09 - 00769024 _____ (Microsoft Corporation) C:\Windows\System32\invagent.dll
    2015-04-14 16:49 - 2015-03-22 14:09 - 00726528 _____ (Microsoft Corporation) C:\Windows\System32\generaltel.dll
    2015-04-14 16:49 - 2015-03-22 14:09 - 00419328 _____ (Microsoft Corporation) C:\Windows\System32\devinv.dll
    2015-04-14 16:49 - 2015-03-22 14:09 - 00030720 _____ (Microsoft Corporation) C:\Windows\System32\acmigration.dll
    2015-04-14 16:49 - 2015-03-14 00:54 - 00133256 _____ (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2015-04-14 16:49 - 2015-03-13 17:56 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\wups.dll
    2015-04-14 16:49 - 2015-03-13 17:56 - 00052224 _____ (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2015-04-14 16:49 - 2015-03-13 17:51 - 00015360 _____ (Microsoft Corporation) C:\Windows\System32\wu.upgrade.ps.dll
    2015-04-14 16:49 - 2015-03-13 17:37 - 00267264 _____ (Microsoft Corporation) C:\Windows\System32\WinSetupUI.dll
    2015-04-14 16:49 - 2015-03-13 17:14 - 00027136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2015-04-14 16:49 - 2015-03-13 16:22 - 03678720 _____ (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2015-04-14 16:49 - 2015-03-13 16:12 - 00140288 _____ (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2015-04-14 16:49 - 2015-03-13 16:12 - 00035840 _____ (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2015-04-14 16:49 - 2015-03-13 16:09 - 00200192 _____ (Microsoft Corporation) C:\Windows\System32\storewuauth.dll
    2015-04-14 16:49 - 2015-03-13 16:08 - 00408064 _____ (Microsoft Corporation) C:\Windows\System32\WUSettingsProvider.dll
    2015-04-14 16:49 - 2015-03-13 16:08 - 00095744 _____ (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2015-04-14 16:49 - 2015-03-13 16:06 - 02373632 _____ (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2015-04-14 16:49 - 2015-03-13 16:06 - 00891392 _____ (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2015-04-14 16:49 - 2015-03-13 16:02 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2015-04-14 16:49 - 2015-03-13 16:02 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2015-04-14 16:49 - 2015-03-13 15:59 - 00721920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2015-04-14 16:49 - 2015-03-13 15:59 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2015-04-14 16:49 - 2015-03-12 20:08 - 00584192 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2015-04-14 16:49 - 2015-03-12 20:07 - 02886144 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2015-04-14 16:49 - 2015-03-12 19:53 - 00816128 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2015-04-14 16:49 - 2015-03-12 19:28 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
    2015-04-14 16:49 - 2015-03-12 19:26 - 00092160 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2015-04-14 16:49 - 2015-03-12 19:22 - 02278400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2015-04-14 16:49 - 2015-03-12 19:17 - 01032704 _____ (Microsoft Corporation) C:\Windows\System32\inetcomm.dll
    2015-04-14 16:49 - 2015-03-12 19:16 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2015-04-14 16:49 - 2015-03-12 19:08 - 00720384 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2015-04-14 16:49 - 2015-03-12 19:07 - 00801280 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2015-04-14 16:49 - 2015-03-12 18:50 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
    2015-04-14 16:49 - 2015-03-12 18:45 - 02358784 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2015-04-14 16:49 - 2015-03-12 18:44 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2015-04-14 16:49 - 2015-03-12 18:34 - 12825600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2015-04-14 16:49 - 2015-03-12 18:33 - 01548288 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2015-04-14 16:49 - 2015-03-12 18:22 - 00800768 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
    2015-04-14 16:49 - 2015-03-12 18:20 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2015-04-14 16:49 - 2015-03-12 18:16 - 01311232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2015-04-14 16:49 - 2015-03-12 18:14 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
    2015-04-14 16:49 - 2015-03-04 02:25 - 00377152 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\clfs.sys
    2015-04-14 16:49 - 2015-03-03 19:04 - 00075264 _____ (Microsoft Corporation) C:\Windows\System32\clfsw32.dll
    2015-04-14 16:49 - 2015-03-03 18:19 - 00058880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\clfsw32.dll
    2015-04-14 16:49 - 2015-02-24 00:32 - 00991552 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\http.sys
    2015-04-14 16:49 - 2014-12-02 15:09 - 00192000 _____ (Microsoft Corporation) C:\Windows\System32\aepic.dll
    2015-04-08 09:05 - 2015-04-08 09:06 - 00000000 ___SD () C:\Windows\System32\GWX
    2015-04-08 09:05 - 2015-04-08 09:05 - 00000000 ___SD () C:\Windows\SysWOW64\GWX

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-05-08 06:17 - 2014-09-11 13:13 - 01818681 _____ () C:\Windows\WindowsUpdate.log
    2015-05-08 05:50 - 2014-03-18 01:54 - 00055204 _____ () C:\Windows\PFRO.log
    2015-05-08 05:49 - 2014-09-11 13:28 - 00000000 ____D () C:\users\Neal
    2015-05-08 05:48 - 2014-09-11 13:28 - 00000000 ____D () C:\users\Noelle
    2015-05-08 05:48 - 2014-09-11 13:28 - 00000000 ____D () C:\users\Administrator
    2015-05-08 05:48 - 2013-08-22 05:36 - 00000000 __RHD () C:\users\Default
    2015-05-07 12:54 - 2014-12-22 17:58 - 00000000 ____D () C:\Users\Neal\Documents\CyberLink
    2015-05-07 12:54 - 2014-11-05 11:25 - 00000000 ____D () C:\Users\Neal\Desktop\noelle
    2015-05-07 12:54 - 2014-09-30 12:50 - 00000000 ____D () C:\Users\Neal\Desktop\Master bath
    2015-05-07 12:54 - 2014-09-27 05:39 - 00000000 ____D () C:\Users\Neal\Desktop\RN Liscense
    2015-05-07 12:54 - 2014-09-13 11:40 - 00000000 ____D () C:\Users\Neal\Desktop\Hurst Review
    2015-05-07 12:54 - 2014-09-03 05:33 - 00000000 ____D () C:\Users\Neal\Desktop\STVE
    2015-05-07 12:54 - 2014-08-17 22:43 - 00000000 ____D () C:\Users\Neal\Desktop\General Sciencev2-MP3
    2015-05-07 12:54 - 2014-08-17 21:52 - 00000000 ____D () C:\Users\Neal\.javaws
    2015-05-07 12:53 - 2014-09-11 16:09 - 00000000 __SHD () C:\Recovery
    2015-05-07 12:53 - 2014-09-11 13:17 - 00000000 ____D () C:\ProgramData\AMD
    2015-05-07 12:53 - 2014-09-11 13:16 - 00000000 ____D () C:\ProgramData\Package Cache
    2015-05-07 12:53 - 2014-09-08 04:29 - 00000000 ____D () C:\ProgramData\lx_Cats
    2015-05-07 12:53 - 2014-08-18 17:50 - 00000000 ____D () C:\ProgramData\QuickTime
    2015-05-07 12:53 - 2014-08-18 10:14 - 00000000 ____D () C:\ProgramData\Mozilla
    2015-05-07 12:53 - 2014-07-11 11:35 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\ATI
    2015-05-07 12:53 - 2014-07-11 11:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\ATI
    2015-05-07 12:53 - 2014-07-11 11:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\AMD
    2015-05-07 12:53 - 2014-07-11 11:35 - 00000000 ____D () C:\ProgramData\ATI
    2015-05-07 12:53 - 2014-07-11 11:24 - 00000000 ____D () C:\ProgramData\Norton
    2015-05-07 12:53 - 2014-07-11 11:16 - 00000000 ____D () C:\ProgramData\CyberLink
    2015-05-07 12:53 - 2014-07-11 11:00 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Downloaded Installations
    2015-05-07 12:53 - 2014-07-11 10:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Synaptics
    2015-05-07 12:53 - 2014-07-11 10:56 - 00000000 ____D () C:\ProgramData\Synaptics
    2015-05-07 12:53 - 2014-07-11 10:53 - 00000000 ____D () C:\ProgramData\Qualcomm Atheros
    2015-05-07 12:53 - 2014-07-11 10:52 - 00000000 ____D () C:\ProgramData\Apple
    2015-05-07 12:53 - 2012-10-29 18:18 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\FFSJ
    2015-05-07 12:53 - 2012-10-29 18:16 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Hewlett-Packard
    2015-05-07 12:53 - 2012-10-29 18:16 - 00000000 ____D () C:\ProgramData\WildTangent
    2015-05-07 12:53 - 2012-10-29 18:10 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
    2015-05-07 12:53 - 2012-10-29 18:06 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Windows Live
    2015-05-07 12:53 - 2012-10-29 18:06 - 00000000 ____D () C:\ProgramData\Microsoft SkyDrive
    2015-05-07 12:53 - 2012-10-29 17:58 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\hpqLog
    2015-05-07 12:53 - 2012-10-29 17:58 - 00000000 ____D () C:\ProgramData\install_clap
    2015-05-07 12:53 - 2012-10-29 17:55 - 00000000 ___HD () C:\Users\Administrator\Documents\hp.system.package.metadata
    2015-05-07 12:53 - 2012-08-03 16:02 - 00000000 __RHD () C:\SYSTEM.SAV
    2015-05-07 12:53 - 2012-08-03 16:02 - 00000000 ____D () C:\SWSetup
    2015-05-07 12:53 - 2012-08-03 14:29 - 00000000 ____D () C:\ProgramData\PRICache
    2015-05-07 12:53 - 2012-08-03 14:28 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
    2015-05-07 12:52 - 2014-09-11 15:59 - 00000000 ____D () C:\inetpub
    2015-05-07 12:52 - 2014-09-11 13:12 - 00000000 ____D () C:\AMD
    2015-05-07 12:52 - 2014-08-18 11:51 - 00000000 ___HD () C:\$SysReset
    2015-05-07 11:06 - 2013-08-22 06:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-05-07 11:00 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\sru
    2015-05-07 10:59 - 2014-09-11 14:08 - 00000000 __RDO () C:\Users\Neal\OneDrive
    2015-05-07 10:58 - 2013-08-22 06:46 - 00422594 _____ () C:\Windows\setupact.log
    2015-05-07 10:54 - 2012-10-29 18:07 - 00000000 ___RD () C:\Users\Administrator\SkyDrive
    2015-05-07 10:25 - 2014-09-08 16:54 - 00007332 _____ () C:\Users\Neal\Desktop\double barn doors.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:47 - 00009396 _____ () C:\Users\Neal\Desktop\tile size.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:45 - 00005972 _____ () C:\Users\Neal\Desktop\barn door.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:38 - 00006772 _____ () C:\Users\Neal\Desktop\imagesCAVYFP72.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:35 - 00009460 _____ () C:\Users\Neal\Desktop\imagesCA7CH076.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:30 - 00007556 _____ () C:\Users\Neal\Desktop\imagesCASKJVS5.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:22 - 00008660 _____ () C:\Users\Neal\Desktop\stone shower.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:19 - 00072372 _____ () C:\Users\Neal\Desktop\Nice-Rustic-Wooden-Look-in-Western-Style-Bathroom-Interior.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:14 - 00021940 _____ () C:\Users\Neal\Desktop\stoneshowers3.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:13 - 00126212 _____ () C:\Users\Neal\Desktop\shower-designs_stone.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:11 - 00145892 _____ () C:\Users\Neal\Desktop\bathroom-natural-cream-small-bathroom-renovation-idea-with-cream-stone-wall-colorful-border-and-shower-nice-small-bathroom-renovation-ideas-972x650.jpg.ezz
    2015-05-07 10:25 - 2014-09-08 16:06 - 00042676 _____ () C:\Users\Neal\Desktop\thumb4_wlshower.jpg.ezz
    2015-05-07 10:25 - 2014-08-17 20:39 - 10782340 _____ () C:\Users\Neal\Documents\9781616251185_ApologiaExploringCreationWithG.pdf.ezz
    2015-05-07 10:25 - 2014-08-17 20:35 - 24867156 _____ () C:\Users\Neal\Desktop\9781616251345_ApologiaExploringCreationWithB.pdf.ezz
    2015-05-07 10:25 - 2014-08-17 18:22 - 10782340 _____ () C:\Users\Neal\Desktop\9781616251185_ApologiaExploringCreationWithG.pdf.ezz
    2015-05-07 10:25 - 2014-07-11 13:24 - 01440996 _____ () C:\Users\Neal\Desktop\CRCS Handbook.pdf.ezz
    2015-05-07 10:13 - 2015-01-08 23:01 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4105420370-3369507210-3028615837-1004
    2015-05-07 09:47 - 2015-01-08 22:59 - 00000000 ___RD () C:\Users\Noelle\OneDrive
    2015-05-06 22:07 - 2015-01-08 22:55 - 00003942 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{C556DA80-233A-4939-81B7-D4F612CB4826}
    2015-05-05 11:31 - 2012-10-29 17:58 - 00000000 ____D () C:\ProgramData\Temp
    2015-05-05 11:30 - 2014-08-18 09:58 - 00000164 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz
    2015-05-05 11:21 - 2012-08-03 14:28 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Packages
    2015-05-05 11:18 - 2014-03-18 01:45 - 00000000 ____D () C:\Program Files\Windows Journal
    2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\WindowsPowerShell
    2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Windows Portable Devices
    2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
    2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Windows Multimedia Platform
    2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Windows Defender
    2015-05-05 11:17 - 2014-09-11 13:12 - 00000000 ____D () C:\Program Files\Common Files\ATI Technologies
    2015-05-05 11:17 - 2014-07-11 10:52 - 00000000 ____D () C:\Program Files\Bonjour
    2015-05-05 11:17 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Common Files\Services
    2015-05-05 11:17 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
    2015-05-05 11:17 - 2012-09-18 18:56 - 00000000 ____D () C:\Program Files\Hewlett-Packard
    2015-05-04 23:16 - 2012-10-29 18:16 - 00000000 ____D () C:\Program Files (x86)\WildTangent Games
    2015-05-04 12:46 - 2014-08-15 06:06 - 00000000 ____D () C:\Users\Public\Documents\TT Algebra 1
    2015-05-03 12:12 - 2015-03-16 09:27 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\Mozilla
    2015-05-03 12:12 - 2015-01-21 10:05 - 00000000 ____D () C:\Users\Noelle\Documents\CyberLink
    2015-05-03 12:12 - 2015-01-08 22:57 - 00000000 ____D () C:\Users\Noelle\AppData\Local\AMD
    2015-05-03 12:12 - 2015-01-08 22:55 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\Adobe
    2015-05-03 12:10 - 2014-08-18 10:15 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Mozilla
    2015-05-03 12:10 - 2014-08-18 10:00 - 00000000 ____D () C:\Users\Neal\AppData\Local\AMD
    2015-05-03 12:10 - 2014-08-18 09:58 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Hewlett-Packard
    2015-05-03 12:10 - 2014-08-18 09:56 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Adobe
    2015-05-03 12:10 - 2014-08-18 09:53 - 00000000 ____D () C:\Users\Neal\AppData\Local\Power2Go8
    2015-04-20 10:56 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\rescache
    2015-04-18 17:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\AppCompat
    2015-04-17 06:52 - 2014-03-18 02:03 - 00956480 _____ () C:\Windows\System32\PerfStringBackup.INI
    2015-04-17 06:45 - 2015-03-29 18:04 - 00000000 ___SD () C:\Windows\System32\CompatTel
    2015-04-14 17:35 - 2014-08-22 21:19 - 00000000 ____D () C:\Windows\System32\MRT
    2015-04-14 17:33 - 2014-08-22 21:19 - 128913832 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2015-04-14 17:33 - 2012-07-25 23:59 - 00000000 ____D () C:\Windows\CbsTemp

    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe
    [2015-03-16 09:59] - [2014-10-28 17:22] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437

    C:\Windows\System32\wininit.exe
    [2015-03-16 09:57] - [2014-10-28 17:25] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380

    C:\Windows\explorer.exe
    [2015-03-11 08:44] - [2015-01-27 15:47] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88

    C:\Windows\SysWOW64\explorer.exe
    [2015-03-11 08:44] - [2015-01-27 15:41] - 2207488 ____A (Microsoft Corporation) 91E24273FCA076EA9E65DAFA98901225

    C:\Windows\System32\svchost.exe
    [2015-03-16 09:57] - [2014-10-28 20:11] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47

    C:\Windows\SysWOW64\svchost.exe
    [2015-03-16 09:57] - [2014-10-28 19:17] - 0033088 ____A (Microsoft Corporation) D0ABC231C0B3E88C6B612B28ABBF734D

    C:\Windows\System32\services.exe
    [2015-03-16 10:00] - [2014-10-28 19:53] - 0411128 ____A (Microsoft Corporation) 5BF02EBEFEDC706318C96E2E60EDCB91

    C:\Windows\System32\User32.dll
    [2015-03-16 10:02] - [2014-10-28 20:00] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

    C:\Windows\SysWOW64\User32.dll
    [2015-03-16 10:02] - [2014-10-28 17:04] - 1376256 ____A (Microsoft Corporation) 76C5CF09F53A3B089B5581B9938F8CAE

    C:\Windows\System32\userinit.exe
    [2015-03-16 09:57] - [2014-10-28 17:28] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F

    C:\Windows\SysWOW64\userinit.exe
    [2015-03-16 09:57] - [2014-10-28 17:05] - 0022528 ____A (Microsoft Corporation) D10643FC0095434C819316CA6CD748C0

    C:\Windows\System32\rpcss.dll
    [2015-03-16 10:01] - [2014-10-28 17:19] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00

    ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== Restore Points =========================

    Restore point made on: 2015-04-27 10:21:09
    Restore point made on: 2015-04-27 10:21:15
    Restore point made on: 2015-04-27 10:21:16
    Restore point made on: 2015-04-27 10:21:17
    Restore point made on: 2015-04-27 10:21:25
    Restore point made on: 2015-04-27 10:21:27

    ==================== Memory info ===========================

    Percentage of memory in use: 21%
    Total physical RAM: 3554.26 MB
    Available physical RAM: 2800.33 MB
    Total Pagefile: 3554.26 MB
    Available Pagefile: 2822.92 MB
    Total Virtual: 131072 MB
    Available Virtual: 131071.88 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:565.37 GB) (Free:523.59 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive d: (RECOVERY) (Fixed) (Total:29.6 GB) (Free:3.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive f: () (Removable) (Total:0.49 GB) (Free:0.31 GB) FAT
    Drive g: () (Fixed) (Total:0.44 GB) (Free:0.11 GB) NTFS
    Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 596.2 GB) (Disk ID: 4FBE1E19)

    Partition: GPT Partition Type.

    ========================================================
    Disk: 1 (Size: 498.1 MB) (Disk ID: 0006736D)
    Partition 1: (Active) - (Size=498 MB) - (Type=0E)


    LastRegBack: 2015-05-03 12:35

    ==================== End Of Log ============================
  8. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot normally.

    Attached Files:

  9. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2015 01
    Ran by SYSTEM at 2015-05-08 11:41:27 Run:2
    Running from f:\
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    HKLM-x32\...\Run: [toteke] => "C:\Users\Neal\AppData\Local\toteke\toteke.exe"
    HKLM-x32\...\Run: [AVrSvc] => C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    Winlogon\Notify\udsfurd-x32: C:\Users\Neal\AppData\Local\udsfurd.dll [X]
    C:\Users\Neal\AppData\Local\toteke\toteke.exe
    C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    HKLM\...\Policies\Explorer\Run: [toteke] => "C:\Users\Neal\AppData\Local\toteke\toteke.exe"
    HKU\Neal\...\Run: [Ogics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Neal\AppData\Local\AVNworks\kddxetxs.dll
    HKU\Neal\...\Run: [AVrSvc] => C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    HKU\Neal\...\Run: [a9e1cba] => C:\a9e1cbaf\a9e1cbaf.exe
    HKU\Neal\...\Run: [a9e1cbaf] => C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
    C:\Users\Neal\AppData\Local\AVNworks\kddxetxs.dll
    C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
    C:\a9e1cbaf\a9e1cbaf.exe
    C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
    Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt [2015-05-05] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe [2015-05-07] ( )
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-03] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG [2015-05-03] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT [2015-05-03] ()
    InternetURL: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.gigapaysun.com/1sL7j4w
    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL
    2015-05-02 14:50 - 2015-05-02 14:50 - 00000000 ____D () C:\Users\Neal\AppData\Local\Onics
    2015-05-02 14:50 - 2015-05-02 14:50 - 00000000 ____D () C:\Users\Neal\AppData\Local\AVNworks

    *****************

    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\toteke => value deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AVrSvc => value deleted successfully.
    "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\udsfurd" => Key deleted successfully.
    "C:\Users\Neal\AppData\Local\toteke\toteke.exe" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\rkdvuiw.exe" => File/Directory not found.
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\toteke => value deleted successfully.
    HKU\Neal\Software\Microsoft\Windows\CurrentVersion\Run\\Ogics => value deleted successfully.
    HKU\Neal\Software\Microsoft\Windows\CurrentVersion\Run\\AVrSvc => value deleted successfully.
    HKU\Neal\Software\Microsoft\Windows\CurrentVersion\Run\\a9e1cba => value deleted successfully.
    HKU\Neal\Software\Microsoft\Windows\CurrentVersion\Run\\a9e1cbaf => value deleted successfully.
    C:\Users\Neal\AppData\Local\AVNworks\kddxetxs.dll => Moved successfully.
    "C:\Users\Neal\AppData\Roaming\rkdvuiw.exe" => File/Directory not found.
    "C:\a9e1cbaf\a9e1cbaf.exe" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe" => File/Directory not found.
    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt => Moved successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe => Moved successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
    "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL" => File/Directory not found.
    C:\Users\Neal\AppData\Local\Onics => Moved successfully.
    C:\Users\Neal\AppData\Local\AVNworks => Moved successfully.

    ==== End of Fixlog 11:41:38 ====
  10. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    See if you can boot normally.
  11. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    So far so good. Booted in normal mode. Created a test text doc. It is not encrypted. Has not yet hibernated or rebooted itself.
  12. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please download Farbar Recovery Scan Tool and save it to your Desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please copy and paste it to your reply.
  13. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Wow, that took forever, and it's back.
    I downloaded Farbar in normal mode and scanned. Next post will be the FRST log, then the Addition log.
  14. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2015 01
    Ran by Neal (administrator) on HOMESCHOOL1 on 08-05-2015 12:55:29
    Running from C:\Users\Neal\Desktop
    Loaded Profiles: Neal (Available profiles: Neal & Sean & Noelle & Administrator)
    Platform: Windows 8.1 (X64) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (AMD) C:\Windows\System32\atiesrxx.exe
    (AMD) C:\Windows\System32\atieclxx.exe
    (IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
    (Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
    (Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Microsoft Corporation) C:\Windows\System32\dasHost.exe
    (Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    (IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
    (Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    (Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    (Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
    (CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
    (CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
    (Apple Computer, Inc.) C:\Program Files (x86)\QuickTime\qttask.exe
    (ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    (Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
    (WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
    (Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
    (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Local\Temp\8FB3.tmp
    (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
    () C:\Users\Neal\AppData\Local\Temp\9FD4.tmp
    (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    (Microsoft Corporation) C:\Windows\System32\msiexec.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Windows\System32\msiexec.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\logagent.exe
    (Microsoft Corporation) C:\Windows\System32\msiexec.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
    (Microsoft Corporation) C:\Windows\System32\wermgr.exe
    (Microsoft Corporation) C:\Windows\System32\cmd.exe
    (Microsoft Corporation) C:\Windows\System32\cmd.exe
    (Microsoft Corporation) C:\Windows\System32\msiexec.exe
    (Microsoft Corporation) C:\Windows\System32\msiexec.exe
    Failed to access process -> HPConnectedRemoteService.exe
    (Microsoft Corporation) C:\Windows\System32\WerFault.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Failed to access process -> HPConnectedRemoteService.exe
    (Microsoft Corporation) C:\Windows\System32\WerFault.exe
    Failed to access process -> HPConnectedRemoteService.exe
    (Microsoft Corporation) C:\Windows\System32\WerFault.exe
    Failed to access process -> HPConnectedRemoteService.exe
    (Microsoft Corporation) C:\Windows\System32\WerFault.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\dvdupgrd.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\dllhst3g.exe
    (Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe
    (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20413_x64__8wekyb3d8bbwe\livecomm.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\NAPSTAT.EXE
    (Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1664000 2012-08-20] (IDT, Inc.)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916152 2012-08-24] (Synaptics Incorporated)
    HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491632 2012-09-10] (CyberLink Corp.)
    HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [93296 2012-07-13] (CyberLink Corp.)
    HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [581024 2012-09-07] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1342008 2012-09-14] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\qttask.exe [77824 2014-08-18] (Apple Computer, Inc.)
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [AVNworks] => C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [udsfurd] => rundll32 "C:\Users\Neal\AppData\Local\udsfurd.dll",udsfurd <===== ATTENTION
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [BluetoothManager] => rundll32.exe "%appdata%\Microsoft\bstack.dll",bs_init
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("qvnoq7<odv!@buhwdYNckdbu)#VRbshq (the data entry has 27907 more characters). <==== Poweliks!
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-08] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG [2015-05-08] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT [2015-05-08] ()
    InternetURL: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.gigapaysun.com/1sL7j4w
    ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT13/1
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT13/1
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT13/1
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT13/1
    SearchScopes: HKLM -> {72A94EC8-3F90-47F1-9886-E2A151F94BD1} URL = http://www.amazon.com/s/ref=azs_osd...ode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
    SearchScopes: HKLM-x32 -> {72A94EC8-3F90-47F1-9886-E2A151F94BD1} URL = http://www.amazon.com/s/ref=azs_osd...ode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
    SearchScopes: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002 -> {72A94EC8-3F90-47F1-9886-E2A151F94BD1} URL = http://www.amazon.com/s/ref=azs_osd...ode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
    BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll No File
    Toolbar: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll [2012-08-08] (Adobe Systems, Inc.)
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3503.0728 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-07-28] (Microsoft Corporation)
    FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2014-11-14] ()
    FF Extension: Windows Script Host Shell Object - C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F} [2015-05-02]

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-07-04] (Advanced Micro Devices, Inc.) [File not signed]
    S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
    R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [373312 2015-04-14] (WildTangent)
    R2 HPConnectedRemote; C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [35744 2012-10-12] (Hewlett-Packard)
    R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2451456 2012-07-13] (Realsil Microelectronics Inc.) [File not signed]
    S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-09-11] (Microsoft Corporation)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-09-20] (Advanced Micro Devices)
    R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [91648 2012-08-21] (Advanced Micro Devices)
    R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
    R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [269968 2012-07-03] (Realtek Semiconductor Corp.)
    S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [41272 2012-08-24] (Synaptics Incorporated)
    S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [43832 2012-08-24] (Synaptics Incorporated)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
    R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-05-08 12:55 - 2015-05-08 13:03 - 00013856 _____ () C:\Users\Neal\Desktop\FRST.txt
    2015-05-08 12:54 - 2015-05-08 12:49 - 02102272 _____ (Farbar) C:\Users\Neal\Desktop\FRST64.exe
    2015-05-08 12:49 - 2015-05-08 12:53 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Local Store
    2015-05-08 12:48 - 2015-05-08 12:48 - 00008602 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.HTML
    2015-05-08 12:48 - 2015-05-08 12:48 - 00000284 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.URL
    2015-05-08 12:47 - 2015-05-08 12:47 - 00008602 _____ () C:\Users\Neal\HELP_DECRYPT.HTML
    2015-05-08 12:47 - 2015-05-08 12:47 - 00004244 _____ () C:\Users\Neal\HELP_DECRYPT.TXT
    2015-05-08 12:47 - 2015-05-08 12:47 - 00004244 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.TXT
    2015-05-08 12:47 - 2015-05-08 12:47 - 00000284 _____ () C:\Users\Neal\HELP_DECRYPT.URL
    2015-05-08 12:45 - 2015-05-08 12:49 - 02102272 _____ (Farbar) C:\Users\Neal\Downloads\FRST64.exe
    2015-05-08 12:45 - 2015-05-08 12:45 - 00008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-08 12:45 - 2015-05-08 12:45 - 00008602 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.HTML
    2015-05-08 12:45 - 2015-05-08 12:45 - 00004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-08 12:45 - 2015-05-08 12:45 - 00004244 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.TXT
    2015-05-08 12:45 - 2015-05-08 12:45 - 00000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-08 12:45 - 2015-05-08 12:45 - 00000284 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.URL
    2015-05-08 12:41 - 2015-05-08 12:41 - 00061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
    2015-05-08 12:40 - 2015-05-08 12:40 - 01141248 _____ (Farbar) C:\Users\Neal\Downloads\FRST.exe
    2015-05-08 12:40 - 2015-05-08 12:40 - 00051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
    2015-05-08 11:48 - 2015-05-08 11:48 - 00000288 _____ () C:\Users\Neal\Desktop\test.txt
    2015-05-08 11:45 - 2015-05-08 11:45 - 00000000 ____D () C:\HP
    2015-05-07 15:19 - 2015-05-08 12:56 - 00000000 ____D () C:\FRST
    2015-05-07 14:06 - 2015-05-07 14:06 - 00000000 ____D () C:\WINDOWS\pss
    2015-05-07 11:46 - 2015-05-07 11:46 - 00000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
    2015-05-05 14:10 - 2015-05-08 12:43 - 00000000 ___HD () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
    2015-05-05 02:17 - 2015-05-07 15:53 - 00000000 ____D () C:\ProgramData\BlueStacks
    2015-05-04 22:12 - 2015-05-04 22:12 - 00000000 ____D () C:\Users\Noelle\Documents\julius caesar
    2015-04-17 09:45 - 2015-04-17 09:45 - 00000000 ____D () C:\WINDOWS\system32\appraiser
    2015-04-14 19:50 - 2015-03-23 16:59 - 07476032 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
    2015-04-14 19:50 - 2015-03-23 16:59 - 01733952 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
    2015-04-14 19:50 - 2015-03-23 16:59 - 00360480 _____ (Microsoft Corporation) C:\WINDOWS\system32\sechost.dll
    2015-04-14 19:50 - 2015-03-23 16:58 - 01498872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
    2015-04-14 19:50 - 2015-03-23 16:45 - 00257216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sechost.dll
    2015-04-14 19:50 - 2015-03-19 23:12 - 00246272 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
    2015-04-14 19:50 - 2015-03-19 23:10 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
    2015-04-14 19:50 - 2015-03-19 23:10 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
    2015-04-14 19:50 - 2015-03-19 22:17 - 00411648 _____ (Microsoft Corporation) C:\WINDOWS\system32\tracerpt.exe
    2015-04-14 19:50 - 2015-03-19 21:41 - 00369152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tracerpt.exe
    2015-04-14 19:50 - 2015-03-19 21:40 - 00950784 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdh.dll
    2015-04-14 19:50 - 2015-03-19 21:16 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdh.dll
    2015-04-14 19:50 - 2015-03-14 03:20 - 01385256 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
    2015-04-14 19:50 - 2015-03-14 03:13 - 01124352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll
    2015-04-14 19:50 - 2015-03-12 23:32 - 24980480 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
    2015-04-14 19:50 - 2015-03-12 22:50 - 06025216 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
    2015-04-14 19:50 - 2015-03-12 22:42 - 19695616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
    2015-04-14 19:50 - 2015-03-12 22:00 - 14397440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
    2015-04-14 19:50 - 2015-03-12 21:58 - 00259072 _____ (Microsoft Corporation) C:\WINDOWS\system32\pku2u.dll
    2015-04-14 19:50 - 2015-03-12 21:49 - 04305408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
    2015-04-14 19:50 - 2015-03-12 21:37 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\pku2u.dll
    2015-04-14 19:50 - 2015-02-20 18:49 - 00780800 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsm.dll
    2015-04-14 19:49 - 2015-03-22 17:45 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll
    2015-04-14 19:49 - 2015-03-22 17:09 - 01111552 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
    2015-04-14 19:49 - 2015-03-22 17:09 - 00957440 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
    2015-04-14 19:49 - 2015-03-22 17:09 - 00769024 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
    2015-04-14 19:49 - 2015-03-22 17:09 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
    2015-04-14 19:49 - 2015-03-22 17:09 - 00419328 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
    2015-04-14 19:49 - 2015-03-22 17:09 - 00030720 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
    2015-04-14 19:49 - 2015-03-14 03:54 - 00133256 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
    2015-04-14 19:49 - 2015-03-13 20:56 - 00066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
    2015-04-14 19:49 - 2015-03-13 20:56 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
    2015-04-14 19:49 - 2015-03-13 20:51 - 00015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wu.upgrade.ps.dll
    2015-04-14 19:49 - 2015-03-13 20:37 - 00267264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSetupUI.dll
    2015-04-14 19:49 - 2015-03-13 20:14 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
    2015-04-14 19:49 - 2015-03-13 19:22 - 03678720 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
    2015-04-14 19:49 - 2015-03-13 19:12 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
    2015-04-14 19:49 - 2015-03-13 19:12 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
    2015-04-14 19:49 - 2015-03-13 19:09 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
    2015-04-14 19:49 - 2015-03-13 19:08 - 00408064 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
    2015-04-14 19:49 - 2015-03-13 19:08 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
    2015-04-14 19:49 - 2015-03-13 19:06 - 02373632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
    2015-04-14 19:49 - 2015-03-13 19:06 - 00891392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
    2015-04-14 19:49 - 2015-03-13 19:02 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
    2015-04-14 19:49 - 2015-03-13 19:02 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
    2015-04-14 19:49 - 2015-03-13 18:59 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
    2015-04-14 19:49 - 2015-03-13 18:59 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
    2015-04-14 19:49 - 2015-03-12 23:08 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
    2015-04-14 19:49 - 2015-03-12 23:07 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
    2015-04-14 19:49 - 2015-03-12 22:53 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
    2015-04-14 19:49 - 2015-03-12 22:28 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
    2015-04-14 19:49 - 2015-03-12 22:26 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
    2015-04-14 19:49 - 2015-03-12 22:22 - 02278400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
    2015-04-14 19:49 - 2015-03-12 22:17 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
    2015-04-14 19:49 - 2015-03-12 22:16 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
    2015-04-14 19:49 - 2015-03-12 22:08 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
    2015-04-14 19:49 - 2015-03-12 22:07 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
    2015-04-14 19:49 - 2015-03-12 21:50 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
    2015-04-14 19:49 - 2015-03-12 21:45 - 02358784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
    2015-04-14 19:49 - 2015-03-12 21:44 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
    2015-04-14 19:49 - 2015-03-12 21:34 - 12825600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
    2015-04-14 19:49 - 2015-03-12 21:33 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
    2015-04-14 19:49 - 2015-03-12 21:22 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
    2015-04-14 19:49 - 2015-03-12 21:20 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
    2015-04-14 19:49 - 2015-03-12 21:16 - 01311232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
    2015-04-14 19:49 - 2015-03-12 21:14 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
    2015-04-14 19:49 - 2015-03-04 05:25 - 00377152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\clfs.sys
    2015-04-14 19:49 - 2015-03-03 22:04 - 00075264 _____ (Microsoft Corporation) C:\WINDOWS\system32\clfsw32.dll
    2015-04-14 19:49 - 2015-03-03 21:19 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\clfsw32.dll
    2015-04-14 19:49 - 2015-02-24 03:32 - 00991552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
    2015-04-14 19:49 - 2014-12-02 18:09 - 00192000 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
    2015-04-08 12:05 - 2015-04-08 12:06 - 00000000 ___SD () C:\WINDOWS\system32\GWX
    2015-04-08 12:05 - 2015-04-08 12:05 - 00000000 ___SD () C:\WINDOWS\SysWOW64\GWX

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-05-08 13:00 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\system32\sru
    2015-05-08 12:47 - 2014-09-11 16:28 - 00000000 ____D () C:\Users\Neal
    2015-05-08 12:38 - 2014-09-11 17:08 - 00000000 __RDO () C:\Users\Neal\OneDrive
    2015-05-08 12:37 - 2013-08-22 09:46 - 00422748 _____ () C:\WINDOWS\setupact.log
    2015-05-08 12:37 - 2013-08-22 09:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2015-05-08 12:37 - 2013-08-22 08:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
    2015-05-08 11:55 - 2014-08-18 12:57 - 00003934 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{E6DB391A-67E2-49DF-ADDD-A578345A07FB}
    2015-05-08 09:17 - 2014-09-11 16:13 - 01818681 _____ () C:\WINDOWS\WindowsUpdate.log
    2015-05-08 08:50 - 2014-03-18 04:54 - 00055204 _____ () C:\WINDOWS\PFRO.log
    2015-05-08 08:48 - 2014-09-11 16:28 - 00000000 ____D () C:\Users\Noelle
    2015-05-08 08:48 - 2014-09-11 16:28 - 00000000 ____D () C:\Users\Administrator
    2015-05-08 08:48 - 2013-08-22 08:36 - 00000000 __RHD () C:\Users\Default
    2015-05-07 15:54 - 2014-12-22 20:58 - 00000000 ____D () C:\Users\Neal\Documents\CyberLink
    2015-05-07 15:54 - 2014-11-05 14:25 - 00000000 ____D () C:\Users\Neal\Desktop\noelle
    2015-05-07 15:54 - 2014-09-30 15:50 - 00000000 ____D () C:\Users\Neal\Desktop\Master bath
    2015-05-07 15:54 - 2014-09-27 08:39 - 00000000 ____D () C:\Users\Neal\Desktop\RN Liscense
    2015-05-07 15:54 - 2014-09-13 14:40 - 00000000 ____D () C:\Users\Neal\Desktop\Hurst Review
    2015-05-07 15:54 - 2014-09-03 08:33 - 00000000 ____D () C:\Users\Neal\Desktop\STVE
    2015-05-07 15:54 - 2014-08-18 01:43 - 00000000 ____D () C:\Users\Neal\Desktop\General Sciencev2-MP3
    2015-05-07 15:54 - 2014-08-18 00:52 - 00000000 ____D () C:\Users\Neal\.javaws
    2015-05-07 15:53 - 2014-09-11 19:09 - 00000000 __SHD () C:\Recovery
    2015-05-07 15:53 - 2014-09-11 16:17 - 00000000 ____D () C:\ProgramData\AMD
    2015-05-07 15:53 - 2014-09-11 16:16 - 00000000 ____D () C:\ProgramData\Package Cache
    2015-05-07 15:53 - 2014-09-08 07:29 - 00000000 ____D () C:\ProgramData\lx_Cats
    2015-05-07 15:53 - 2014-08-18 20:50 - 00000000 ____D () C:\ProgramData\QuickTime
    2015-05-07 15:53 - 2014-08-18 13:14 - 00000000 ____D () C:\ProgramData\Mozilla
    2015-05-07 15:53 - 2014-07-11 14:35 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\ATI
    2015-05-07 15:53 - 2014-07-11 14:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\ATI
    2015-05-07 15:53 - 2014-07-11 14:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\AMD
    2015-05-07 15:53 - 2014-07-11 14:35 - 00000000 ____D () C:\ProgramData\ATI
    2015-05-07 15:53 - 2014-07-11 14:24 - 00000000 ____D () C:\ProgramData\Norton
    2015-05-07 15:53 - 2014-07-11 14:16 - 00000000 ____D () C:\ProgramData\CyberLink
    2015-05-07 15:53 - 2014-07-11 14:00 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Downloaded Installations
    2015-05-07 15:53 - 2014-07-11 13:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Synaptics
    2015-05-07 15:53 - 2014-07-11 13:56 - 00000000 ____D () C:\ProgramData\Synaptics
    2015-05-07 15:53 - 2014-07-11 13:53 - 00000000 ____D () C:\ProgramData\Qualcomm Atheros
    2015-05-07 15:53 - 2014-07-11 13:52 - 00000000 ____D () C:\ProgramData\Apple
    2015-05-07 15:53 - 2012-10-29 21:18 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\FFSJ
    2015-05-07 15:53 - 2012-10-29 21:16 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Hewlett-Packard
    2015-05-07 15:53 - 2012-10-29 21:16 - 00000000 ____D () C:\ProgramData\WildTangent
    2015-05-07 15:53 - 2012-10-29 21:10 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
    2015-05-07 15:53 - 2012-10-29 21:06 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Windows Live
    2015-05-07 15:53 - 2012-10-29 21:06 - 00000000 ____D () C:\ProgramData\Microsoft SkyDrive
    2015-05-07 15:53 - 2012-10-29 20:58 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\hpqLog
    2015-05-07 15:53 - 2012-10-29 20:58 - 00000000 ____D () C:\ProgramData\install_clap
    2015-05-07 15:53 - 2012-10-29 20:55 - 00000000 ___HD () C:\Users\Administrator\Documents\hp.system.package.metadata
    2015-05-07 15:53 - 2012-08-03 19:02 - 00000000 __RHD () C:\SYSTEM.SAV
    2015-05-07 15:53 - 2012-08-03 19:02 - 00000000 ____D () C:\SWSetup
    2015-05-07 15:53 - 2012-08-03 17:29 - 00000000 ____D () C:\ProgramData\PRICache
    2015-05-07 15:53 - 2012-08-03 17:28 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
    2015-05-07 15:52 - 2014-09-11 18:59 - 00000000 ____D () C:\inetpub
    2015-05-07 15:52 - 2014-09-11 16:12 - 00000000 ____D () C:\AMD
    2015-05-07 15:52 - 2014-08-18 14:51 - 00000000 ___HD () C:\$SysReset
    2015-05-07 13:54 - 2012-10-29 21:07 - 00000000 ___RD () C:\Users\Administrator\SkyDrive
    2015-05-07 13:25 - 2014-09-08 19:54 - 00007332 _____ () C:\Users\Neal\Desktop\double barn doors.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:47 - 00009396 _____ () C:\Users\Neal\Desktop\tile size.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:45 - 00005972 _____ () C:\Users\Neal\Desktop\barn door.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:38 - 00006772 _____ () C:\Users\Neal\Desktop\imagesCAVYFP72.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:35 - 00009460 _____ () C:\Users\Neal\Desktop\imagesCA7CH076.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:30 - 00007556 _____ () C:\Users\Neal\Desktop\imagesCASKJVS5.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:22 - 00008660 _____ () C:\Users\Neal\Desktop\stone shower.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:19 - 00072372 _____ () C:\Users\Neal\Desktop\Nice-Rustic-Wooden-Look-in-Western-Style-Bathroom-Interior.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:14 - 00021940 _____ () C:\Users\Neal\Desktop\stoneshowers3.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:13 - 00126212 _____ () C:\Users\Neal\Desktop\shower-designs_stone.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:11 - 00145892 _____ () C:\Users\Neal\Desktop\bathroom-natural-cream-small-bathroom-renovation-idea-with-cream-stone-wall-colorful-border-and-shower-nice-small-bathroom-renovation-ideas-972x650.jpg.ezz
    2015-05-07 13:25 - 2014-09-08 19:06 - 00042676 _____ () C:\Users\Neal\Desktop\thumb4_wlshower.jpg.ezz
    2015-05-07 13:25 - 2014-08-17 23:39 - 10782340 _____ () C:\Users\Neal\Documents\9781616251185_ApologiaExploringCreationWithG.pdf.ezz
    2015-05-07 13:25 - 2014-08-17 23:35 - 24867156 _____ () C:\Users\Neal\Desktop\9781616251345_ApologiaExploringCreationWithB.pdf.ezz
    2015-05-07 13:25 - 2014-08-17 21:22 - 10782340 _____ () C:\Users\Neal\Desktop\9781616251185_ApologiaExploringCreationWithG.pdf.ezz
    2015-05-07 13:25 - 2014-07-11 16:24 - 01440996 _____ () C:\Users\Neal\Desktop\CRCS Handbook.pdf.ezz
    2015-05-07 13:13 - 2015-01-09 02:01 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4105420370-3369507210-3028615837-1004
    2015-05-07 12:47 - 2015-01-09 01:59 - 00000000 ___RD () C:\Users\Noelle\OneDrive
    2015-05-07 01:07 - 2015-01-09 01:55 - 00003942 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{C556DA80-233A-4939-81B7-D4F612CB4826}
    2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
    2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
    2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
    2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
    2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
    2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
    2015-05-05 14:31 - 2012-10-29 20:58 - 00000000 ____D () C:\ProgramData\Temp
    2015-05-05 14:30 - 2014-08-18 12:58 - 00000164 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz
    2015-05-05 14:22 - 2014-09-13 14:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
    2015-05-05 14:22 - 2014-09-11 16:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Catalyst Control Center
    2015-05-05 14:22 - 2014-08-18 20:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
    2015-05-05 14:22 - 2014-08-18 20:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Web Start
    2015-05-05 14:22 - 2014-08-18 20:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Rosetta Stone
    2015-05-05 14:22 - 2014-08-18 13:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TT Algebra 1
    2015-05-05 14:22 - 2014-08-18 12:56 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services
    2015-05-05 14:22 - 2014-07-11 14:08 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Communication and Chat
    2015-05-05 14:22 - 2014-07-11 14:00 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Productivity and Tools
    2015-05-05 14:22 - 2014-03-18 04:45 - 00000000 __RHD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tablet PC
    2015-05-05 14:22 - 2013-08-22 10:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools
    2015-05-05 14:22 - 2013-08-22 10:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
    2015-05-05 14:22 - 2013-08-22 10:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility
    2015-05-05 14:22 - 2013-08-22 10:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance
    2015-05-05 14:22 - 2012-10-29 21:17 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
    2015-05-05 14:22 - 2012-10-29 21:13 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
    2015-05-05 14:22 - 2012-10-29 21:02 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security and Protection
    2015-05-05 14:21 - 2014-09-11 16:28 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
    2015-05-05 14:21 - 2014-09-11 16:28 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    2015-05-05 14:21 - 2014-09-11 16:28 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
    2015-05-05 14:21 - 2014-09-11 16:28 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
    2015-05-05 14:21 - 2012-08-03 17:28 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Packages
    2015-05-05 14:18 - 2014-03-18 04:45 - 00000000 ____D () C:\Program Files\Windows Journal
    2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\WindowsPowerShell
    2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Windows Portable Devices
    2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
    2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Windows Multimedia Platform
    2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Windows Defender
    2015-05-05 14:17 - 2014-09-11 16:12 - 00000000 ____D () C:\Program Files\Common Files\ATI Technologies
    2015-05-05 14:17 - 2014-07-11 13:52 - 00000000 ____D () C:\Program Files\Bonjour
    2015-05-05 14:17 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Common Files\Services
    2015-05-05 14:17 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
    2015-05-05 14:17 - 2012-09-18 21:56 - 00000000 ____D () C:\Program Files\Hewlett-Packard
    2015-05-05 02:16 - 2012-10-29 21:16 - 00000000 ____D () C:\Program Files (x86)\WildTangent Games
    2015-05-04 15:46 - 2014-08-15 09:06 - 00000000 ____D () C:\Users\Public\Documents\TT Algebra 1
    2015-05-03 15:12 - 2015-03-16 12:27 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\Mozilla
    2015-05-03 15:12 - 2015-01-21 13:05 - 00000000 ____D () C:\Users\Noelle\Documents\CyberLink
    2015-05-03 15:12 - 2015-01-09 01:57 - 00000000 ____D () C:\Users\Noelle\AppData\Local\AMD
    2015-05-03 15:12 - 2015-01-09 01:55 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\Adobe
    2015-05-03 15:10 - 2014-08-18 13:15 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Mozilla
    2015-05-03 15:10 - 2014-08-18 13:00 - 00000000 ____D () C:\Users\Neal\AppData\Local\AMD
    2015-05-03 15:10 - 2014-08-18 12:58 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Hewlett-Packard
    2015-05-03 15:10 - 2014-08-18 12:56 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Adobe
    2015-05-03 15:10 - 2014-08-18 12:53 - 00000000 ____D () C:\Users\Neal\AppData\Local\Power2Go8
    2015-04-20 13:56 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\rescache
    2015-04-18 20:18 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\AppCompat
    2015-04-17 09:52 - 2014-03-18 05:03 - 00956480 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
    2015-04-17 09:45 - 2015-03-29 21:04 - 00000000 ___SD () C:\WINDOWS\system32\CompatTel
    2015-04-14 20:35 - 2014-08-23 00:19 - 00000000 ____D () C:\WINDOWS\system32\MRT
    2015-04-14 20:33 - 2014-08-23 00:19 - 128913832 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2015-04-14 20:33 - 2012-07-26 02:59 - 00000000 ____D () C:\WINDOWS\CbsTemp

    ==================== Files in the root of some directories =======

    2015-05-08 12:45 - 2015-05-08 12:45 - 0008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-08 12:45 - 2015-05-08 12:45 - 0045579 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG
    2015-05-08 12:45 - 2015-05-08 12:45 - 0004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-08 12:45 - 2015-05-08 12:45 - 0000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-07 11:46 - 2015-05-07 11:46 - 0000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
    2015-05-08 12:40 - 2015-05-08 12:40 - 0051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
    2015-05-07 11:46 - 2015-05-07 11:46 - 0079648 _____ () C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3
    2015-05-08 12:41 - 2015-05-08 12:41 - 0061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
    2014-09-15 20:51 - 2015-02-04 14:46 - 0000342 _____ () C:\ProgramData\lxee.log
    2014-09-25 19:06 - 2015-02-04 15:05 - 0009990 _____ () C:\ProgramData\lxeeJSW.log
    2014-09-08 07:27 - 2015-02-04 14:46 - 0000392 _____ () C:\ProgramData\lxeescan.log
    2014-08-18 12:58 - 2015-05-05 14:30 - 0000164 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz

    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-05-03 15:35

    ==================== End Of Log ============================
     
  15. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06-05-2015 01
    Ran by Neal at 2015-05-08 13:32:07
    Running from C:\Users\Neal\Desktop
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-4105420370-3369507210-3028615837-500 - Administrator - Disabled) => C:\Users\Administrator
    Guest (S-1-5-21-4105420370-3369507210-3028615837-501 - Limited - Disabled)
    Neal (S-1-5-21-4105420370-3369507210-3028615837-1002 - Administrator - Enabled) => C:\Users\Neal
    Noelle (S-1-5-21-4105420370-3369507210-3028615837-1004 - Limited - Enabled) => C:\Users\Noelle
    Sean (S-1-5-21-4105420370-3369507210-3028615837-1003 - Limited - Enabled) => C:\Users\Sean

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)


    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    4 Elements II (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.6.636 - Adobe Systems, Inc.)
    Algebra 1 Teaching Textbook (HKLM-x32\...\Algebra 1 Teaching Textbook) (Version: - Teaching Textbooks Inc.)
    AMD Catalyst Install Manager (HKLM\...\{3CEC10BE-CD7C-8E99-E3AC-DD31F4416C1C}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
    Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
    Build-a-lot 4 - Power Source (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
    Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
    CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2.5712 - CyberLink Corp.)
    CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.2.2114 - CyberLink Corp.)
    CyberLink PhotoDirector (HKLM-x32\...\InstallShield_{4862344A-A39C-4897-ACD4-A1BED5163C5A}) (Version: 2.0.2.3317 - CyberLink Corp.)
    CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.2.2110 - CyberLink Corp.)
    CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.2.2126 - CyberLink Corp.)
    CyberLink PowerDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.7.4528 - CyberLink Corp.)
    CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.5.5811 - CyberLink Corp.)
    D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
    Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
    Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
    FATE: The Cursed King (x32 Version: 2.2.0.97 - WildTangent) Hidden
    Final Drive Fury (x32 Version: 2.2.0.95 - WildTangent) Hidden
    Gardenscapes: Mansion Makeover (x32 Version: 3.0.2.32 - WildTangent) Hidden
    Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
    House of 1000 Doors: Family Secrets (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Hoyle Card Games (x32 Version: 2.2.0.95 - WildTangent) Hidden
    HP 3D DriveGuard (HKLM\...\{6821D775-9303-46DD-977A-2D97CA18B054}) (Version: 4.2.8.1 - Hewlett-Packard Company)
    HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: v1.0 - Meridian Audio Ltd)
    HP Connected Remote (HKLM-x32\...\{F243A34B-AB7F-4065-B770-B85B767C247C}) (Version: 1.0.1218 - Hewlett-Packard)
    HP CoolSense (HKLM-x32\...\{8704FEEF-A6A8-4E7E-B124-BD6122C66E2C}) (Version: 2.10.42 - Hewlett-Packard Company)
    HP Documentation (HKLM-x32\...\{23C74C03-680C-455D-933F-5BC8683CAE52}) (Version: 1.2.0.0 - Hewlett-Packard)
    HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.3.0 - WildTangent)
    HP MyRoom (HKLM-x32\...\{9C35EDE5-4B0F-45E7-A438-314BA889948E}) (Version: 9.0.0.0 - Hewlett-Packard Company)
    HP Quick Launch (HKLM-x32\...\{E5823036-6F09-4D0A-B05C-E2BAA129288A}) (Version: 3.0.6 - Hewlett-Packard Company)
    HP Registration Service (HKLM\...\{C2E428EB-116E-41C0-9E84-B22DE9CCA42F}) (Version: 1.1.6232.4245 - Hewlett-Packard)
    HP Utility Center (HKLM-x32\...\{0C57987A-A03A-4B95-A309-D23F78F406CA}) (Version: 1.0.8 - Hewlett-Packard)
    HP Wireless Button Driver (HKLM-x32\...\{941DE69D-6CEE-4171-8F1F-3D7E352AA498}) (Version: 1.0.6.1 - Hewlett-Packard Company)
    IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6425.0 - IDT)
    Java 2 Runtime Environment, SE v1.4.1_02 (HKLM-x32\...\{EFCE5837-FC21-11D6-9D24-00010240CE95}) (Version: - )
    Java Web Start (HKLM-x32\...\Java Web Start) (Version: - )
    Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
    John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
    Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Mahjongg Dimensions Deluxe: Tiles in Time (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Microsoft Office (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.6120.5004 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
    Mortimer Beckett and the Crimson Thief Premium Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Movie Maker (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
    Mozilla Firefox 32.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 32.0.1 (x86 en-US)) (Version: 32.0.1 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
    Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
    Polar Golfer (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Qualcomm Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Qualcomm Atheros)
    QuickTime (HKLM-x32\...\QuickTime) (Version: - )
    Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.3.730.2012 - Realtek)
    Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.2.8400.29029 - Realtek Semiconductor Corp.)
    Roads of Rome 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Royal Envoy 2 Collector's Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
    Student Management System (HKLM-x32\...\Student Management System) (Version: - )
    swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
    Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.10.12 - Synaptics Incorporated)
    Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
    The Rosetta Stone (HKLM-x32\...\The Rosetta Stone) (Version: - )
    Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
    WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.3.0 - WildTangent)
    WildTangent Games App (x32 Version: 4.0.9.7 - WildTangent) Hidden
    Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3503.0728 - Microsoft Corporation)
    Youda Jewel Shop (x32 Version: 3.0.2.32 - WildTangent) Hidden
    Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll ()
    CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("qvnoq7<odv!@buhwdYNckdbu)#VRbshq (the data entry has 27915 more characters). <==== Poweliks?

    ==================== Restore Points =========================


    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2013-08-22 08:25 - 2013-08-22 08:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

    Task: {06EAB617-28D2-4B01-B359-FC14AEDB75DE} - System32\Tasks\CLMLSvc_P2G8 => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2012-06-07] (CyberLink)
    Task: {238CA5C8-F07E-4F6A-A548-45499010B7A7} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-03-23] (Microsoft Corporation)
    Task: {71F80F89-232A-4966-855C-6FE0FB2E1956} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
    Task: {843F5273-3392-4FFC-A015-0DA84847EF55} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe [2012-08-24] (Synaptics Incorporated)
    Task: {C43512FA-BE5A-4012-A14F-BA2B34634288} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
    Task: {D40E2186-25E0-4499-BFE4-C994389C4EDF} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2012-10-12] (CyberLink)
    Task: {E6B5E745-C45E-4784-B9EE-70FE7C70454E} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
    Task: {F3799BF6-D57F-47B0-B8B0-717104309832} - System32\Tasks\{B4B196E5-6F81-42F7-9583-FFE3E9689CDE} => pcalua.exe -a E:\autorun.exe -d E:\

    ==================== Loaded Modules (whitelisted) ==============

    2014-09-08 07:29 - 2009-11-04 13:18 - 00189440 _____ () C:\WINDOWS\system32\spool\PRTPROCS\x64\lxeedrpp.dll
    2014-07-04 21:33 - 2014-07-04 21:33 - 00127488 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
    2014-07-04 21:33 - 2014-07-04 21:33 - 00102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
    2015-05-05 14:12 - 2015-05-05 14:12 - 00253080 _____ () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll
    2014-07-11 14:11 - 2012-06-07 22:34 - 00627216 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
    2012-06-08 13:34 - 2012-06-08 13:34 - 00016400 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
    2015-05-08 12:41 - 2015-05-08 12:41 - 00061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
    2014-12-17 14:54 - 2014-12-17 14:54 - 03716720 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

    AlternateDataStreams: C:\Users\Neal\OneDrive:ms-properties
    AlternateDataStreams: C:\Users\Noelle\OneDrive:ms-properties

    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) ===============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, the associated entry will be removed from the registry.)


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
    DNS Servers: 192.168.1.1

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)


    ==================== FirewallRules (whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
    FirewallRules: [{EB40A931-D85B-4CCA-B3D4-C1A8C51FD92D}] => (Allow) C:\Windows\system32\lxeecoms.exe
    FirewallRules: [{5A5CF6C9-6FB3-4CF7-A892-0DB4543C3058}] => (Block) C:\windows\syswow64\java.exe
    FirewallRules: [{5D8777C7-815F-459B-9D56-2EF931A5D0ED}] => (Block) C:\windows\syswow64\java.exe
    FirewallRules: [UDP Query User{665BB536-0130-4C51-B5B1-1926C4D4DE97}C:\windows\syswow64\java.exe] => (Allow) C:\windows\syswow64\java.exe
    FirewallRules: [TCP Query User{ABC0D633-705D-4D01-A6A6-8B3468C3C741}C:\windows\syswow64\java.exe] => (Allow) C:\windows\syswow64\java.exe
    FirewallRules: [{BCE893FD-2BA3-4A07-B47D-ADCEA98A6491}] => (Allow) LPort=52000
    FirewallRules: [{1E0D5EFE-D8C3-4139-AE6E-CB833453E3CA}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
    FirewallRules: [{9E086A13-706A-4014-B1B0-36070A8A5AA6}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD10.EXE
    FirewallRules: [{A6EA8DB4-9C8A-4048-BB3F-1DAAAE352B02}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    FirewallRules: [{0ADE7D14-E0FA-4290-978B-32F65B660588}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    FirewallRules: [{FE6B40FC-707E-4F2E-90F8-AB1335156BC4}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{0D7B6C92-A706-4DA9-AD8C-0EAC8E7D30AE}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{853DA728-1141-4D89-A895-B7F4DEB5B004}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
    FirewallRules: [{5BA0062D-F4B2-4D7F-97C3-9CAED76EC3E8}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
    FirewallRules: [{48C8B771-AE46-44F6-B014-46CAC123D294}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
    FirewallRules: [{9E825020-25E9-4D5A-A7A6-992E2F31866D}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
    FirewallRules: [{2665AFA2-B5CE-4E26-8932-86A7D3F664C4}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
    FirewallRules: [{DD21F78F-AF64-47E1-AACD-D58499719F1E}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
    FirewallRules: [{FD5EC627-F3BD-4CC8-920D-45F47DE678B7}] => (Allow) LPort=1900
    FirewallRules: [{9835CC22-556D-4430-8243-EE8C26B97658}] => (Allow) LPort=2869
    FirewallRules: [{CCF723D3-CB8D-4493-82CA-1AF295CE1A00}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    FirewallRules: [{1A0F3415-E39D-4108-99E4-18767F6B3C02}] => (Allow) C:\Users\Administrator\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
    FirewallRules: [TCP Query User{7F399BDC-C4DC-4754-88A1-DE7CFEBEF1EC}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
    FirewallRules: [UDP Query User{B1149B3C-6700-4ECF-ACCE-25DE89F82194}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
    FirewallRules: [TCP Query User{B1B05C83-36AF-4F11-9F58-FCD7CC626822}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
    FirewallRules: [UDP Query User{70ACB0BF-07A0-468D-83E9-2845DD9255E9}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
    FirewallRules: [{4F364D9A-276E-408C-89B4-1674E2E51EA4}] => (Allow) LPort=53000

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (05/08/2015 01:05:19 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
    Exception code: 0xe0434352
    Fault offset: 0x0000000000008b9c
    Faulting process id: 0x8b4
    Faulting application start time: 0xHPConnectedRemoteService.exe0
    Faulting application path: HPConnectedRemoteService.exe1
    Faulting module path: HPConnectedRemoteService.exe2
    Report Id: HPConnectedRemoteService.exe3
    Faulting package full name: HPConnectedRemoteService.exe4
    Faulting package-relative application ID: HPConnectedRemoteService.exe5

    Error: (05/08/2015 01:05:19 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()

    Error: (05/08/2015 01:05:06 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
    Exception code: 0xe0434352
    Fault offset: 0x0000000000008b9c
    Faulting process id: 0x2d3c
    Faulting application start time: 0xHPConnectedRemoteService.exe0
    Faulting application path: HPConnectedRemoteService.exe1
    Faulting module path: HPConnectedRemoteService.exe2
    Report Id: HPConnectedRemoteService.exe3
    Faulting package full name: HPConnectedRemoteService.exe4
    Faulting package-relative application ID: HPConnectedRemoteService.exe5

    Error: (05/08/2015 01:05:05 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()

    Error: (05/08/2015 01:04:52 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
    Exception code: 0xe0434352
    Fault offset: 0x0000000000008b9c
    Faulting process id: 0x2fd4
    Faulting application start time: 0xHPConnectedRemoteService.exe0
    Faulting application path: HPConnectedRemoteService.exe1
    Faulting module path: HPConnectedRemoteService.exe2
    Report Id: HPConnectedRemoteService.exe3
    Faulting package full name: HPConnectedRemoteService.exe4
    Faulting package-relative application ID: HPConnectedRemoteService.exe5

    Error: (05/08/2015 01:04:52 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()

    Error: (05/08/2015 01:04:37 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
    Exception code: 0xe0434352
    Fault offset: 0x0000000000008b9c
    Faulting process id: 0x2098
    Faulting application start time: 0xHPConnectedRemoteService.exe0
    Faulting application path: HPConnectedRemoteService.exe1
    Faulting module path: HPConnectedRemoteService.exe2
    Report Id: HPConnectedRemoteService.exe3
    Faulting package full name: HPConnectedRemoteService.exe4
    Faulting package-relative application ID: HPConnectedRemoteService.exe5

    Error: (05/08/2015 01:04:35 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()

    Error: (05/08/2015 01:02:10 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
    Exception code: 0xe0434352
    Fault offset: 0x0000000000008b9c
    Faulting process id: 0x1ef4
    Faulting application start time: 0xHPConnectedRemoteService.exe0
    Faulting application path: HPConnectedRemoteService.exe1
    Faulting module path: HPConnectedRemoteService.exe2
    Report Id: HPConnectedRemoteService.exe3
    Faulting package full name: HPConnectedRemoteService.exe4
    Faulting package-relative application ID: HPConnectedRemoteService.exe5

    Error: (05/08/2015 01:02:09 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()


    System errors:
    =============
    Error: (05/08/2015 01:32:49 PM) (Source: DCOM) (EventID: 10010) (User: HOMESCHOOL1)
    Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

    Error: (05/08/2015 01:30:59 PM) (Source: DCOM) (EventID: 10010) (User: HOMESCHOOL1)
    Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

    Error: (05/08/2015 01:05:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The HP Connected Remote Service service failed to start due to the following error:
    %%1053

    Error: (05/08/2015 01:05:56 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
    Description: A timeout was reached (30000 milliseconds) while waiting for the HP Connected Remote Service service to connect.

    Error: (05/08/2015 01:05:19 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 35 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Error: (05/08/2015 01:05:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 34 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Error: (05/08/2015 01:04:52 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 33 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Error: (05/08/2015 01:04:38 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 32 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Error: (05/08/2015 01:03:52 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    Error: (05/08/2015 01:03:45 PM) (Source: DCOM) (EventID: 10010) (User: HOMESCHOOL1)
    Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}


    Microsoft Office Sessions:
    =========================
    Error: (05/08/2015 01:05:19 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c8b401d089b9867e6757C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dllc9581784-f5ac-11e4-becb-38eaa7dc590b

    Error: (05/08/2015 01:05:19 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()

    Error: (05/08/2015 01:05:06 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c2d3c01d089b97e837108C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dllc11662a8-f5ac-11e4-becb-38eaa7dc590b

    Error: (05/08/2015 01:05:05 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()

    Error: (05/08/2015 01:04:52 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c2fd401d089b975afa2f0C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dllb9272c3b-f5ac-11e4-becb-38eaa7dc590b

    Error: (05/08/2015 01:04:52 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()

    Error: (05/08/2015 01:04:37 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c209801d089b95abee26bC:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dllb02b8b2b-f5ac-11e4-becb-38eaa7dc590b

    Error: (05/08/2015 01:04:35 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()

    Error: (05/08/2015 01:02:10 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c1ef401d089b915450644C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dll5878a687-f5ac-11e4-becb-38eaa7dc590b

    Error: (05/08/2015 01:02:09 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
    Description: Application: HPConnectedRemoteService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    Stack:
    at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
    at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
    at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
    at SwitchBoard.SwitchBoardService.RunService()
    at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
    at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
    at System.Threading.ThreadHelper.ThreadStart()


    CodeIntegrity Errors:
    ===================================
    Date: 2015-05-07 01:07:46.241
    Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll that did not meet the Windows signing level requirements.


    ==================== Memory info ===========================

    Processor: AMD A8-4500M APU with Radeon(tm) HD Graphics
    Percentage of memory in use: 84%
    Total physical RAM: 3554.26 MB
    Available physical RAM: 559.93 MB
    Total Pagefile: 7963.3 MB
    Available Pagefile: 2935.17 MB
    Total Virtual: 131072 MB
    Available Virtual: 131071.84 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:565.37 GB) (Free:519.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive d: (RECOVERY) (Fixed) (Total:29.6 GB) (Free:3.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 596.2 GB) (Disk ID: 4FBE1E19)

    Partition: GPT Partition Type.

    ==================== End Of Log ============================
     
  16. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    This is a very severe infection, so it'll take a while to clean it up.

    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST(FRST64) and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
     

  17. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    I did not rename or remove the last 'fixlog' on the affected desktop. The machine is restarting. Assuming here it will rename the new file something like "fixlog1" or maybe it overwrites...?

    Simply let me know if I need to start over.
     
  18. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Nm, it only opened the txt file so I overwrote the original.
     
  19. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2015 01
    Ran by Neal at 2015-05-08 14:33:01 Run:3
    Running from C:\Users\Neal\Desktop
    Loaded Profiles: Neal (Available profiles: Neal & Sean & Noelle & Administrator)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Local\Temp\8FB3.tmp
    C:\Users\Neal\AppData\Local\Temp\8FB3.tmp
    () C:\Users\Neal\AppData\Local\Temp\9FD4.tmp
    C:\Users\Neal\AppData\Local\Temp\9FD4.tmp
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [AVNworks] => C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [udsfurd] => rundll32 "C:\Users\Neal\AppData\Local\udsfurd.dll",udsfurd <===== ATTENTION
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("qvnoq7<odv!@buhwdYNckdbu)#VRbshq (the data entry has 27907 more characters). <==== Poweliks!
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-08] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG [2015-05-08] ()
    Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT [2015-05-08] ()
    InternetURL: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.gigapaysun.com/1sL7j4w
    ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe
    C:\Users\Neal\AppData\Local\udsfurd.dll
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL
    BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll No File
    Toolbar: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    FF Extension: Windows Script Host Shell Object - C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F} [2015-05-02]
    C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F}
    2015-05-08 12:48 - 2015-05-08 12:48 - 00008602 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.HTML
    2015-05-08 12:48 - 2015-05-08 12:48 - 00000284 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.URL
    2015-05-08 12:47 - 2015-05-08 12:47 - 00008602 _____ () C:\Users\Neal\HELP_DECRYPT.HTML
    2015-05-08 12:47 - 2015-05-08 12:47 - 00004244 _____ () C:\Users\Neal\HELP_DECRYPT.TXT
    2015-05-08 12:47 - 2015-05-08 12:47 - 00004244 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.TXT
    2015-05-08 12:47 - 2015-05-08 12:47 - 00000284 _____ () C:\Users\Neal\HELP_DECRYPT.URL
    2015-05-08 12:45 - 2015-05-08 12:45 - 00008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-08 12:45 - 2015-05-08 12:45 - 00008602 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.HTML
    2015-05-08 12:45 - 2015-05-08 12:45 - 00004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-08 12:45 - 2015-05-08 12:45 - 00004244 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.TXT
    2015-05-08 12:45 - 2015-05-08 12:45 - 00000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-08 12:45 - 2015-05-08 12:45 - 00000284 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.URL
    2015-05-08 12:41 - 2015-05-08 12:41 - 00061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
    2015-05-08 12:40 - 2015-05-08 12:40 - 00051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
    2015-05-07 11:46 - 2015-05-07 11:46 - 00000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
    2015-05-05 14:10 - 2015-05-08 12:43 - 00000000 ___HD () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
    2015-05-08 12:45 - 2015-05-08 12:45 - 0008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
    2015-05-08 12:45 - 2015-05-08 12:45 - 0045579 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG
    2015-05-08 12:45 - 2015-05-08 12:45 - 0004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
    2015-05-08 12:45 - 2015-05-08 12:45 - 0000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
    2015-05-07 11:46 - 2015-05-07 11:46 - 0000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
    2015-05-08 12:40 - 2015-05-08 12:40 - 0051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
    2015-05-07 11:46 - 2015-05-07 11:46 - 0079648 _____ () C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3
    2015-05-08 12:41 - 2015-05-08 12:41 - 0061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
    2014-09-15 20:51 - 2015-02-04 14:46 - 0000342 _____ () C:\ProgramData\lxee.log
    2014-09-25 19:06 - 2015-02-04 15:05 - 0009990 _____ () C:\ProgramData\lxeeJSW.log
    2014-09-08 07:27 - 2015-02-04 14:46 - 0000392 _____ () C:\ProgramData\lxeescan.log
    2014-08-18 12:58 - 2015-05-05 14:30 - 0000164 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz
    CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll ()
    CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("qvnoq7<odv!@buhwdYNckdbu)#VRbshq (the data entry has 27915 more characters). <==== Poweliks?
    C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll
    AlternateDataStreams: C:\Users\Neal\OneDrive:ms-properties
    AlternateDataStreams: C:\Users\Noelle\OneDrive:ms-properties
    FirewallRules: [TCP Query User{7F399BDC-C4DC-4754-88A1-DE7CFEBEF1EC}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
    FirewallRules: [UDP Query User{B1149B3C-6700-4ECF-ACCE-25DE89F82194}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
    FirewallRules: [TCP Query User{B1B05C83-36AF-4F11-9F58-FCD7CC626822}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
    FirewallRules: [UDP Query User{70ACB0BF-07A0-468D-83E9-2845DD9255E9}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
    C:\users\neal\appdata\local\temp\61b8.tmp
    C:\users\neal\appdata\local\temp\8fb3.tmp

    *****************

    (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Local\Temp\8FB3.tmp => Error: No automatic fix found for this entry.
    C:\Users\Neal\AppData\Local\Temp\8FB3.tmp => Moved successfully.
    C:\Users\Neal\AppData\Local\Temp\9FD4.tmp => No running process found
    C:\Users\Neal\AppData\Local\Temp\9FD4.tmp => Moved successfully.
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Windows\CurrentVersion\Run\\AVNworks => value deleted successfully.
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Windows\CurrentVersion\Run\\udsfurd => value deleted successfully.
    "HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
    "HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
    HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
    HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
    HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
    HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
    HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
    HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
    "C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe" => File/Directory not found.
    C:\Users\Neal\AppData\Local\udsfurd.dll => Moved successfully.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL" => File/Directory not found.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}" => Key deleted successfully.
    "HKCR\Wow6432Node\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}" => Key deleted successfully.
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
    HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
    C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F} => Moved successfully.
    "C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F}" => File/Directory not found.
    C:\Users\Neal\Desktop\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\Desktop\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\Desktop\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\AppData\HELP_DECRYPT.HTML => Moved successfully.
    C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\AppData\HELP_DECRYPT.TXT => Moved successfully.
    C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
    C:\Users\Neal\AppData\HELP_DECRYPT.URL => Moved successfully.
    "C:\Users\Neal\AppData\Local\udsfurd.dll" => File/Directory not found.
    C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe => Moved successfully.
    C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja => Moved successfully.

    "C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}" directory move:

    Could not move "C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}" directory. => Scheduled to move on reboot.

    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
    C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja" => File/Directory not found.
    "C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe" => File/Directory not found.
    C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3 => Moved successfully.
    "C:\Users\Neal\AppData\Local\udsfurd.dll" => File/Directory not found.
    C:\ProgramData\lxee.log => Moved successfully.
    C:\ProgramData\lxeeJSW.log => Moved successfully.
    C:\ProgramData\lxeescan.log => Moved successfully.
    C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz => Moved successfully.
    "HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}" => Key deleted successfully.
    HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
    Could not move "C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll" => Scheduled to move on reboot.
    "C:\Users\Neal\OneDrive" => ":ms-properties" ADS not found.
    "C:\Users\Noelle\OneDrive" => ":ms-properties" ADS not found.
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{7F399BDC-C4DC-4754-88A1-DE7CFEBEF1EC}C:\users\neal\appdata\local\temp\61b8.tmp => value deleted successfully.
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{B1149B3C-6700-4ECF-ACCE-25DE89F82194}C:\users\neal\appdata\local\temp\61b8.tmp => value deleted successfully.
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{B1B05C83-36AF-4F11-9F58-FCD7CC626822}C:\users\neal\appdata\local\temp\8fb3.tmp => value deleted successfully.
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{70ACB0BF-07A0-468D-83E9-2845DD9255E9}C:\users\neal\appdata\local\temp\8fb3.tmp => value deleted successfully.
    C:\users\neal\appdata\local\temp\61b8.tmp => Moved successfully.
    "C:\users\neal\appdata\local\temp\8fb3.tmp" => File/Directory not found.

    => Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-05-08 14:35:39)<=

    C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0} => Moved successfully.
    C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll => Is moved successfully.

    ==== End of Fixlog 14:35:39 ====
     
  20. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good :)

    Please download Powelikscleaner (by ESET) and save it to your Desktop.

    1. Double-click on ESETPoweliksCleaner.exe to start the tool.

    2. Read the terms of the End-user license agreement and click Agree.

    3. The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

    4. If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.

    The tool will produce a log in the same directory the tool was run from.

    Please copy and paste the log in your next reply.
     
  21. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    [2015.05.08 14:47:50.801] - Begin
    [2015.05.08 14:47:50.802] -
    [2015.05.08 14:47:50.803] - ....................................
    [2015.05.08 14:47:50.804] - ..::::::::::::::::::....................
    [2015.05.08 14:47:50.806] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Poweliks
    [2015.05.08 14:47:50.810] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.0.0.4
    [2015.05.08 14:47:50.812] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Mar 25 2015
    [2015.05.08 14:47:50.814] - .::EE:::::::::::::SS:.EE..........TT......
    [2015.05.08 14:47:50.816] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
    [2015.05.08 14:47:50.817] - ..::::::::::::::::::.................... 1992-2015. All rights reserved.
    [2015.05.08 14:47:50.818] - ....................................
    [2015.05.08 14:47:50.818] -
    [2015.05.08 14:47:50.819] - --------------------------------------------------------------------------------
    [2015.05.08 14:47:50.819] -
    [2015.05.08 14:47:50.820] - INFO: OS: 6.2.9200 SP0
    [2015.05.08 14:47:50.821] - INFO: Product Type: Workstation
    [2015.05.08 14:47:50.821] - INFO: WoW64: True
    [2015.05.08 14:47:50.822] - INFO: Machine guid: 9820C332-B7F3-406D-BB3B-40E83CD45078
    [2015.05.08 14:47:50.822] -
    [2015.05.08 14:47:53.239] - INFO: Scanning for system infection...
    [2015.05.08 14:47:53.242] - --------------------------------------------------------------------------------
    [2015.05.08 14:47:53.243] -
    [2015.05.08 14:47:53.243] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
    [2015.05.08 14:47:53.244] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
    [2015.05.08 14:47:53.244] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
    [2015.05.08 14:47:53.245] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
    [2015.05.08 14:47:53.245] - INFO: Processing classes...
    [2015.05.08 14:47:53.245] - INFO: Processing clsid [\Registry\User\S-1-5-21-4105420370-3369507210-3028615837-1002\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}]
    [2015.05.08 14:47:53.246] - INFO: Processing clsid [\Registry\User\S-1-5-21-4105420370-3369507210-3028615837-1002\SOFTWARE\Classes\CLSID\{D9AC5E73-BB10-467b-B884-AA1E475C51F5}]
    [2015.05.08 14:47:53.246] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
    [2015.05.08 14:47:53.248] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
    [2015.05.08 14:47:53.249] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
    [2015.05.08 14:47:53.250] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
    [2015.05.08 14:47:53.250] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
    [2015.05.08 14:47:53.250] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
    [2015.05.08 14:47:53.250] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
    [2015.05.08 14:47:53.250] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
    [2015.05.08 14:47:53.250] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
    [2015.05.08 14:47:53.250] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
    [2015.05.08 14:47:53.253] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
    [2015.05.08 14:47:53.255] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
    [2015.05.08 14:47:53.255] - INFO: (XSW) Scanning for XSW variant...
    [2015.05.08 14:47:53.260] - INFO: (XSW) Processing users subkeys...
    [2015.05.08 14:47:53.263] - INFO: Win32/Poweliks not found
    [2015.05.08 14:49:33.871] - End
     
  22. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good :)

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right-click on RogueKiller.exe and click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
    NOTE. If you already have MBAM 2.0 installed, scroll down.

    • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Launch Malwarebytes Anti-Malware
      • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    • Click Finish.
    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.


    If you already have MBAM 2.0 installed:

    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.

    How to get logs:
    (Export log to save as txt)


    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Export'.
    • Click 'Text file (*.txt)'
    • In the Save File dialog box which appears, click on Desktop.
    • In the File name: box type a name for your scan log.
    • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
    • Click Ok
    • Attach that saved log to your next reply.


    (Copy to clipboard for pasting into forum replies or tickets)

    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Copy to Clipboard'
    • Paste the contents of the clipboard into your reply.

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
     
  23. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Dude, You Rock!
    Here is RK.

    RogueKiller V10.6.2.0 [May 4 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
    Started in : Normal mode
    User : Neal [Administrator]
    Started from : C:\Users\Neal\Desktop\RogueKiller.exe
    Mode : Delete -- Date : 05/08/2015 15:16:12

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 7 ¤¤¤
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
    [PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Not selected
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: Hitachi HTS547564A9E384 SATA Disk Device +++++
    --- User ---
    [MBR] eaa93bc072eea7461895903666ebf1e0
    [BSP] 43085d0ea2d5c5f36c9a60da872f061e : Empty|VT.Unknown MBR Code
    Partition table:
    0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
    1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
    2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
    3 - Basic data partition | Offset (sectors): 1615872 | Size: 578935 MB
    4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1187274752 | Size: 450 MB
    5 - [SYSTEM] Basic data partition | Offset (sectors): 1188196352 | Size: 30306 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: CBM2080 Flash Disk USB Device +++++
    --- User ---
    [MBR] 1dc4f576e295253aec3e276ea38b4a33
    [BSP] 8820f824590844e2c45740a38ac00a7e : Windows XP|VT.Unknown MBR Code
    Partition table:
    0 - [ACTIVE] FAT16-LBA (0xe) [VISIBLE] Offset (sectors): 63 | Size: 498 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_SCN_05082015_151509.log
     
  24. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 5/8/2015
    Scan Time: 3:22:01 PM
    Logfile: mbamscanlog.txt
    Administrator: Yes

    Version: 2.01.6.1022
    Malware Database: v2015.05.08.08
    Rootkit Database: v2015.04.21.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 8.1
    CPU: x64
    File System: NTFS
    User: Neal

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 470918
    Time Elapsed: 57 min, 19 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 9
    Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\CBFD.tmp, Quarantined, [08302a6741499b9ba1f686cfc1417a86],
    Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\1DA9.tmp, Quarantined, [132596fbb4d67bbb8e14b5c135cb25db],
    Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\8A9C.tmp, Quarantined, [1325583924661a1c3463eb6ab15109f7],
    Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\908F.tmp, Quarantined, [5bdd4a473654d36303c404051de96997],
    Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\9090.tmp, Quarantined, [43f595fc93f73afc4d7ac049689ef10f],
    Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\919A.tmp, Quarantined, [54e4741d593189ad18af858429dde020],
    Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\A8D4.tmp, Quarantined, [2513533e5d2d2214a5f28acb966c4bb5],
    Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\1B3.tmp, Quarantined, [cd6b474a107ad363aaedcc89c83a2dd3],
    CryptoWall.Trace, C:\Users\Neal\Desktop\HELP_DECRYPT.PNG, Quarantined, [74c40f82f496db5b04d0b9a60df82ad6],

    Physical Sectors: 0
    (No malicious items detected)


    (end)
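The Malwarebytes log above has a regular layout: each "Name: N" section header is followed by N detection lines of the form "family, path, action, [id],". As an added example (not from this thread and not Malwarebytes' own code), the following Python script parses that layout, checks the parsed lines against the declared counts (a cheap way to catch a truncated paste), and pulls out the two artefacts worth noting in a CryptoWall case: the HELP_DECRYPT ransom notes, which identify encrypted directories but whose quarantine recovers no data, and the payloads staged under the per-user Temp folder. SAMPLE_LOG is a constructed excerpt that mirrors a few of the posted lines; the section names, regexes and helper functions are this example's own assumptions, covering only the file-section line format shown here.

```python
"""Triage a Malwarebytes Anti-Malware 2.x scan log: pull the detection lines out of
the 'Files:' / 'Registry Keys:' style sections, check them against the declared
counts, and flag the artefacts that matter for a CryptoWall case."""
import ntpath
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt that mirrors the layout of the log posted above; not the full log.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/8/2015
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 470918

Processes: 0
(No malicious items detected)

Files: 3
Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\CBFD.tmp, Quarantined, [08302a6741499b9ba1f686cfc1417a86],
Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\1DA9.tmp, Quarantined, [132596fbb4d67bbb8e14b5c135cb25db],
CryptoWall.Trace, C:\Users\Neal\Desktop\HELP_DECRYPT.PNG, Quarantined, [74c40f82f496db5b04d0b9a60df82ad6],

Physical Sectors: 0
(No malicious items detected)

(end)
"""

# Section headers that carry a detection count ("Objects Scanned: N" is deliberately excluded).
KNOWN_SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
                  "Registry Data", "Folders", "Files", "Physical Sectors"}
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<count>\d+)$")
# One detection line: "<family>, <path>, <action>, [<id>],"  (file-section layout only;
# assumption: registry sections with an empty data column are not handled here)
DETECTION_RE = re.compile(
    r"^(?P<family>[^,]+), (?P<path>.+), (?P<action>[A-Za-z -]+), \[(?P<id>[0-9a-f]+)\],$")
RANSOM_NOTE_PREFIX = "HELP_DECRYPT"   # CryptoWall 3.0 ransom-note file stem seen in the log

Detection = Dict[str, str]


def parse_mbam_log(text: str) -> Tuple[Dict[str, List[Detection]], Dict[str, int]]:
    """Return (detections per section, declared count per section)."""
    sections: Dict[str, List[Detection]] = {}
    declared: Dict[str, int] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header and header.group("name") in KNOWN_SECTIONS:
            current = header.group("name")
            declared[current] = int(header.group("count"))
            sections[current] = []
            continue
        hit = DETECTION_RE.match(line)
        if hit and current is not None:
            sections[current].append(hit.groupdict())
    return sections, declared


def mismatched_sections(sections: Dict[str, List[Detection]], declared: Dict[str, int]) -> List[str]:
    """Sections whose parsed line count differs from the 'Name: N' header (truncated paste etc.)."""
    return [name for name, n in declared.items() if len(sections.get(name, [])) != n]


def family_counts(sections: Dict[str, List[Detection]]) -> Counter:
    """How many hits per detection family, across all sections."""
    return Counter(d["family"] for items in sections.values() for d in items)


def ransom_note_paths(sections: Dict[str, List[Detection]]) -> List[str]:
    """Ransom notes mark encrypted directories; quarantining them recovers nothing."""
    return [d["path"] for d in sections.get("Files", [])
            if ntpath.basename(d["path"]).upper().startswith(RANSOM_NOTE_PREFIX)]


def temp_payload_paths(sections: Dict[str, List[Detection]]) -> List[str]:
    """Payloads staged under the per-user Temp directory, as in the Zbot/Agent hits above."""
    return [d["path"] for d in sections.get("Files", [])
            if "\\appdata\\local\\temp\\" in d["path"].lower()]


def triage(text: str) -> dict:
    """One-call summary of a pasted log."""
    sections, declared = parse_mbam_log(text)
    return {
        "families": dict(family_counts(sections)),
        "ransom_notes": ransom_note_paths(sections),
        "temp_payloads": temp_payload_paths(sections),
        "mismatched": mismatched_sections(sections, declared),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved mbamscanlog.txt by passing the file contents to triage(); a non-empty "mismatched" list means the pasted log does not contain every line the headers promise, so its detections should not be treated as a complete inventory.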
     
  25. Neal Young

    Neal Young TS Rookie Topic Starter Posts: 38

    # AdwCleaner v4.203 - Logfile created 08/05/2015 at 16:26:34
    # Updated 30/04/2015 by Xplode
    # Database : 2015-05-08.1 [Server]
    # Operating system : Windows 8.1 (x64)
    # Username : Neal - HOMESCHOOL1
    # Running from : C:\Users\Neal\Desktop\adwcleaner_4.203.exe
    # Option : Cleaning

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****


    ***** [ Web browsers ] *****

    -\\ Internet Explorer v11.0.9600.17416


    -\\ Mozilla Firefox v32.0.1 (x86 en-US)


    *************************

    AdwCleaner[R0].txt - [735 bytes] - [08/05/2015 16:24:26]
    AdwCleaner[S0].txt - [661 bytes] - [08/05/2015 16:26:34]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [719 bytes] ##########
     