Solved Cryptowall 3.0 on W8

Neal Young

Daughter's laptop was/is infected with Cryptowall 3. I have downloaded and scanned with FRST and did a 'fix'. It rebooted to 'fix' more of the infected folders and items. When it started back up I was planning to rescan to continue cleaning, but now it just shuts down; sometimes I get an overheating error. The FRST app is gone. It restarts before I can download it again. I was able to pull the 'fixlog' to another laptop. Any help would be great.
 
Welcome aboard

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================

I'm assuming you're aware of this:
Unfortunately, at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not realistic due to the length of time required to break an RSA encryption key. Also, any decryption tools that have been released by various companies will not work with this infection. The only methods you have of restoring your files are from a backup, file recovery tools, or, if you're lucky, from Shadow Volume Copies.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
We can fairly easily remove the infection itself, though.

You shouldn't run any fixes by yourself if you're not sure what you're doing.

Can you post the content of your "fixlist"?

What Windows version is it?
 
- Yes, I am aware of the decryption mess.
- Lesson learned. I will await instructions and have NOW read the instructions...
- The next post will be the fixlist data.
- Windows 8.1.
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2015 01
Ran by Neal at 2015-05-08 08:48:53 Run:1
Running from C:\Users\Neal\Desktop
Loaded Profiles: Neal (Available profiles: Neal & Sean & Noelle & Administrator)
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
Start
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [Onics] => regsvr32.exe C:\Users\Neal\AppData\Local\Onics\jtqwehqk.dll
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [udsfurd] => rundll32 "C:\Users\Neal\AppData\Local\udsfurd.dll",udsfurd
2015-05-05 14:18 - 2015-05-05 14:18 - 0001353 _____ () C:\Program Files\HELP_TO_SAVE_FILES.txt
2015-05-05 14:17 - 2015-05-05 14:17 - 0001353 _____ () C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt
2015-05-07 15:51 - 2015-05-07 15:51 - 0221184 _____ ( ) C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
2015-05-07 15:54 - 2015-05-07 15:54 - 0008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-07 15:54 - 2015-05-07 15:54 - 0045557 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG
2015-05-07 15:54 - 2015-05-07 15:54 - 0004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-07 15:54 - 2015-05-07 15:54 - 0000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
2015-05-07 14:03 - 2015-05-07 14:03 - 0001632 _____ () C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt
2015-05-07 11:46 - 2015-05-07 11:46 - 0000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
2015-05-05 14:14 - 2015-05-05 14:14 - 0000752 _____ () C:\Users\Neal\AppData\Roaming\key.dat
2015-05-07 15:52 - 2015-05-07 15:52 - 0051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
2015-05-05 14:14 - 2015-05-07 14:06 - 0553922 _____ () C:\Users\Neal\AppData\Roaming\log.html
2015-05-07 11:46 - 2015-05-07 11:46 - 0079648 _____ () C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3
2015-05-05 14:14 - 2015-05-05 14:13 - 0458240 _____ (PGWARE LLC) C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
2015-05-07 15:52 - 2015-05-07 15:52 - 0061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
2014-07-11 14:14 - 2015-05-05 14:21 - 0000916 _____ () C:\ProgramData\CyberlinkOutput.txt.ezz
2015-05-07 15:53 - 2015-05-07 15:53 - 0008602 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 0045557 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-05-07 15:53 - 2015-05-07 15:53 - 0004244 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 0000284 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-05-07 14:03 - 2015-05-07 14:03 - 0001632 _____ () C:\ProgramData\HELP_TO_SAVE_FILES.txt
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Public\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Public\Documents\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Noelle\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Noelle\AppData\Local\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Noelle\AppData\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Neal\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Neal\Downloads\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Neal\Documents\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\Users\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00008602 _____ () C:\HELP_DECRYPT.HTML
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Public\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Public\Documents\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Noelle\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Noelle\AppData\Local\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Noelle\AppData\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Neal\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Neal\Downloads\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Neal\Documents\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\Users\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00004244 _____ () C:\HELP_DECRYPT.TXT
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Public\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Public\Documents\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Noelle\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Noelle\AppData\Local\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Noelle\AppData\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Neal\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Neal\Downloads\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Neal\Documents\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\Users\HELP_DECRYPT.URL
2015-05-07 15:59 - 2015-05-07 15:59 - 00000284 _____ () C:\HELP_DECRYPT.URL
2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.HTML
2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Default\HELP_DECRYPT.HTML
2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Default\Documents\HELP_DECRYPT.HTML
2015-05-07 15:54 - 2015-05-07 15:54 - 00008602 _____ () C:\Users\Default User\Documents\HELP_DECRYPT.HTML
2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.TXT
2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Default\HELP_DECRYPT.TXT
2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Default\Documents\HELP_DECRYPT.TXT
2015-05-07 15:54 - 2015-05-07 15:54 - 00004244 _____ () C:\Users\Default User\Documents\HELP_DECRYPT.TXT
2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.URL
2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Default\HELP_DECRYPT.URL
2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Default\Documents\HELP_DECRYPT.URL
2015-05-07 15:54 - 2015-05-07 15:54 - 00000284 _____ () C:\Users\Default User\Documents\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default\AppData\Local\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default\AppData\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default User\AppData\Local\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Default User\AppData\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00008602 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default\AppData\Local\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default\AppData\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default User\AppData\Local\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Default User\AppData\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00004244 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default\AppData\Roaming\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default\AppData\Local\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default\AppData\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default User\AppData\Local\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Default User\AppData\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.URL
2015-05-07 15:53 - 2015-05-07 15:53 - 00000284 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-05-07 15:52 - 2015-05-07 15:52 - 00061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
2015-05-07 15:52 - 2015-05-07 15:52 - 00051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
2015-05-07 15:51 - 2015-05-07 15:51 - 00221184 _____ ( ) C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
2015-05-07 15:51 - 2015-05-07 15:51 - 00000000 ___HD () C:\a9e1cbaf
2015-05-07 15:46 - 2015-05-08 08:20 - 00000264 _____ () C:\Users\Neal\Desktop\Search.txt
2015-05-07 15:41 - 2015-05-07 15:42 - 00035104 _____ () C:\Users\Neal\Desktop\Addition.txt
2015-05-07 15:34 - 2015-05-08 08:21 - 00000000 _____ () C:\Users\Neal\Desktop\FRST.txt
2015-05-07 15:33 - 2015-05-07 15:33 - 02102272 _____ (Farbar) C:\Users\Neal\Desktop\FRST64.exe
2015-05-07 15:23 - 2015-05-07 15:24 - 00035152 _____ () C:\Users\Neal\Downloads\Addition.txt
2015-05-07 15:19 - 2015-05-08 08:21 - 00000000 ____D () C:\FRST
2015-05-07 15:19 - 2015-05-07 15:24 - 00039680 _____ () C:\Users\Neal\Downloads\FRST.txt
2015-05-07 15:19 - 2015-05-07 15:19 - 02102272 _____ (Farbar) C:\Users\Neal\Downloads\FRST64.exe
2015-05-07 14:03 - 2015-05-07 14:03 - 00001632 _____ () C:\Users\Public\Documents\HELP_TO_SAVE_FILES.txt
2015-05-07 14:03 - 2015-05-07 14:03 - 00001632 _____ () C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt
2015-05-07 14:03 - 2015-05-07 14:03 - 00001632 _____ () C:\Users\Neal\AppData\HELP_TO_SAVE_FILES.txt
2015-05-07 14:03 - 2015-05-07 14:03 - 00001632 _____ () C:\ProgramData\HELP_TO_SAVE_FILES.txt
2015-05-07 14:00 - 2015-05-07 14:00 - 00000512 _____ () C:\Users\Neal\Documents\RECOVERY_FILE.TXT
2015-05-07 11:46 - 2015-05-07 11:46 - 00000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default\Desktop\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default\AppData\Roaming\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default\AppData\Local\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default\AppData\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default User\Desktop\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default User\AppData\Roaming\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default User\AppData\Local\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001632 _____ () C:\Users\Default User\AppData\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001353 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001353 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001353 _____ () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt
2015-05-05 14:31 - 2015-05-05 14:31 - 00001353 _____ () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt
2015-05-05 14:21 - 2015-05-05 14:21 - 00001353 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt
2015-05-05 14:21 - 2015-05-05 14:21 - 00001353 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt
2015-05-05 14:18 - 2015-05-05 14:18 - 00001353 _____ () C:\Program Files\HELP_TO_SAVE_FILES.txt
2015-05-05 14:17 - 2015-05-05 14:17 - 00001353 _____ () C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt
2015-05-05 14:14 - 2015-05-07 14:06 - 00553922 _____ () C:\Users\Neal\AppData\Roaming\log.html
2015-05-05 14:14 - 2015-05-05 14:14 - 00000752 _____ () C:\Users\Neal\AppData\Roaming\key.dat
2015-05-05 14:14 - 2015-05-05 14:13 - 00458240 _____ (PGWARE LLC) C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
2015-05-05 02:15 - 2015-05-05 02:15 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\WildTangent
2015-05-05 01:50 - 2015-05-07 15:54 - 00000000 ____D () C:\Users\Neal\.jpi_cache
2015-05-05 01:50 - 2015-05-07 15:54 - 00000000 ____D () C:\Users\Neal\.java
2015-05-04 22:12 - 2015-05-04 22:12 - 00000000 ____D () C:\Users\Noelle\Documents\New folder
2015-05-03 15:12 - 2015-05-03 15:12 - 00008602 _____ () C:\Users\Noelle\Documents\HELP_DECRYPT.HTML
2015-05-03 15:12 - 2015-05-03 15:12 - 00004244 _____ () C:\Users\Noelle\Documents\HELP_DECRYPT.TXT
2015-05-03 15:12 - 2015-05-03 15:12 - 00000284 _____ () C:\Users\Noelle\Documents\HELP_DECRYPT.URL
2015-05-03 14:56 - 2015-05-03 15:19 - 00000000 ____D () C:\Users\Neal\AppData\Local\toteke
2015-05-05 14:18 - 2015-05-05 14:18 - 0001353 _____ () C:\Program Files\HELP_TO_SAVE_FILES.txt
2015-05-05 14:17 - 2015-05-05 14:17 - 0001353 _____ () C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt
2015-05-07 15:51 - 2015-05-07 15:51 - 0221184 _____ ( ) C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
2015-05-07 15:54 - 2015-05-07 15:54 - 0008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-07 15:54 - 2015-05-07 15:54 - 0045557 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG
2015-05-07 15:54 - 2015-05-07 15:54 - 0004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-07 15:54 - 2015-05-07 15:54 - 0000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
2015-05-07 14:03 - 2015-05-07 14:03 - 0001632 _____ () C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt
2015-05-07 11:46 - 2015-05-07 11:46 - 0000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
2015-05-05 14:14 - 2015-05-05 14:14 - 0000752 _____ () C:\Users\Neal\AppData\Roaming\key.dat
2015-05-07 15:52 - 2015-05-07 15:52 - 0051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
2015-05-05 14:14 - 2015-05-07 14:06 - 0553922 _____ () C:\Users\Neal\AppData\Roaming\log.html
2015-05-07 11:46 - 2015-05-07 11:46 - 0079648 _____ () C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3
2015-05-05 14:14 - 2015-05-05 14:13 - 0458240 _____ (PGWARE LLC) C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
2015-05-07 15:52 - 2015-05-07 15:52 - 0061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
2014-07-11 14:14 - 2015-05-05 14:21 - 0000916 _____ () C:\ProgramData\CyberlinkOutput.txt.ezz
2015-05-07 15:53 - 2015-05-07 15:53 - 0008602 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-05-07 15:53 - 2015-05-07 15:53 - 0045557 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-05-07 15:53 - 2015-05-07 15:53 - 0004244 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-05-07 15:53 - 2015-05-07 15:53 - 0000284 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-05-07 14:03 - 2015-05-07 14:03 - 0001632 _____ () C:\ProgramData\HELP_TO_SAVE_FILES.txt
end

*****************

"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Onics => value deleted successfully.
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Windows\CurrentVersion\Run\\udsfurd => value deleted successfully.
C:\Program Files\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe => Moved successfully.
C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja => Moved successfully.
C:\Users\Neal\AppData\Roaming\key.dat => Moved successfully.
C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe => Moved successfully.
C:\Users\Neal\AppData\Roaming\log.html => Moved successfully.
C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3 => Moved successfully.
C:\Users\Neal\AppData\Roaming\rkdvuiw.exe => Moved successfully.
C:\Users\Neal\AppData\Local\udsfurd.dll => Moved successfully.
C:\ProgramData\CyberlinkOutput.txt.ezz => Moved successfully.
C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.
C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
C:\ProgramData\HELP_DECRYPT.TXT => Moved successfully.
C:\ProgramData\HELP_DECRYPT.URL => Moved successfully.
C:\ProgramData\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Public\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Public\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Noelle\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Noelle\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Noelle\AppData\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\Downloads\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\Desktop\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\HELP_DECRYPT.HTML => Moved successfully.
C:\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Public\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Public\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Noelle\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Noelle\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Noelle\AppData\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\Downloads\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\Desktop\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\HELP_DECRYPT.TXT => Moved successfully.
C:\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Public\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Public\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Noelle\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Noelle\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Noelle\AppData\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\Downloads\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\Desktop\HELP_DECRYPT.URL => Moved successfully.
C:\Users\HELP_DECRYPT.URL => Moved successfully.
C:\HELP_DECRYPT.URL => Moved successfully.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Neal\AppData\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Default\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Default\Documents\HELP_DECRYPT.HTML => Moved successfully.
"C:\Users\Default User\Documents\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
C:\Users\Neal\AppData\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Default\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Default\Documents\HELP_DECRYPT.TXT => Moved successfully.
"C:\Users\Default User\Documents\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
C:\Users\Neal\AppData\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Default\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Default\Documents\HELP_DECRYPT.URL => Moved successfully.
"C:\Users\Default User\Documents\HELP_DECRYPT.URL" => File/Directory not found.
C:\Users\Default\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Default\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Default\AppData\HELP_DECRYPT.HTML => Moved successfully.
"C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\Default User\AppData\Local\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\Default User\AppData\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Administrator\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Administrator\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Administrator\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Administrator\AppData\HELP_DECRYPT.HTML => Moved successfully.
"C:\ProgramData\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Default\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Default\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Default\AppData\HELP_DECRYPT.TXT => Moved successfully.
"C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Default User\AppData\Local\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Default User\AppData\HELP_DECRYPT.TXT" => File/Directory not found.
C:\Users\Administrator\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Administrator\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Administrator\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Administrator\AppData\HELP_DECRYPT.TXT => Moved successfully.
"C:\ProgramData\HELP_DECRYPT.TXT" => File/Directory not found.
C:\Users\Default\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Default\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Default\AppData\HELP_DECRYPT.URL => Moved successfully.
"C:\Users\Default User\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\Default User\AppData\Local\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\Default User\AppData\HELP_DECRYPT.URL" => File/Directory not found.
C:\Users\Administrator\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Administrator\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Administrator\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Administrator\AppData\HELP_DECRYPT.URL => Moved successfully.
"C:\ProgramData\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\Neal\AppData\Local\udsfurd.dll" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe" => File/Directory not found.
C:\a9e1cbaf => Moved successfully.
C:\Users\Neal\Desktop\Search.txt => Moved successfully.
C:\Users\Neal\Desktop\Addition.txt => Moved successfully.
C:\Users\Neal\Desktop\FRST.txt => Moved successfully.
C:\Users\Neal\Desktop\FRST64.exe => Moved successfully.
C:\Users\Neal\Downloads\Addition.txt => Moved successfully.

"C:\FRST" directory move:

Could not move "C:\FRST" directory. => Scheduled to move on reboot.

C:\Users\Neal\Downloads\FRST.txt => Moved successfully.
C:\Users\Neal\Downloads\FRST64.exe => Moved successfully.
C:\Users\Public\Documents\HELP_TO_SAVE_FILES.txt => Moved successfully.
"C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
C:\Users\Neal\AppData\HELP_TO_SAVE_FILES.txt => Moved successfully.
"C:\ProgramData\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
C:\Users\Neal\Documents\RECOVERY_FILE.TXT => Moved successfully.
"C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja" => File/Directory not found.
C:\Users\Default\Desktop\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\Roaming\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\Local\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\HELP_TO_SAVE_FILES.txt => Moved successfully.
"C:\Users\Default User\Desktop\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Users\Default User\AppData\Roaming\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Users\Default User\AppData\Local\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Users\Default User\AppData\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt => Moved successfully.
"C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_TO_SAVE_FILES.txt => Moved successfully.
"C:\Program Files\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\log.html" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\key.dat" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\rkdvuiw.exe" => File/Directory not found.
C:\Users\Noelle\AppData\Roaming\WildTangent => Moved successfully.
C:\Users\Neal\.jpi_cache => Moved successfully.
C:\Users\Neal\.java => Moved successfully.
C:\Users\Noelle\Documents\New folder => Moved successfully.
C:\Users\Noelle\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Noelle\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Noelle\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\AppData\Local\toteke => Moved successfully.
"C:\Program Files\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Program Files\Common Files\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\key.dat" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\log.html" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\rkdvuiw.exe" => File/Directory not found.
"C:\Users\Neal\AppData\Local\udsfurd.dll" => File/Directory not found.
"C:\ProgramData\CyberlinkOutput.txt.ezz" => File/Directory not found.
"C:\ProgramData\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\ProgramData\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\ProgramData\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\ProgramData\HELP_DECRYPT.URL" => File/Directory not found.
"C:\ProgramData\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
 
NOTE 1. Use another working computer to download Farbar Recovery Scan Tool. Use USB flash drive to transfer it from good computer to the bad one.
NOTE 2. Install Panda USB Vaccine, or BitDefender’s USB Immunizer on GOOD computer to protect it from any infected USB device.

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt. To access Advanced Boot Options start and shut down computer TWICE. On third start you should see Advanced Boot Options.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
    Note:
    Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2015 01
Ran by SYSTEM on MININT-8MKEEIN on 08-05-2015 10:52:55
Running from f:\
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool:

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1664000 2012-08-19] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916152 2012-08-24] (Synaptics Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491632 2012-09-10] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [93296 2012-07-13] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [581024 2012-09-07] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1342008 2012-09-14] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\qttask.exe [77824 2014-08-18] (Apple Computer, Inc.)
HKLM-x32\...\Run: [toteke] => "C:\Users\Neal\AppData\Local\toteke\toteke.exe"
HKLM-x32\...\Run: [AVrSvc] => C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
Winlogon\Notify\udsfurd-x32: C:\Users\Neal\AppData\Local\udsfurd.dll [X]
HKLM\...\Policies\Explorer\Run: [toteke] => "C:\Users\Neal\AppData\Local\toteke\toteke.exe"
HKU\Administrator\...\Run: [Power2GoExpress8] => C:\Program Files (x86)\CyberLink\Power2Go8\Power2GoExpress8.exe [1707632 2012-09-10] (CyberLink Corp.)
HKU\Administrator\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2014-10-28] (Microsoft Corporation)
HKU\Neal\...\Run: [AVNworks] => C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe [192512 2015-05-02] (Fullerene)
HKU\Neal\...\Run: [Ogics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Neal\AppData\Local\AVNworks\kddxetxs.dll
HKU\Neal\...\Run: [AVrSvc] => C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
HKU\Neal\...\Run: [a9e1cba] => C:\a9e1cbaf\a9e1cbaf.exe
HKU\Neal\...\Run: [a9e1cbaf] => C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
HKU\Noelle\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Bubbles.scr [788480 2014-10-28] (Microsoft Corporation)
HKU\Sean\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2014-10-28] (Microsoft Corporation)
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt [2015-05-05] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe [2015-05-07] ( )
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-03] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG [2015-05-03] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT [2015-05-03] ()
InternetURL: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.gigapaysun.com/1sL7j4w

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-07-04] (Advanced Micro Devices, Inc.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [373312 2015-04-14] (WildTangent)
S2 HPConnectedRemote; C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [35744 2012-10-12] (Hewlett-Packard)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-09-11] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-09-19] (Advanced Micro Devices)
S3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [91648 2012-08-21] (Advanced Micro Devices)
S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [269968 2012-07-03] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [41272 2012-08-24] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [43832 2012-08-24] (Synaptics Incorporated)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
S3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-07 12:19 - 2015-05-08 05:50 - 00000000 ____D () C:\FRST
2015-05-07 11:06 - 2015-05-07 11:06 - 00000000 ____D () C:\Windows\pss
2015-05-05 11:10 - 2015-05-07 12:53 - 00000000 ___HD () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2015-05-04 23:17 - 2015-05-07 12:53 - 00000000 ____D () C:\ProgramData\BlueStacks
2015-05-04 19:12 - 2015-05-04 19:12 - 00000000 ____D () C:\Users\Noelle\Documents\julius caesar
2015-05-02 14:50 - 2015-05-02 14:50 - 00000000 ____D () C:\Users\Neal\AppData\Local\Onics
2015-05-02 14:50 - 2015-05-02 14:50 - 00000000 ____D () C:\Users\Neal\AppData\Local\AVNworks
2015-04-17 06:45 - 2015-04-17 06:45 - 00000000 ____D () C:\Windows\System32\appraiser
2015-04-14 16:50 - 2015-03-23 13:59 - 07476032 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2015-04-14 16:50 - 2015-03-23 13:59 - 01733952 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2015-04-14 16:50 - 2015-03-23 13:59 - 00360480 _____ (Microsoft Corporation) C:\Windows\System32\sechost.dll
2015-04-14 16:50 - 2015-03-23 13:58 - 01498872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-04-14 16:50 - 2015-03-23 13:45 - 00257216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sechost.dll
2015-04-14 16:50 - 2015-03-19 20:12 - 00246272 _____ (Microsoft Corporation) C:\Windows\System32\microsoft-windows-system-events.dll
2015-04-14 16:50 - 2015-03-19 20:10 - 00285184 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2015-04-14 16:50 - 2015-03-19 20:10 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2015-04-14 16:50 - 2015-03-19 19:17 - 00411648 _____ (Microsoft Corporation) C:\Windows\System32\tracerpt.exe
2015-04-14 16:50 - 2015-03-19 18:41 - 00369152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tracerpt.exe
2015-04-14 16:50 - 2015-03-19 18:40 - 00950784 _____ (Microsoft Corporation) C:\Windows\System32\tdh.dll
2015-04-14 16:50 - 2015-03-19 18:16 - 00749568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2015-04-14 16:50 - 2015-03-14 00:20 - 01385256 _____ (Microsoft Corporation) C:\Windows\System32\msctf.dll
2015-04-14 16:50 - 2015-03-14 00:13 - 01124352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2015-04-14 16:50 - 2015-03-12 20:32 - 24980480 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2015-04-14 16:50 - 2015-03-12 19:50 - 06025216 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2015-04-14 16:50 - 2015-03-12 19:42 - 19695616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-04-14 16:50 - 2015-03-12 19:00 - 14397440 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2015-04-14 16:50 - 2015-03-12 18:58 - 00259072 _____ (Microsoft Corporation) C:\Windows\System32\pku2u.dll
2015-04-14 16:50 - 2015-03-12 18:49 - 04305408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-04-14 16:50 - 2015-03-12 18:37 - 00208896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2015-04-14 16:50 - 2015-02-20 15:49 - 00780800 _____ (Microsoft Corporation) C:\Windows\System32\lsm.dll
2015-04-14 16:49 - 2015-03-22 14:45 - 00227328 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
2015-04-14 16:49 - 2015-03-22 14:09 - 01111552 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
2015-04-14 16:49 - 2015-03-22 14:09 - 00957440 _____ (Microsoft Corporation) C:\Windows\System32\appraiser.dll
2015-04-14 16:49 - 2015-03-22 14:09 - 00769024 _____ (Microsoft Corporation) C:\Windows\System32\invagent.dll
2015-04-14 16:49 - 2015-03-22 14:09 - 00726528 _____ (Microsoft Corporation) C:\Windows\System32\generaltel.dll
2015-04-14 16:49 - 2015-03-22 14:09 - 00419328 _____ (Microsoft Corporation) C:\Windows\System32\devinv.dll
2015-04-14 16:49 - 2015-03-22 14:09 - 00030720 _____ (Microsoft Corporation) C:\Windows\System32\acmigration.dll
2015-04-14 16:49 - 2015-03-14 00:54 - 00133256 _____ (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2015-04-14 16:49 - 2015-03-13 17:56 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\wups.dll
2015-04-14 16:49 - 2015-03-13 17:56 - 00052224 _____ (Microsoft Corporation) C:\Windows\System32\wups2.dll
2015-04-14 16:49 - 2015-03-13 17:51 - 00015360 _____ (Microsoft Corporation) C:\Windows\System32\wu.upgrade.ps.dll
2015-04-14 16:49 - 2015-03-13 17:37 - 00267264 _____ (Microsoft Corporation) C:\Windows\System32\WinSetupUI.dll
2015-04-14 16:49 - 2015-03-13 17:14 - 00027136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-04-14 16:49 - 2015-03-13 16:22 - 03678720 _____ (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2015-04-14 16:49 - 2015-03-13 16:12 - 00140288 _____ (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2015-04-14 16:49 - 2015-03-13 16:12 - 00035840 _____ (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2015-04-14 16:49 - 2015-03-13 16:09 - 00200192 _____ (Microsoft Corporation) C:\Windows\System32\storewuauth.dll
2015-04-14 16:49 - 2015-03-13 16:08 - 00408064 _____ (Microsoft Corporation) C:\Windows\System32\WUSettingsProvider.dll
2015-04-14 16:49 - 2015-03-13 16:08 - 00095744 _____ (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2015-04-14 16:49 - 2015-03-13 16:06 - 02373632 _____ (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2015-04-14 16:49 - 2015-03-13 16:06 - 00891392 _____ (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2015-04-14 16:49 - 2015-03-13 16:02 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-04-14 16:49 - 2015-03-13 16:02 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-04-14 16:49 - 2015-03-13 15:59 - 00721920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-04-14 16:49 - 2015-03-13 15:59 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-04-14 16:49 - 2015-03-12 20:08 - 00584192 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2015-04-14 16:49 - 2015-03-12 20:07 - 02886144 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2015-04-14 16:49 - 2015-03-12 19:53 - 00816128 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2015-04-14 16:49 - 2015-03-12 19:28 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-04-14 16:49 - 2015-03-12 19:26 - 00092160 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2015-04-14 16:49 - 2015-03-12 19:22 - 02278400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-04-14 16:49 - 2015-03-12 19:17 - 01032704 _____ (Microsoft Corporation) C:\Windows\System32\inetcomm.dll
2015-04-14 16:49 - 2015-03-12 19:16 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-04-14 16:49 - 2015-03-12 19:08 - 00720384 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2015-04-14 16:49 - 2015-03-12 19:07 - 00801280 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2015-04-14 16:49 - 2015-03-12 18:50 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-04-14 16:49 - 2015-03-12 18:45 - 02358784 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2015-04-14 16:49 - 2015-03-12 18:44 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-04-14 16:49 - 2015-03-12 18:34 - 12825600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-04-14 16:49 - 2015-03-12 18:33 - 01548288 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2015-04-14 16:49 - 2015-03-12 18:22 - 00800768 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2015-04-14 16:49 - 2015-03-12 18:20 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-04-14 16:49 - 2015-03-12 18:16 - 01311232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-04-14 16:49 - 2015-03-12 18:14 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-04-14 16:49 - 2015-03-04 02:25 - 00377152 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\clfs.sys
2015-04-14 16:49 - 2015-03-03 19:04 - 00075264 _____ (Microsoft Corporation) C:\Windows\System32\clfsw32.dll
2015-04-14 16:49 - 2015-03-03 18:19 - 00058880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\clfsw32.dll
2015-04-14 16:49 - 2015-02-24 00:32 - 00991552 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\http.sys
2015-04-14 16:49 - 2014-12-02 15:09 - 00192000 _____ (Microsoft Corporation) C:\Windows\System32\aepic.dll
2015-04-08 09:05 - 2015-04-08 09:06 - 00000000 ___SD () C:\Windows\System32\GWX
2015-04-08 09:05 - 2015-04-08 09:05 - 00000000 ___SD () C:\Windows\SysWOW64\GWX

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-08 06:17 - 2014-09-11 13:13 - 01818681 _____ () C:\Windows\WindowsUpdate.log
2015-05-08 05:50 - 2014-03-18 01:54 - 00055204 _____ () C:\Windows\PFRO.log
2015-05-08 05:49 - 2014-09-11 13:28 - 00000000 ____D () C:\users\Neal
2015-05-08 05:48 - 2014-09-11 13:28 - 00000000 ____D () C:\users\Noelle
2015-05-08 05:48 - 2014-09-11 13:28 - 00000000 ____D () C:\users\Administrator
2015-05-08 05:48 - 2013-08-22 05:36 - 00000000 __RHD () C:\users\Default
2015-05-07 12:54 - 2014-12-22 17:58 - 00000000 ____D () C:\Users\Neal\Documents\CyberLink
2015-05-07 12:54 - 2014-11-05 11:25 - 00000000 ____D () C:\Users\Neal\Desktop\noelle
2015-05-07 12:54 - 2014-09-30 12:50 - 00000000 ____D () C:\Users\Neal\Desktop\Master bath
2015-05-07 12:54 - 2014-09-27 05:39 - 00000000 ____D () C:\Users\Neal\Desktop\RN Liscense
2015-05-07 12:54 - 2014-09-13 11:40 - 00000000 ____D () C:\Users\Neal\Desktop\Hurst Review
2015-05-07 12:54 - 2014-09-03 05:33 - 00000000 ____D () C:\Users\Neal\Desktop\STVE
2015-05-07 12:54 - 2014-08-17 22:43 - 00000000 ____D () C:\Users\Neal\Desktop\General Sciencev2-MP3
2015-05-07 12:54 - 2014-08-17 21:52 - 00000000 ____D () C:\Users\Neal\.javaws
2015-05-07 12:53 - 2014-09-11 16:09 - 00000000 __SHD () C:\Recovery
2015-05-07 12:53 - 2014-09-11 13:17 - 00000000 ____D () C:\ProgramData\AMD
2015-05-07 12:53 - 2014-09-11 13:16 - 00000000 ____D () C:\ProgramData\Package Cache
2015-05-07 12:53 - 2014-09-08 04:29 - 00000000 ____D () C:\ProgramData\lx_Cats
2015-05-07 12:53 - 2014-08-18 17:50 - 00000000 ____D () C:\ProgramData\QuickTime
2015-05-07 12:53 - 2014-08-18 10:14 - 00000000 ____D () C:\ProgramData\Mozilla
2015-05-07 12:53 - 2014-07-11 11:35 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\ATI
2015-05-07 12:53 - 2014-07-11 11:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\ATI
2015-05-07 12:53 - 2014-07-11 11:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\AMD
2015-05-07 12:53 - 2014-07-11 11:35 - 00000000 ____D () C:\ProgramData\ATI
2015-05-07 12:53 - 2014-07-11 11:24 - 00000000 ____D () C:\ProgramData\Norton
2015-05-07 12:53 - 2014-07-11 11:16 - 00000000 ____D () C:\ProgramData\CyberLink
2015-05-07 12:53 - 2014-07-11 11:00 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Downloaded Installations
2015-05-07 12:53 - 2014-07-11 10:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Synaptics
2015-05-07 12:53 - 2014-07-11 10:56 - 00000000 ____D () C:\ProgramData\Synaptics
2015-05-07 12:53 - 2014-07-11 10:53 - 00000000 ____D () C:\ProgramData\Qualcomm Atheros
2015-05-07 12:53 - 2014-07-11 10:52 - 00000000 ____D () C:\ProgramData\Apple
2015-05-07 12:53 - 2012-10-29 18:18 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\FFSJ
2015-05-07 12:53 - 2012-10-29 18:16 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Hewlett-Packard
2015-05-07 12:53 - 2012-10-29 18:16 - 00000000 ____D () C:\ProgramData\WildTangent
2015-05-07 12:53 - 2012-10-29 18:10 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2015-05-07 12:53 - 2012-10-29 18:06 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Windows Live
2015-05-07 12:53 - 2012-10-29 18:06 - 00000000 ____D () C:\ProgramData\Microsoft SkyDrive
2015-05-07 12:53 - 2012-10-29 17:58 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\hpqLog
2015-05-07 12:53 - 2012-10-29 17:58 - 00000000 ____D () C:\ProgramData\install_clap
2015-05-07 12:53 - 2012-10-29 17:55 - 00000000 ___HD () C:\Users\Administrator\Documents\hp.system.package.metadata
2015-05-07 12:53 - 2012-08-03 16:02 - 00000000 __RHD () C:\SYSTEM.SAV
2015-05-07 12:53 - 2012-08-03 16:02 - 00000000 ____D () C:\SWSetup
2015-05-07 12:53 - 2012-08-03 14:29 - 00000000 ____D () C:\ProgramData\PRICache
2015-05-07 12:53 - 2012-08-03 14:28 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
2015-05-07 12:52 - 2014-09-11 15:59 - 00000000 ____D () C:\inetpub
2015-05-07 12:52 - 2014-09-11 13:12 - 00000000 ____D () C:\AMD
2015-05-07 12:52 - 2014-08-18 11:51 - 00000000 ___HD () C:\$SysReset
2015-05-07 11:06 - 2013-08-22 06:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-07 11:00 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\System32\sru
2015-05-07 10:59 - 2014-09-11 14:08 - 00000000 __RDO () C:\Users\Neal\OneDrive
2015-05-07 10:58 - 2013-08-22 06:46 - 00422594 _____ () C:\Windows\setupact.log
2015-05-07 10:54 - 2012-10-29 18:07 - 00000000 ___RD () C:\Users\Administrator\SkyDrive
2015-05-07 10:25 - 2014-09-08 16:54 - 00007332 _____ () C:\Users\Neal\Desktop\double barn doors.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:47 - 00009396 _____ () C:\Users\Neal\Desktop\tile size.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:45 - 00005972 _____ () C:\Users\Neal\Desktop\barn door.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:38 - 00006772 _____ () C:\Users\Neal\Desktop\imagesCAVYFP72.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:35 - 00009460 _____ () C:\Users\Neal\Desktop\imagesCA7CH076.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:30 - 00007556 _____ () C:\Users\Neal\Desktop\imagesCASKJVS5.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:22 - 00008660 _____ () C:\Users\Neal\Desktop\stone shower.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:19 - 00072372 _____ () C:\Users\Neal\Desktop\Nice-Rustic-Wooden-Look-in-Western-Style-Bathroom-Interior.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:14 - 00021940 _____ () C:\Users\Neal\Desktop\stoneshowers3.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:13 - 00126212 _____ () C:\Users\Neal\Desktop\shower-designs_stone.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:11 - 00145892 _____ () C:\Users\Neal\Desktop\bathroom-natural-cream-small-bathroom-renovation-idea-with-cream-stone-wall-colorful-border-and-shower-nice-small-bathroom-renovation-ideas-972x650.jpg.ezz
2015-05-07 10:25 - 2014-09-08 16:06 - 00042676 _____ () C:\Users\Neal\Desktop\thumb4_wlshower.jpg.ezz
2015-05-07 10:25 - 2014-08-17 20:39 - 10782340 _____ () C:\Users\Neal\Documents\9781616251185_ApologiaExploringCreationWithG.pdf.ezz
2015-05-07 10:25 - 2014-08-17 20:35 - 24867156 _____ () C:\Users\Neal\Desktop\9781616251345_ApologiaExploringCreationWithB.pdf.ezz
2015-05-07 10:25 - 2014-08-17 18:22 - 10782340 _____ () C:\Users\Neal\Desktop\9781616251185_ApologiaExploringCreationWithG.pdf.ezz
2015-05-07 10:25 - 2014-07-11 13:24 - 01440996 _____ () C:\Users\Neal\Desktop\CRCS Handbook.pdf.ezz
2015-05-07 10:13 - 2015-01-08 23:01 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4105420370-3369507210-3028615837-1004
2015-05-07 09:47 - 2015-01-08 22:59 - 00000000 ___RD () C:\Users\Noelle\OneDrive
2015-05-06 22:07 - 2015-01-08 22:55 - 00003942 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{C556DA80-233A-4939-81B7-D4F612CB4826}
2015-05-05 11:31 - 2012-10-29 17:58 - 00000000 ____D () C:\ProgramData\Temp
2015-05-05 11:30 - 2014-08-18 09:58 - 00000164 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz
2015-05-05 11:21 - 2012-08-03 14:28 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Packages
2015-05-05 11:18 - 2014-03-18 01:45 - 00000000 ____D () C:\Program Files\Windows Journal
2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\WindowsPowerShell
2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Windows Portable Devices
2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Windows Multimedia Platform
2015-05-05 11:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Windows Defender
2015-05-05 11:17 - 2014-09-11 13:12 - 00000000 ____D () C:\Program Files\Common Files\ATI Technologies
2015-05-05 11:17 - 2014-07-11 10:52 - 00000000 ____D () C:\Program Files\Bonjour
2015-05-05 11:17 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Common Files\Services
2015-05-05 11:17 - 2013-08-22 07:36 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-05-05 11:17 - 2012-09-18 18:56 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2015-05-04 23:16 - 2012-10-29 18:16 - 00000000 ____D () C:\Program Files (x86)\WildTangent Games
2015-05-04 12:46 - 2014-08-15 06:06 - 00000000 ____D () C:\Users\Public\Documents\TT Algebra 1
2015-05-03 12:12 - 2015-03-16 09:27 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\Mozilla
2015-05-03 12:12 - 2015-01-21 10:05 - 00000000 ____D () C:\Users\Noelle\Documents\CyberLink
2015-05-03 12:12 - 2015-01-08 22:57 - 00000000 ____D () C:\Users\Noelle\AppData\Local\AMD
2015-05-03 12:12 - 2015-01-08 22:55 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\Adobe
2015-05-03 12:10 - 2014-08-18 10:15 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Mozilla
2015-05-03 12:10 - 2014-08-18 10:00 - 00000000 ____D () C:\Users\Neal\AppData\Local\AMD
2015-05-03 12:10 - 2014-08-18 09:58 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Hewlett-Packard
2015-05-03 12:10 - 2014-08-18 09:56 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Adobe
2015-05-03 12:10 - 2014-08-18 09:53 - 00000000 ____D () C:\Users\Neal\AppData\Local\Power2Go8
2015-04-20 10:56 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\rescache
2015-04-18 17:18 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\AppCompat
2015-04-17 06:52 - 2014-03-18 02:03 - 00956480 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-04-17 06:45 - 2015-03-29 18:04 - 00000000 ___SD () C:\Windows\System32\CompatTel
2015-04-14 17:35 - 2014-08-22 21:19 - 00000000 ____D () C:\Windows\System32\MRT
2015-04-14 17:33 - 2014-08-22 21:19 - 128913832 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2015-04-14 17:33 - 2012-07-25 23:59 - 00000000 ____D () C:\Windows\CbsTemp

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2015-03-16 09:59] - [2014-10-28 17:22] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437

C:\Windows\System32\wininit.exe
[2015-03-16 09:57] - [2014-10-28 17:25] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380

C:\Windows\explorer.exe
[2015-03-11 08:44] - [2015-01-27 15:47] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88

C:\Windows\SysWOW64\explorer.exe
[2015-03-11 08:44] - [2015-01-27 15:41] - 2207488 ____A (Microsoft Corporation) 91E24273FCA076EA9E65DAFA98901225

C:\Windows\System32\svchost.exe
[2015-03-16 09:57] - [2014-10-28 20:11] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47

C:\Windows\SysWOW64\svchost.exe
[2015-03-16 09:57] - [2014-10-28 19:17] - 0033088 ____A (Microsoft Corporation) D0ABC231C0B3E88C6B612B28ABBF734D

C:\Windows\System32\services.exe
[2015-03-16 10:00] - [2014-10-28 19:53] - 0411128 ____A (Microsoft Corporation) 5BF02EBEFEDC706318C96E2E60EDCB91

C:\Windows\System32\User32.dll
[2015-03-16 10:02] - [2014-10-28 20:00] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

C:\Windows\SysWOW64\User32.dll
[2015-03-16 10:02] - [2014-10-28 17:04] - 1376256 ____A (Microsoft Corporation) 76C5CF09F53A3B089B5581B9938F8CAE

C:\Windows\System32\userinit.exe
[2015-03-16 09:57] - [2014-10-28 17:28] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F

C:\Windows\SysWOW64\userinit.exe
[2015-03-16 09:57] - [2014-10-28 17:05] - 0022528 ____A (Microsoft Corporation) D10643FC0095434C819316CA6CD748C0

C:\Windows\System32\rpcss.dll
[2015-03-16 10:01] - [2014-10-28 17:19] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00

ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2015-04-27 10:21:09
Restore point made on: 2015-04-27 10:21:15
Restore point made on: 2015-04-27 10:21:16
Restore point made on: 2015-04-27 10:21:17
Restore point made on: 2015-04-27 10:21:25
Restore point made on: 2015-04-27 10:21:27

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3554.26 MB
Available physical RAM: 2800.33 MB
Total Pagefile: 3554.26 MB
Available Pagefile: 2822.92 MB
Total Virtual: 131072 MB
Available Virtual: 131071.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:565.37 GB) (Free:523.59 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:29.6 GB) (Free:3.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:0.49 GB) (Free:0.31 GB) FAT
Drive g: () (Fixed) (Total:0.44 GB) (Free:0.11 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 596.2 GB) (Disk ID: 4FBE1E19)

Partition: GPT Partition Type.

========================================================
Disk: 1 (Size: 498.1 MB) (Disk ID: 0006736D)
Partition 1: (Active) - (Size=498 MB) - (Type=0E)


LastRegBack: 2015-05-03 12:35

==================== End Of Log ============================
 
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7/8: Now please enter System Recovery Options.
On Windows XP: Now please boot into the OTLPE CD.
Run FRST(FRST64) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if you can boot normally.
 

Attachments

  • fixlist.txt
    2.4 KB

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2015 01
Ran by SYSTEM at 2015-05-08 11:41:27 Run:2
Running from f:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM-x32\...\Run: [toteke] => "C:\Users\Neal\AppData\Local\toteke\toteke.exe"
HKLM-x32\...\Run: [AVrSvc] => C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
Winlogon\Notify\udsfurd-x32: C:\Users\Neal\AppData\Local\udsfurd.dll [X]
C:\Users\Neal\AppData\Local\toteke\toteke.exe
C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
HKLM\...\Policies\Explorer\Run: [toteke] => "C:\Users\Neal\AppData\Local\toteke\toteke.exe"
HKU\Neal\...\Run: [Ogics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Neal\AppData\Local\AVNworks\kddxetxs.dll
HKU\Neal\...\Run: [AVrSvc] => C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
HKU\Neal\...\Run: [a9e1cba] => C:\a9e1cbaf\a9e1cbaf.exe
HKU\Neal\...\Run: [a9e1cbaf] => C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
C:\Users\Neal\AppData\Local\AVNworks\kddxetxs.dll
C:\Users\Neal\AppData\Roaming\rkdvuiw.exe
C:\a9e1cbaf\a9e1cbaf.exe
C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt [2015-05-05] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe [2015-05-07] ( )
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-03] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG [2015-05-03] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT [2015-05-03] ()
InternetURL: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.gigapaysun.com/1sL7j4w
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL
2015-05-02 14:50 - 2015-05-02 14:50 - 00000000 ____D () C:\Users\Neal\AppData\Local\Onics
2015-05-02 14:50 - 2015-05-02 14:50 - 00000000 ____D () C:\Users\Neal\AppData\Local\AVNworks

*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\toteke => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AVrSvc => value deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\udsfurd" => Key deleted successfully.
"C:\Users\Neal\AppData\Local\toteke\toteke.exe" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\rkdvuiw.exe" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\toteke => value deleted successfully.
HKU\Neal\Software\Microsoft\Windows\CurrentVersion\Run\\Ogics => value deleted successfully.
HKU\Neal\Software\Microsoft\Windows\CurrentVersion\Run\\AVrSvc => value deleted successfully.
HKU\Neal\Software\Microsoft\Windows\CurrentVersion\Run\\a9e1cba => value deleted successfully.
HKU\Neal\Software\Microsoft\Windows\CurrentVersion\Run\\a9e1cbaf => value deleted successfully.
C:\Users\Neal\AppData\Local\AVNworks\kddxetxs.dll => Moved successfully.
"C:\Users\Neal\AppData\Roaming\rkdvuiw.exe" => File/Directory not found.
"C:\a9e1cbaf\a9e1cbaf.exe" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\a9e1cbaf.exe" => File/Directory not found.
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt => Moved successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe => Moved successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_TO_SAVE_FILES.txt" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9e1cbaf.exe" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL" => File/Directory not found.
C:\Users\Neal\AppData\Local\Onics => Moved successfully.
C:\Users\Neal\AppData\Local\AVNworks => Moved successfully.

==== End of Fixlog 11:41:38 ====
 
So far so good. Booted in normal mode. Created a test text doc. It is not encrypted. Has not yet hibernated or rebooted itself.
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply.
 
Wow, that took forever, and it's back.
I downloaded Farbar in Normal mode and scanned. The next post will be the FRST log, then the Addition log.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2015 01
Ran by Neal (administrator) on HOMESCHOOL1 on 08-05-2015 12:55:29
Running from C:\Users\Neal\Desktop
Loaded Profiles: Neal (Available profiles: Neal & Sean & Noelle & Administrator)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool:

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Apple Computer, Inc.) C:\Program Files (x86)\QuickTime\qttask.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Local\Temp\8FB3.tmp
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
() C:\Users\Neal\AppData\Local\Temp\9FD4.tmp
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\SysWOW64\logagent.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\wermgr.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
Failed to access process -> HPConnectedRemoteService.exe
(Microsoft Corporation) C:\Windows\System32\WerFault.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Failed to access process -> HPConnectedRemoteService.exe
(Microsoft Corporation) C:\Windows\System32\WerFault.exe
Failed to access process -> HPConnectedRemoteService.exe
(Microsoft Corporation) C:\Windows\System32\WerFault.exe
Failed to access process -> HPConnectedRemoteService.exe
(Microsoft Corporation) C:\Windows\System32\WerFault.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dvdupgrd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhst3g.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20413_x64__8wekyb3d8bbwe\livecomm.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\NAPSTAT.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1664000 2012-08-20] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916152 2012-08-24] (Synaptics Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491632 2012-09-10] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [93296 2012-07-13] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [581024 2012-09-07] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1342008 2012-09-14] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\qttask.exe [77824 2014-08-18] (Apple Computer, Inc.)
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [AVNworks] => C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [udsfurd] => rundll32 "C:\Users\Neal\AppData\Local\udsfurd.dll",udsfurd <===== ATTENTION
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [BluetoothManager] => rundll32.exe "%appdata%\Microsoft\bstack.dll",bs_init
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("qvnoq7<odv!@buhwdYNckdbu)#VRbshq (the data entry has 27907 more characters). <==== Poweliks!
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-08] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG [2015-05-08] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT [2015-05-08] ()
InternetURL: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.gigapaysun.com/1sL7j4w
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT13/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT13/1
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT13/1
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT13/1
SearchScopes: HKLM -> {72A94EC8-3F90-47F1-9886-E2A151F94BD1} URL = http://www.amazon.com/s/ref=azs_osd...ode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {72A94EC8-3F90-47F1-9886-E2A151F94BD1} URL = http://www.amazon.com/s/ref=azs_osd...ode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002 -> {72A94EC8-3F90-47F1-9886-E2A151F94BD1} URL = http://www.amazon.com/s/ref=azs_osd...ode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll No File
Toolbar: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll [2012-08-08] (Adobe Systems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3503.0728 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-07-28] (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2014-11-14] ()
FF Extension: Windows Script Host Shell Object - C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F} [2015-05-02]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-07-04] (Advanced Micro Devices, Inc.) [File not signed]
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [373312 2015-04-14] (WildTangent)
R2 HPConnectedRemote; C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [35744 2012-10-12] (Hewlett-Packard)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2451456 2012-07-13] (Realsil Microelectronics Inc.) [File not signed]
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-09-11] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-09-20] (Advanced Micro Devices)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [91648 2012-08-21] (Advanced Micro Devices)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [269968 2012-07-03] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [41272 2012-08-24] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [43832 2012-08-24] (Synaptics Incorporated)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-08 12:55 - 2015-05-08 13:03 - 00013856 _____ () C:\Users\Neal\Desktop\FRST.txt
2015-05-08 12:54 - 2015-05-08 12:49 - 02102272 _____ (Farbar) C:\Users\Neal\Desktop\FRST64.exe
2015-05-08 12:49 - 2015-05-08 12:53 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Local Store
2015-05-08 12:48 - 2015-05-08 12:48 - 00008602 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.HTML
2015-05-08 12:48 - 2015-05-08 12:48 - 00000284 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.URL
2015-05-08 12:47 - 2015-05-08 12:47 - 00008602 _____ () C:\Users\Neal\HELP_DECRYPT.HTML
2015-05-08 12:47 - 2015-05-08 12:47 - 00004244 _____ () C:\Users\Neal\HELP_DECRYPT.TXT
2015-05-08 12:47 - 2015-05-08 12:47 - 00004244 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.TXT
2015-05-08 12:47 - 2015-05-08 12:47 - 00000284 _____ () C:\Users\Neal\HELP_DECRYPT.URL
2015-05-08 12:45 - 2015-05-08 12:49 - 02102272 _____ (Farbar) C:\Users\Neal\Downloads\FRST64.exe
2015-05-08 12:45 - 2015-05-08 12:45 - 00008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-08 12:45 - 2015-05-08 12:45 - 00008602 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.HTML
2015-05-08 12:45 - 2015-05-08 12:45 - 00004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-08 12:45 - 2015-05-08 12:45 - 00004244 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.TXT
2015-05-08 12:45 - 2015-05-08 12:45 - 00000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
2015-05-08 12:45 - 2015-05-08 12:45 - 00000284 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.URL
2015-05-08 12:41 - 2015-05-08 12:41 - 00061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
2015-05-08 12:40 - 2015-05-08 12:40 - 01141248 _____ (Farbar) C:\Users\Neal\Downloads\FRST.exe
2015-05-08 12:40 - 2015-05-08 12:40 - 00051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
2015-05-08 11:48 - 2015-05-08 11:48 - 00000288 _____ () C:\Users\Neal\Desktop\test.txt
2015-05-08 11:45 - 2015-05-08 11:45 - 00000000 ____D () C:\HP
2015-05-07 15:19 - 2015-05-08 12:56 - 00000000 ____D () C:\FRST
2015-05-07 14:06 - 2015-05-07 14:06 - 00000000 ____D () C:\WINDOWS\pss
2015-05-07 11:46 - 2015-05-07 11:46 - 00000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
2015-05-05 14:10 - 2015-05-08 12:43 - 00000000 ___HD () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2015-05-05 02:17 - 2015-05-07 15:53 - 00000000 ____D () C:\ProgramData\BlueStacks
2015-05-04 22:12 - 2015-05-04 22:12 - 00000000 ____D () C:\Users\Noelle\Documents\julius caesar
2015-04-17 09:45 - 2015-04-17 09:45 - 00000000 ____D () C:\WINDOWS\system32\appraiser
2015-04-14 19:50 - 2015-03-23 16:59 - 07476032 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-04-14 19:50 - 2015-03-23 16:59 - 01733952 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-04-14 19:50 - 2015-03-23 16:59 - 00360480 _____ (Microsoft Corporation) C:\WINDOWS\system32\sechost.dll
2015-04-14 19:50 - 2015-03-23 16:58 - 01498872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-04-14 19:50 - 2015-03-23 16:45 - 00257216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sechost.dll
2015-04-14 19:50 - 2015-03-19 23:12 - 00246272 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
2015-04-14 19:50 - 2015-03-19 23:10 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2015-04-14 19:50 - 2015-03-19 23:10 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
2015-04-14 19:50 - 2015-03-19 22:17 - 00411648 _____ (Microsoft Corporation) C:\WINDOWS\system32\tracerpt.exe
2015-04-14 19:50 - 2015-03-19 21:41 - 00369152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tracerpt.exe
2015-04-14 19:50 - 2015-03-19 21:40 - 00950784 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdh.dll
2015-04-14 19:50 - 2015-03-19 21:16 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdh.dll
2015-04-14 19:50 - 2015-03-14 03:20 - 01385256 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
2015-04-14 19:50 - 2015-03-14 03:13 - 01124352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll
2015-04-14 19:50 - 2015-03-12 23:32 - 24980480 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-04-14 19:50 - 2015-03-12 22:50 - 06025216 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-04-14 19:50 - 2015-03-12 22:42 - 19695616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-04-14 19:50 - 2015-03-12 22:00 - 14397440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-04-14 19:50 - 2015-03-12 21:58 - 00259072 _____ (Microsoft Corporation) C:\WINDOWS\system32\pku2u.dll
2015-04-14 19:50 - 2015-03-12 21:49 - 04305408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-04-14 19:50 - 2015-03-12 21:37 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\pku2u.dll
2015-04-14 19:50 - 2015-02-20 18:49 - 00780800 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsm.dll
2015-04-14 19:49 - 2015-03-22 17:45 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll
2015-04-14 19:49 - 2015-03-22 17:09 - 01111552 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-04-14 19:49 - 2015-03-22 17:09 - 00957440 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-04-14 19:49 - 2015-03-22 17:09 - 00769024 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-04-14 19:49 - 2015-03-22 17:09 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-04-14 19:49 - 2015-03-22 17:09 - 00419328 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-04-14 19:49 - 2015-03-22 17:09 - 00030720 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2015-04-14 19:49 - 2015-03-14 03:54 - 00133256 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-04-14 19:49 - 2015-03-13 20:56 - 00066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2015-04-14 19:49 - 2015-03-13 20:56 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
2015-04-14 19:49 - 2015-03-13 20:51 - 00015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wu.upgrade.ps.dll
2015-04-14 19:49 - 2015-03-13 20:37 - 00267264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSetupUI.dll
2015-04-14 19:49 - 2015-03-13 20:14 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
2015-04-14 19:49 - 2015-03-13 19:22 - 03678720 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-04-14 19:49 - 2015-03-13 19:12 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-04-14 19:49 - 2015-03-13 19:12 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-04-14 19:49 - 2015-03-13 19:09 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2015-04-14 19:49 - 2015-03-13 19:08 - 00408064 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-04-14 19:49 - 2015-03-13 19:08 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-04-14 19:49 - 2015-03-13 19:06 - 02373632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-04-14 19:49 - 2015-03-13 19:06 - 00891392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-04-14 19:49 - 2015-03-13 19:02 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-04-14 19:49 - 2015-03-13 19:02 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-04-14 19:49 - 2015-03-13 18:59 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-04-14 19:49 - 2015-03-13 18:59 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-04-14 19:49 - 2015-03-12 23:08 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-04-14 19:49 - 2015-03-12 23:07 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-04-14 19:49 - 2015-03-12 22:53 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-04-14 19:49 - 2015-03-12 22:28 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-04-14 19:49 - 2015-03-12 22:26 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-04-14 19:49 - 2015-03-12 22:22 - 02278400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-04-14 19:49 - 2015-03-12 22:17 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-04-14 19:49 - 2015-03-12 22:16 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-04-14 19:49 - 2015-03-12 22:08 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-04-14 19:49 - 2015-03-12 22:07 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-04-14 19:49 - 2015-03-12 21:50 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-04-14 19:49 - 2015-03-12 21:45 - 02358784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-04-14 19:49 - 2015-03-12 21:44 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-04-14 19:49 - 2015-03-12 21:34 - 12825600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-04-14 19:49 - 2015-03-12 21:33 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-04-14 19:49 - 2015-03-12 21:22 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-04-14 19:49 - 2015-03-12 21:20 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-04-14 19:49 - 2015-03-12 21:16 - 01311232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-04-14 19:49 - 2015-03-12 21:14 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-04-14 19:49 - 2015-03-04 05:25 - 00377152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\clfs.sys
2015-04-14 19:49 - 2015-03-03 22:04 - 00075264 _____ (Microsoft Corporation) C:\WINDOWS\system32\clfsw32.dll
2015-04-14 19:49 - 2015-03-03 21:19 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\clfsw32.dll
2015-04-14 19:49 - 2015-02-24 03:32 - 00991552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
2015-04-14 19:49 - 2014-12-02 18:09 - 00192000 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2015-04-08 12:05 - 2015-04-08 12:06 - 00000000 ___SD () C:\WINDOWS\system32\GWX
2015-04-08 12:05 - 2015-04-08 12:05 - 00000000 ___SD () C:\WINDOWS\SysWOW64\GWX

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-08 13:00 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-05-08 12:47 - 2014-09-11 16:28 - 00000000 ____D () C:\Users\Neal
2015-05-08 12:38 - 2014-09-11 17:08 - 00000000 __RDO () C:\Users\Neal\OneDrive
2015-05-08 12:37 - 2013-08-22 09:46 - 00422748 _____ () C:\WINDOWS\setupact.log
2015-05-08 12:37 - 2013-08-22 09:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-05-08 12:37 - 2013-08-22 08:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
2015-05-08 11:55 - 2014-08-18 12:57 - 00003934 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{E6DB391A-67E2-49DF-ADDD-A578345A07FB}
2015-05-08 09:17 - 2014-09-11 16:13 - 01818681 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-08 08:50 - 2014-03-18 04:54 - 00055204 _____ () C:\WINDOWS\PFRO.log
2015-05-08 08:48 - 2014-09-11 16:28 - 00000000 ____D () C:\Users\Noelle
2015-05-08 08:48 - 2014-09-11 16:28 - 00000000 ____D () C:\Users\Administrator
2015-05-08 08:48 - 2013-08-22 08:36 - 00000000 __RHD () C:\Users\Default
2015-05-07 15:54 - 2014-12-22 20:58 - 00000000 ____D () C:\Users\Neal\Documents\CyberLink
2015-05-07 15:54 - 2014-11-05 14:25 - 00000000 ____D () C:\Users\Neal\Desktop\noelle
2015-05-07 15:54 - 2014-09-30 15:50 - 00000000 ____D () C:\Users\Neal\Desktop\Master bath
2015-05-07 15:54 - 2014-09-27 08:39 - 00000000 ____D () C:\Users\Neal\Desktop\RN Liscense
2015-05-07 15:54 - 2014-09-13 14:40 - 00000000 ____D () C:\Users\Neal\Desktop\Hurst Review
2015-05-07 15:54 - 2014-09-03 08:33 - 00000000 ____D () C:\Users\Neal\Desktop\STVE
2015-05-07 15:54 - 2014-08-18 01:43 - 00000000 ____D () C:\Users\Neal\Desktop\General Sciencev2-MP3
2015-05-07 15:54 - 2014-08-18 00:52 - 00000000 ____D () C:\Users\Neal\.javaws
2015-05-07 15:53 - 2014-09-11 19:09 - 00000000 __SHD () C:\Recovery
2015-05-07 15:53 - 2014-09-11 16:17 - 00000000 ____D () C:\ProgramData\AMD
2015-05-07 15:53 - 2014-09-11 16:16 - 00000000 ____D () C:\ProgramData\Package Cache
2015-05-07 15:53 - 2014-09-08 07:29 - 00000000 ____D () C:\ProgramData\lx_Cats
2015-05-07 15:53 - 2014-08-18 20:50 - 00000000 ____D () C:\ProgramData\QuickTime
2015-05-07 15:53 - 2014-08-18 13:14 - 00000000 ____D () C:\ProgramData\Mozilla
2015-05-07 15:53 - 2014-07-11 14:35 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\ATI
2015-05-07 15:53 - 2014-07-11 14:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\ATI
2015-05-07 15:53 - 2014-07-11 14:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\AMD
2015-05-07 15:53 - 2014-07-11 14:35 - 00000000 ____D () C:\ProgramData\ATI
2015-05-07 15:53 - 2014-07-11 14:24 - 00000000 ____D () C:\ProgramData\Norton
2015-05-07 15:53 - 2014-07-11 14:16 - 00000000 ____D () C:\ProgramData\CyberLink
2015-05-07 15:53 - 2014-07-11 14:00 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Downloaded Installations
2015-05-07 15:53 - 2014-07-11 13:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Synaptics
2015-05-07 15:53 - 2014-07-11 13:56 - 00000000 ____D () C:\ProgramData\Synaptics
2015-05-07 15:53 - 2014-07-11 13:53 - 00000000 ____D () C:\ProgramData\Qualcomm Atheros
2015-05-07 15:53 - 2014-07-11 13:52 - 00000000 ____D () C:\ProgramData\Apple
2015-05-07 15:53 - 2012-10-29 21:18 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\FFSJ
2015-05-07 15:53 - 2012-10-29 21:16 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Hewlett-Packard
2015-05-07 15:53 - 2012-10-29 21:16 - 00000000 ____D () C:\ProgramData\WildTangent
2015-05-07 15:53 - 2012-10-29 21:10 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2015-05-07 15:53 - 2012-10-29 21:06 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Windows Live
2015-05-07 15:53 - 2012-10-29 21:06 - 00000000 ____D () C:\ProgramData\Microsoft SkyDrive
2015-05-07 15:53 - 2012-10-29 20:58 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\hpqLog
2015-05-07 15:53 - 2012-10-29 20:58 - 00000000 ____D () C:\ProgramData\install_clap
2015-05-07 15:53 - 2012-10-29 20:55 - 00000000 ___HD () C:\Users\Administrator\Documents\hp.system.package.metadata
2015-05-07 15:53 - 2012-08-03 19:02 - 00000000 __RHD () C:\SYSTEM.SAV
2015-05-07 15:53 - 2012-08-03 19:02 - 00000000 ____D () C:\SWSetup
2015-05-07 15:53 - 2012-08-03 17:29 - 00000000 ____D () C:\ProgramData\PRICache
2015-05-07 15:53 - 2012-08-03 17:28 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
2015-05-07 15:52 - 2014-09-11 18:59 - 00000000 ____D () C:\inetpub
2015-05-07 15:52 - 2014-09-11 16:12 - 00000000 ____D () C:\AMD
2015-05-07 15:52 - 2014-08-18 14:51 - 00000000 ___HD () C:\$SysReset
2015-05-07 13:54 - 2012-10-29 21:07 - 00000000 ___RD () C:\Users\Administrator\SkyDrive
2015-05-07 13:25 - 2014-09-08 19:54 - 00007332 _____ () C:\Users\Neal\Desktop\double barn doors.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:47 - 00009396 _____ () C:\Users\Neal\Desktop\tile size.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:45 - 00005972 _____ () C:\Users\Neal\Desktop\barn door.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:38 - 00006772 _____ () C:\Users\Neal\Desktop\imagesCAVYFP72.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:35 - 00009460 _____ () C:\Users\Neal\Desktop\imagesCA7CH076.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:30 - 00007556 _____ () C:\Users\Neal\Desktop\imagesCASKJVS5.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:22 - 00008660 _____ () C:\Users\Neal\Desktop\stone shower.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:19 - 00072372 _____ () C:\Users\Neal\Desktop\Nice-Rustic-Wooden-Look-in-Western-Style-Bathroom-Interior.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:14 - 00021940 _____ () C:\Users\Neal\Desktop\stoneshowers3.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:13 - 00126212 _____ () C:\Users\Neal\Desktop\shower-designs_stone.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:11 - 00145892 _____ () C:\Users\Neal\Desktop\bathroom-natural-cream-small-bathroom-renovation-idea-with-cream-stone-wall-colorful-border-and-shower-nice-small-bathroom-renovation-ideas-972x650.jpg.ezz
2015-05-07 13:25 - 2014-09-08 19:06 - 00042676 _____ () C:\Users\Neal\Desktop\thumb4_wlshower.jpg.ezz
2015-05-07 13:25 - 2014-08-17 23:39 - 10782340 _____ () C:\Users\Neal\Documents\9781616251185_ApologiaExploringCreationWithG.pdf.ezz
2015-05-07 13:25 - 2014-08-17 23:35 - 24867156 _____ () C:\Users\Neal\Desktop\9781616251345_ApologiaExploringCreationWithB.pdf.ezz
2015-05-07 13:25 - 2014-08-17 21:22 - 10782340 _____ () C:\Users\Neal\Desktop\9781616251185_ApologiaExploringCreationWithG.pdf.ezz
2015-05-07 13:25 - 2014-07-11 16:24 - 01440996 _____ () C:\Users\Neal\Desktop\CRCS Handbook.pdf.ezz
2015-05-07 13:13 - 2015-01-09 02:01 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4105420370-3369507210-3028615837-1004
2015-05-07 12:47 - 2015-01-09 01:59 - 00000000 ___RD () C:\Users\Noelle\OneDrive
2015-05-07 01:07 - 2015-01-09 01:55 - 00003942 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{C556DA80-233A-4939-81B7-D4F612CB4826}
2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-05-05 14:31 - 2013-08-22 10:36 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-05-05 14:31 - 2012-10-29 20:58 - 00000000 ____D () C:\ProgramData\Temp
2015-05-05 14:30 - 2014-08-18 12:58 - 00000164 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz
2015-05-05 14:22 - 2014-09-13 14:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-05-05 14:22 - 2014-09-11 16:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Catalyst Control Center
2015-05-05 14:22 - 2014-08-18 20:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-05-05 14:22 - 2014-08-18 20:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Web Start
2015-05-05 14:22 - 2014-08-18 20:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Rosetta Stone
2015-05-05 14:22 - 2014-08-18 13:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TT Algebra 1
2015-05-05 14:22 - 2014-08-18 12:56 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services
2015-05-05 14:22 - 2014-07-11 14:08 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Communication and Chat
2015-05-05 14:22 - 2014-07-11 14:00 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Productivity and Tools
2015-05-05 14:22 - 2014-03-18 04:45 - 00000000 __RHD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tablet PC
2015-05-05 14:22 - 2013-08-22 10:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools
2015-05-05 14:22 - 2013-08-22 10:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-05-05 14:22 - 2013-08-22 10:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-05-05 14:22 - 2013-08-22 10:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-05-05 14:22 - 2012-10-29 21:17 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-05-05 14:22 - 2012-10-29 21:13 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2015-05-05 14:22 - 2012-10-29 21:02 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security and Protection
2015-05-05 14:21 - 2014-09-11 16:28 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-05-05 14:21 - 2014-09-11 16:28 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-05-05 14:21 - 2014-09-11 16:28 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-05-05 14:21 - 2014-09-11 16:28 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-05-05 14:21 - 2012-08-03 17:28 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Packages
2015-05-05 14:18 - 2014-03-18 04:45 - 00000000 ____D () C:\Program Files\Windows Journal
2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\WindowsPowerShell
2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Windows Portable Devices
2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Windows Multimedia Platform
2015-05-05 14:18 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Windows Defender
2015-05-05 14:17 - 2014-09-11 16:12 - 00000000 ____D () C:\Program Files\Common Files\ATI Technologies
2015-05-05 14:17 - 2014-07-11 13:52 - 00000000 ____D () C:\Program Files\Bonjour
2015-05-05 14:17 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Common Files\Services
2015-05-05 14:17 - 2013-08-22 10:36 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-05-05 14:17 - 2012-09-18 21:56 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2015-05-05 02:16 - 2012-10-29 21:16 - 00000000 ____D () C:\Program Files (x86)\WildTangent Games
2015-05-04 15:46 - 2014-08-15 09:06 - 00000000 ____D () C:\Users\Public\Documents\TT Algebra 1
2015-05-03 15:12 - 2015-03-16 12:27 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\Mozilla
2015-05-03 15:12 - 2015-01-21 13:05 - 00000000 ____D () C:\Users\Noelle\Documents\CyberLink
2015-05-03 15:12 - 2015-01-09 01:57 - 00000000 ____D () C:\Users\Noelle\AppData\Local\AMD
2015-05-03 15:12 - 2015-01-09 01:55 - 00000000 ____D () C:\Users\Noelle\AppData\Roaming\Adobe
2015-05-03 15:10 - 2014-08-18 13:15 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Mozilla
2015-05-03 15:10 - 2014-08-18 13:00 - 00000000 ____D () C:\Users\Neal\AppData\Local\AMD
2015-05-03 15:10 - 2014-08-18 12:58 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Hewlett-Packard
2015-05-03 15:10 - 2014-08-18 12:56 - 00000000 ____D () C:\Users\Neal\AppData\Roaming\Adobe
2015-05-03 15:10 - 2014-08-18 12:53 - 00000000 ____D () C:\Users\Neal\AppData\Local\Power2Go8
2015-04-20 13:56 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\rescache
2015-04-18 20:18 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\AppCompat
2015-04-17 09:52 - 2014-03-18 05:03 - 00956480 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-04-17 09:45 - 2015-03-29 21:04 - 00000000 ___SD () C:\WINDOWS\system32\CompatTel
2015-04-14 20:35 - 2014-08-23 00:19 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-04-14 20:33 - 2014-08-23 00:19 - 128913832 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-04-14 20:33 - 2012-07-26 02:59 - 00000000 ____D () C:\WINDOWS\CbsTemp

==================== Files in the root of some directories =======

2015-05-08 12:45 - 2015-05-08 12:45 - 0008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-08 12:45 - 2015-05-08 12:45 - 0045579 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG
2015-05-08 12:45 - 2015-05-08 12:45 - 0004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-08 12:45 - 2015-05-08 12:45 - 0000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
2015-05-07 11:46 - 2015-05-07 11:46 - 0000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
2015-05-08 12:40 - 2015-05-08 12:40 - 0051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
2015-05-07 11:46 - 2015-05-07 11:46 - 0079648 _____ () C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3
2015-05-08 12:41 - 2015-05-08 12:41 - 0061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
2014-09-15 20:51 - 2015-02-04 14:46 - 0000342 _____ () C:\ProgramData\lxee.log
2014-09-25 19:06 - 2015-02-04 15:05 - 0009990 _____ () C:\ProgramData\lxeeJSW.log
2014-09-08 07:27 - 2015-02-04 14:46 - 0000392 _____ () C:\ProgramData\lxeescan.log
2014-08-18 12:58 - 2015-05-05 14:30 - 0000164 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-05-03 15:35

==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06-05-2015 01
Ran by Neal at 2015-05-08 13:32:07
Running from C:\Users\Neal\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4105420370-3369507210-3028615837-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-4105420370-3369507210-3028615837-501 - Limited - Disabled)
Neal (S-1-5-21-4105420370-3369507210-3028615837-1002 - Administrator - Enabled) => C:\Users\Neal
Noelle (S-1-5-21-4105420370-3369507210-3028615837-1004 - Limited - Enabled) => C:\Users\Noelle
Sean (S-1-5-21-4105420370-3369507210-3028615837-1003 - Limited - Enabled) => C:\Users\Sean

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

4 Elements II (x32 Version: 2.2.0.98 - WildTangent) Hidden
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.6.636 - Adobe Systems, Inc.)
Algebra 1 Teaching Textbook (HKLM-x32\...\Algebra 1 Teaching Textbook) (Version: - Teaching Textbooks Inc.)
AMD Catalyst Install Manager (HKLM\...\{3CEC10BE-CD7C-8E99-E3AC-DD31F4416C1C}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Build-a-lot 4 - Power Source (x32 Version: 2.2.0.98 - WildTangent) Hidden
Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2.5712 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.2.2114 - CyberLink Corp.)
CyberLink PhotoDirector (HKLM-x32\...\InstallShield_{4862344A-A39C-4897-ACD4-A1BED5163C5A}) (Version: 2.0.2.3317 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.2.2110 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.2.2126 - CyberLink Corp.)
CyberLink PowerDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.7.4528 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.5.5811 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
FATE: The Cursed King (x32 Version: 2.2.0.97 - WildTangent) Hidden
Final Drive Fury (x32 Version: 2.2.0.95 - WildTangent) Hidden
Gardenscapes: Mansion Makeover (x32 Version: 3.0.2.32 - WildTangent) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
House of 1000 Doors: Family Secrets (x32 Version: 2.2.0.98 - WildTangent) Hidden
Hoyle Card Games (x32 Version: 2.2.0.95 - WildTangent) Hidden
HP 3D DriveGuard (HKLM\...\{6821D775-9303-46DD-977A-2D97CA18B054}) (Version: 4.2.8.1 - Hewlett-Packard Company)
HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: v1.0 - Meridian Audio Ltd)
HP Connected Remote (HKLM-x32\...\{F243A34B-AB7F-4065-B770-B85B767C247C}) (Version: 1.0.1218 - Hewlett-Packard)
HP CoolSense (HKLM-x32\...\{8704FEEF-A6A8-4E7E-B124-BD6122C66E2C}) (Version: 2.10.42 - Hewlett-Packard Company)
HP Documentation (HKLM-x32\...\{23C74C03-680C-455D-933F-5BC8683CAE52}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.3.0 - WildTangent)
HP MyRoom (HKLM-x32\...\{9C35EDE5-4B0F-45E7-A438-314BA889948E}) (Version: 9.0.0.0 - Hewlett-Packard Company)
HP Quick Launch (HKLM-x32\...\{E5823036-6F09-4D0A-B05C-E2BAA129288A}) (Version: 3.0.6 - Hewlett-Packard Company)
HP Registration Service (HKLM\...\{C2E428EB-116E-41C0-9E84-B22DE9CCA42F}) (Version: 1.1.6232.4245 - Hewlett-Packard)
HP Utility Center (HKLM-x32\...\{0C57987A-A03A-4B95-A309-D23F78F406CA}) (Version: 1.0.8 - Hewlett-Packard)
HP Wireless Button Driver (HKLM-x32\...\{941DE69D-6CEE-4171-8F1F-3D7E352AA498}) (Version: 1.0.6.1 - Hewlett-Packard Company)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6425.0 - IDT)
Java 2 Runtime Environment, SE v1.4.1_02 (HKLM-x32\...\{EFCE5837-FC21-11D6-9D24-00010240CE95}) (Version: - )
Java Web Start (HKLM-x32\...\Java Web Start) (Version: - )
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mahjongg Dimensions Deluxe: Tiles in Time (x32 Version: 2.2.0.98 - WildTangent) Hidden
Microsoft Office (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.6120.5004 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mortimer Beckett and the Crimson Thief Premium Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
Movie Maker (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Mozilla Firefox 32.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 32.0.1 (x86 en-US)) (Version: 32.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.98 - WildTangent) Hidden
Qualcomm Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Qualcomm Atheros)
QuickTime (HKLM-x32\...\QuickTime) (Version: - )
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.3.730.2012 - Realtek)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.2.8400.29029 - Realtek Semiconductor Corp.)
Roads of Rome 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Royal Envoy 2 Collector's Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
Student Management System (HKLM-x32\...\Student Management System) (Version: - )
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.10.12 - Synaptics Incorporated)
Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
The Rosetta Stone (HKLM-x32\...\The Rosetta Stone) (Version: - )
Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.3.0 - WildTangent)
WildTangent Games App (x32 Version: 4.0.9.7 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3503.0728 - Microsoft Corporation)
Youda Jewel Shop (x32 Version: 3.0.2.32 - WildTangent) Hidden
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll ()
CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("qvnoq7<odv!@buhwdYNckdbu)#VRbshq (the data entry has 27915 more characters). <==== Poweliks?

==================== Restore Points =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 08:25 - 2013-08-22 08:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {06EAB617-28D2-4B01-B359-FC14AEDB75DE} - System32\Tasks\CLMLSvc_P2G8 => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2012-06-07] (CyberLink)
Task: {238CA5C8-F07E-4F6A-A548-45499010B7A7} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-03-23] (Microsoft Corporation)
Task: {71F80F89-232A-4966-855C-6FE0FB2E1956} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
Task: {843F5273-3392-4FFC-A015-0DA84847EF55} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe [2012-08-24] (Synaptics Incorporated)
Task: {C43512FA-BE5A-4012-A14F-BA2B34634288} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
Task: {D40E2186-25E0-4499-BFE4-C994389C4EDF} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2012-10-12] (CyberLink)
Task: {E6B5E745-C45E-4784-B9EE-70FE7C70454E} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
Task: {F3799BF6-D57F-47B0-B8B0-717104309832} - System32\Tasks\{B4B196E5-6F81-42F7-9583-FFE3E9689CDE} => pcalua.exe -a E:\autorun.exe -d E:\

==================== Loaded Modules (whitelisted) ==============

2014-09-08 07:29 - 2009-11-04 13:18 - 00189440 _____ () C:\WINDOWS\system32\spool\PRTPROCS\x64\lxeedrpp.dll
2014-07-04 21:33 - 2014-07-04 21:33 - 00127488 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2014-07-04 21:33 - 2014-07-04 21:33 - 00102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2015-05-05 14:12 - 2015-05-05 14:12 - 00253080 _____ () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll
2014-07-11 14:11 - 2012-06-07 22:34 - 00627216 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2012-06-08 13:34 - 2012-06-08 13:34 - 00016400 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
2015-05-08 12:41 - 2015-05-08 12:41 - 00061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
2014-12-17 14:54 - 2014-12-17 14:54 - 03716720 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Neal\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Noelle\OneDrive:ms-properties

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, the associated entry will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.1.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{EB40A931-D85B-4CCA-B3D4-C1A8C51FD92D}] => (Allow) C:\Windows\system32\lxeecoms.exe
FirewallRules: [{5A5CF6C9-6FB3-4CF7-A892-0DB4543C3058}] => (Block) C:\windows\syswow64\java.exe
FirewallRules: [{5D8777C7-815F-459B-9D56-2EF931A5D0ED}] => (Block) C:\windows\syswow64\java.exe
FirewallRules: [UDP Query User{665BB536-0130-4C51-B5B1-1926C4D4DE97}C:\windows\syswow64\java.exe] => (Allow) C:\windows\syswow64\java.exe
FirewallRules: [TCP Query User{ABC0D633-705D-4D01-A6A6-8B3468C3C741}C:\windows\syswow64\java.exe] => (Allow) C:\windows\syswow64\java.exe
FirewallRules: [{BCE893FD-2BA3-4A07-B47D-ADCEA98A6491}] => (Allow) LPort=52000
FirewallRules: [{1E0D5EFE-D8C3-4139-AE6E-CB833453E3CA}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{9E086A13-706A-4014-B1B0-36070A8A5AA6}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD10.EXE
FirewallRules: [{A6EA8DB4-9C8A-4048-BB3F-1DAAAE352B02}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0ADE7D14-E0FA-4290-978B-32F65B660588}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{FE6B40FC-707E-4F2E-90F8-AB1335156BC4}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{0D7B6C92-A706-4DA9-AD8C-0EAC8E7D30AE}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{853DA728-1141-4D89-A895-B7F4DEB5B004}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
FirewallRules: [{5BA0062D-F4B2-4D7F-97C3-9CAED76EC3E8}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
FirewallRules: [{48C8B771-AE46-44F6-B014-46CAC123D294}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
FirewallRules: [{9E825020-25E9-4D5A-A7A6-992E2F31866D}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
FirewallRules: [{2665AFA2-B5CE-4E26-8932-86A7D3F664C4}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
FirewallRules: [{DD21F78F-AF64-47E1-AACD-D58499719F1E}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
FirewallRules: [{FD5EC627-F3BD-4CC8-920D-45F47DE678B7}] => (Allow) LPort=1900
FirewallRules: [{9835CC22-556D-4430-8243-EE8C26B97658}] => (Allow) LPort=2869
FirewallRules: [{CCF723D3-CB8D-4493-82CA-1AF295CE1A00}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{1A0F3415-E39D-4108-99E4-18767F6B3C02}] => (Allow) C:\Users\Administrator\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [TCP Query User{7F399BDC-C4DC-4754-88A1-DE7CFEBEF1EC}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
FirewallRules: [UDP Query User{B1149B3C-6700-4ECF-ACCE-25DE89F82194}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
FirewallRules: [TCP Query User{B1B05C83-36AF-4F11-9F58-FCD7CC626822}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
FirewallRules: [UDP Query User{70ACB0BF-07A0-468D-83E9-2845DD9255E9}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
FirewallRules: [{4F364D9A-276E-408C-89B4-1674E2E51EA4}] => (Allow) LPort=53000

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (05/08/2015 01:05:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
Exception code: 0xe0434352
Fault offset: 0x0000000000008b9c
Faulting process id: 0x8b4
Faulting application start time: 0xHPConnectedRemoteService.exe0
Faulting application path: HPConnectedRemoteService.exe1
Faulting module path: HPConnectedRemoteService.exe2
Report Id: HPConnectedRemoteService.exe3
Faulting package full name: HPConnectedRemoteService.exe4
Faulting package-relative application ID: HPConnectedRemoteService.exe5

Error: (05/08/2015 01:05:19 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (05/08/2015 01:05:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
Exception code: 0xe0434352
Fault offset: 0x0000000000008b9c
Faulting process id: 0x2d3c
Faulting application start time: 0xHPConnectedRemoteService.exe0
Faulting application path: HPConnectedRemoteService.exe1
Faulting module path: HPConnectedRemoteService.exe2
Report Id: HPConnectedRemoteService.exe3
Faulting package full name: HPConnectedRemoteService.exe4
Faulting package-relative application ID: HPConnectedRemoteService.exe5

Error: (05/08/2015 01:05:05 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (05/08/2015 01:04:52 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
Exception code: 0xe0434352
Fault offset: 0x0000000000008b9c
Faulting process id: 0x2fd4
Faulting application start time: 0xHPConnectedRemoteService.exe0
Faulting application path: HPConnectedRemoteService.exe1
Faulting module path: HPConnectedRemoteService.exe2
Report Id: HPConnectedRemoteService.exe3
Faulting package full name: HPConnectedRemoteService.exe4
Faulting package-relative application ID: HPConnectedRemoteService.exe5

Error: (05/08/2015 01:04:52 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (05/08/2015 01:04:37 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
Exception code: 0xe0434352
Fault offset: 0x0000000000008b9c
Faulting process id: 0x2098
Faulting application start time: 0xHPConnectedRemoteService.exe0
Faulting application path: HPConnectedRemoteService.exe1
Faulting module path: HPConnectedRemoteService.exe2
Report Id: HPConnectedRemoteService.exe3
Faulting package full name: HPConnectedRemoteService.exe4
Faulting package-relative application ID: HPConnectedRemoteService.exe5

Error: (05/08/2015 01:04:35 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (05/08/2015 01:02:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HPConnectedRemoteService.exe, version: 1.0.1218.0, time stamp: 0x5078a573
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
Exception code: 0xe0434352
Fault offset: 0x0000000000008b9c
Faulting process id: 0x1ef4
Faulting application start time: 0xHPConnectedRemoteService.exe0
Faulting application path: HPConnectedRemoteService.exe1
Faulting module path: HPConnectedRemoteService.exe2
Report Id: HPConnectedRemoteService.exe3
Faulting package full name: HPConnectedRemoteService.exe4
Faulting package-relative application ID: HPConnectedRemoteService.exe5

Error: (05/08/2015 01:02:09 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()


System errors:
=============
Error: (05/08/2015 01:32:49 PM) (Source: DCOM) (EventID: 10010) (User: HOMESCHOOL1)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (05/08/2015 01:30:59 PM) (Source: DCOM) (EventID: 10010) (User: HOMESCHOOL1)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (05/08/2015 01:05:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HP Connected Remote Service service failed to start due to the following error:
%%1053

Error: (05/08/2015 01:05:56 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the HP Connected Remote Service service to connect.

Error: (05/08/2015 01:05:19 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 35 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (05/08/2015 01:05:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 34 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (05/08/2015 01:04:52 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 33 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (05/08/2015 01:04:38 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 32 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (05/08/2015 01:03:52 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The HP Connected Remote Service service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (05/08/2015 01:03:45 PM) (Source: DCOM) (EventID: 10010) (User: HOMESCHOOL1)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}


Microsoft Office Sessions:
=========================
Error: (05/08/2015 01:05:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c8b401d089b9867e6757C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dllc9581784-f5ac-11e4-becb-38eaa7dc590b

Error: (05/08/2015 01:05:19 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (05/08/2015 01:05:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c2d3c01d089b97e837108C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dllc11662a8-f5ac-11e4-becb-38eaa7dc590b

Error: (05/08/2015 01:05:05 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (05/08/2015 01:04:52 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c2fd401d089b975afa2f0C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dllb9272c3b-f5ac-11e4-becb-38eaa7dc590b

Error: (05/08/2015 01:04:52 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (05/08/2015 01:04:37 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c209801d089b95abee26bC:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dllb02b8b2b-f5ac-11e4-becb-38eaa7dc590b

Error: (05/08/2015 01:04:35 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (05/08/2015 01:02:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: HPConnectedRemoteService.exe1.0.1218.05078a573KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9c1ef401d089b915450644C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exeC:\WINDOWS\system32\KERNELBASE.dll5878a687-f5ac-11e4-becb-38eaa7dc590b

Error: (05/08/2015 01:02:09 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPConnectedRemoteService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
Stack:
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.X509FindType, System.Object, System.ServiceModel.EndpointAddress, Boolean)
at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(System.Security.Cryptography.X509Certificates.StoreLocation, System.Security.Cryptography.X509Certificates.StoreName, System.Security.Cryptography.X509Certificates.X509FindType, System.Object)
at SwitchBoard.Utils.WCFServiceHostUtil.setupService(System.Object, System.Type, Int32, Boolean)
at SwitchBoard.SwitchBoardService.RunService()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()


CodeIntegrity Errors:
===================================
Date: 2015-05-07 01:07:46.241
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll that did not meet the Windows signing level requirements.


==================== Memory info ===========================

Processor: AMD A8-4500M APU with Radeon(tm) HD Graphics
Percentage of memory in use: 84%
Total physical RAM: 3554.26 MB
Available physical RAM: 559.93 MB
Total Pagefile: 7963.3 MB
Available Pagefile: 2935.17 MB
Total Virtual: 131072 MB
Available Virtual: 131071.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:565.37 GB) (Free:519.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:29.6 GB) (Free:3.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 596.2 GB) (Disk ID: 4FBE1E19)

Partition: GPT Partition Type.

==================== End Of Log ============================
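The log above already contains the indicators a responder would pull out first: Windows Firewall rules created for executables in the user's Temp folder (the Block rules matter too, since a "Query User" rule only exists because the binary asked to accept inbound connections), a per-user CLSID whose LocalServer32 launches rundll32.exe with a javascript: URL that reaches mshtml's RunHTMLApplication (the Poweliks registry-resident loader), Code Integrity refusing an unsigned recovery.dll that svchost.exe tried to load from a GUID-named folder under ProgramData, a Run key that feeds a DLL in AppData\Local to rundll32, HELP_DECRYPT.* notes dropped into the Startup folder, and DCOM 10010 errors (server did not register with DCOM within the timeout) naming the same CLSID as the javascript: entry. The script below is an added example written for this page; it is not part of the thread and not FRST's own logic. It runs those checks over FRST-formatted lines and cross-references the DCOM 10010 CLSIDs with the flagged ones. The rule names and regular expressions are my own; the sample lines embedded in it are abridged copies of lines from the log and fixlist on this page.

```python
import re

# Constructed sample input: lines abridged from the FRST log and fixlog posted in this thread.
SAMPLE_LOG = r"""
FirewallRules: [{EB40A931-D85B-4CCA-B3D4-C1A8C51FD92D}] => (Allow) C:\Windows\system32\lxeecoms.exe
FirewallRules: [TCP Query User{7F399BDC-C4DC-4754-88A1-DE7CFEBEF1EC}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
FirewallRules: [TCP Query User{B1B05C83-36AF-4F11-9F58-FCD7CC626822}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
Error: (05/08/2015 01:32:49 PM) (Source: DCOM) (EventID: 10010) (User: HOMESCHOOL1)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll that did not meet the Windows signing level requirements.
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [udsfurd] => rundll32 "C:\Users\Neal\AppData\Local\udsfurd.dll",udsfurd <===== ATTENTION
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-08] ()
CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll ()
CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("...") <==== Poweliks?
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
RE_FIREWALL = re.compile(r"^FirewallRules: \[.*?\] => \((Allow|Block)\) (.+)$")
RE_CLSID = re.compile(r"CLSID\\(" + GUID + r")\\(LocalServer32|InprocServer32) -> (.+)$", re.I)
RE_CODE_INTEGRITY = re.compile(
    r"Code Integrity determined that a process \((.+?)\) attempted to load (.+?) that did not meet", re.I)
RE_DCOM_10010 = re.compile(r"\(Source: DCOM\) \(EventID: 10010\)")
RE_DESC_GUID = re.compile(r"^Description: (" + GUID + r")\s*$")
RE_RUN_KEY = re.compile(r"\\Run: \[(.+?)\] => (.+)$")
RE_STARTUP_NOTE = re.compile(r"^Startup: (.+\\Startup\\HELP_DECRYPT\.[A-Za-z]+) ", re.I)
RE_PROGRAMDATA_DLL = re.compile(r"\\ProgramData\\" + GUID + r"\\[^\\\s]+\.dll", re.I)


def in_user_temp(path):
    """True for binaries living under AppData\\Local\\Temp or carrying a .tmp extension."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or p.endswith(".tmp")


def triage(log_text):
    """Return (rule, detail) findings for the FRST-formatted lines in log_text."""
    findings = []
    flagged_clsids = set()   # CLSIDs whose server entry looked malicious
    dcom_clsids = set()      # CLSIDs named by DCOM 10010 (server failed to register) errors
    expect_dcom_desc = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if expect_dcom_desc:
            # The CLSID sits on the Description: line that follows the DCOM error header.
            expect_dcom_desc = False
            m = RE_DESC_GUID.match(line)
            if m:
                dcom_clsids.add(m.group(1).upper())
                continue
        if RE_DCOM_10010.search(line):
            expect_dcom_desc = True
            continue
        m = RE_FIREWALL.match(line)
        if m:
            action, target = m.groups()
            # Even a Block rule proves the binary asked to accept inbound connections.
            if in_user_temp(target):
                findings.append(("firewall_rule_for_temp_binary", f"{action} {target}"))
            continue
        m = RE_CLSID.search(line)
        if m:
            clsid, kind, target = m.group(1).upper(), m.group(2).lower(), m.group(3)
            t = target.lower()
            if kind == "localserver32" and "rundll32" in t and ("javascript:" in t or "runhtmlapplication" in t):
                # Registry-resident loader: rundll32 + javascript: URL + mshtml RunHTMLApplication.
                findings.append(("fileless_clsid_rundll32_javascript", f"{clsid} -> {target}"))
                flagged_clsids.add(clsid)
            elif RE_PROGRAMDATA_DLL.search(target):
                findings.append(("clsid_dll_in_programdata_guid", f"{clsid} -> {target}"))
                flagged_clsids.add(clsid)
            continue
        m = RE_CODE_INTEGRITY.search(line)
        if m:
            process, module = m.groups()
            findings.append(("unsigned_module_load", f"{process} -> {module}"))
            continue
        m = RE_RUN_KEY.search(line)
        if m:
            name, command = m.groups()
            c = command.lower()
            if "rundll32" in c and "\\appdata\\" in c:
                findings.append(("run_key_rundll32_appdata_dll", name))
            continue
        m = RE_STARTUP_NOTE.match(line)
        if m:
            findings.append(("ransom_note_in_startup", m.group(1)))
    # A DCOM 10010 error for a CLSID we already flagged ties the crash loop to the implant.
    for clsid in sorted(flagged_clsids & dcom_clsids):
        findings.append(("dcom_10010_matches_flagged_clsid", clsid))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:38s} {detail}")
```

To use it on a real case, read the saved FRST.txt or Fixlog.txt (FRST writes them with a BOM, so open with encoding "utf-8-sig") and pass the text to triage(). The checks are plain pattern matches on FRST's text format and deliberately stay narrow: a hit is a lead to verify, and a clean run says nothing about entries the patterns do not cover.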
 
This is a very severe infection, so it'll take a while to clean it up.

Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST (FRST64), press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.
 

Attachments

  • fixlist.txt (7.1 KB)
I did not rename or remove the last 'fixlog' on the affected desktop. The machine is restarting. I'm assuming it will rename the new file something like "fixlog1", or maybe it overwrites it...?

Simply let me know if I need to start over.
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2015 01
Ran by Neal at 2015-05-08 14:33:01 Run:3
Running from C:\Users\Neal\Desktop
Loaded Profiles: Neal (Available profiles: Neal & Sean & Noelle & Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
(Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Local\Temp\8FB3.tmp
C:\Users\Neal\AppData\Local\Temp\8FB3.tmp
() C:\Users\Neal\AppData\Local\Temp\9FD4.tmp
C:\Users\Neal\AppData\Local\Temp\9FD4.tmp
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [AVNworks] => C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...\Run: [udsfurd] => rundll32 "C:\Users\Neal\AppData\Local\udsfurd.dll",udsfurd <===== ATTENTION
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("qvnoq7<odv!@buhwdYNckdbu)#VRbshq (the data entry has 27907 more characters). <==== Poweliks!
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML [2015-05-08] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG [2015-05-08] ()
Startup: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT [2015-05-08] ()
InternetURL: C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.gigapaysun.com/1sL7j4w
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe
C:\Users\Neal\AppData\Local\udsfurd.dll
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll No File
Toolbar: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Extension: Windows Script Host Shell Object - C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F} [2015-05-02]
C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F}
2015-05-08 12:48 - 2015-05-08 12:48 - 00008602 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.HTML
2015-05-08 12:48 - 2015-05-08 12:48 - 00000284 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.URL
2015-05-08 12:47 - 2015-05-08 12:47 - 00008602 _____ () C:\Users\Neal\HELP_DECRYPT.HTML
2015-05-08 12:47 - 2015-05-08 12:47 - 00004244 _____ () C:\Users\Neal\HELP_DECRYPT.TXT
2015-05-08 12:47 - 2015-05-08 12:47 - 00004244 _____ () C:\Users\Neal\Desktop\HELP_DECRYPT.TXT
2015-05-08 12:47 - 2015-05-08 12:47 - 00000284 _____ () C:\Users\Neal\HELP_DECRYPT.URL
2015-05-08 12:45 - 2015-05-08 12:45 - 00008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-08 12:45 - 2015-05-08 12:45 - 00008602 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.HTML
2015-05-08 12:45 - 2015-05-08 12:45 - 00004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-08 12:45 - 2015-05-08 12:45 - 00004244 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.TXT
2015-05-08 12:45 - 2015-05-08 12:45 - 00000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
2015-05-08 12:45 - 2015-05-08 12:45 - 00000284 _____ () C:\Users\Neal\AppData\HELP_DECRYPT.URL
2015-05-08 12:41 - 2015-05-08 12:41 - 00061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
2015-05-08 12:40 - 2015-05-08 12:40 - 00051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
2015-05-07 11:46 - 2015-05-07 11:46 - 00000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
2015-05-05 14:10 - 2015-05-08 12:43 - 00000000 ___HD () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2015-05-08 12:45 - 2015-05-08 12:45 - 0008602 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML
2015-05-08 12:45 - 2015-05-08 12:45 - 0045579 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG
2015-05-08 12:45 - 2015-05-08 12:45 - 0004244 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT
2015-05-08 12:45 - 2015-05-08 12:45 - 0000284 _____ () C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL
2015-05-07 11:46 - 2015-05-07 11:46 - 0000327 _____ () C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja
2015-05-08 12:40 - 2015-05-08 12:40 - 0051399 _____ (Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe
2015-05-07 11:46 - 2015-05-07 11:46 - 0079648 _____ () C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3
2015-05-08 12:41 - 2015-05-08 12:41 - 0061952 _____ () C:\Users\Neal\AppData\Local\udsfurd.dll
2014-09-15 20:51 - 2015-02-04 14:46 - 0000342 _____ () C:\ProgramData\lxee.log
2014-09-25 19:06 - 2015-02-04 15:05 - 0009990 _____ () C:\ProgramData\lxeeJSW.log
2014-09-08 07:27 - 2015-02-04 14:46 - 0000392 _____ () C:\ProgramData\lxeescan.log
2014-08-18 12:58 - 2015-05-05 14:30 - 0000164 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz
CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll ()
CustomCLSID: HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"reie8\..\mshtml,RunHTMLApplication ";eval("qvnoq7<odv!@buhwdYNckdbu)#VRbshq (the data entry has 27915 more characters). <==== Poweliks?
C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll
AlternateDataStreams: C:\Users\Neal\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Noelle\OneDrive:ms-properties
FirewallRules: [TCP Query User{7F399BDC-C4DC-4754-88A1-DE7CFEBEF1EC}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
FirewallRules: [UDP Query User{B1149B3C-6700-4ECF-ACCE-25DE89F82194}C:\users\neal\appdata\local\temp\61b8.tmp] => (Allow) C:\users\neal\appdata\local\temp\61b8.tmp
FirewallRules: [TCP Query User{B1B05C83-36AF-4F11-9F58-FCD7CC626822}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
FirewallRules: [UDP Query User{70ACB0BF-07A0-468D-83E9-2845DD9255E9}C:\users\neal\appdata\local\temp\8fb3.tmp] => (Block) C:\users\neal\appdata\local\temp\8fb3.tmp
C:\users\neal\appdata\local\temp\61b8.tmp
C:\users\neal\appdata\local\temp\8fb3.tmp

*****************

(Akeo Consulting (http://akeo.ie)) C:\Users\Neal\AppData\Local\Temp\8FB3.tmp => Error: No automatic fix found for this entry.
C:\Users\Neal\AppData\Local\Temp\8FB3.tmp => Moved successfully.
C:\Users\Neal\AppData\Local\Temp\9FD4.tmp => No running process found
C:\Users\Neal\AppData\Local\Temp\9FD4.tmp => Moved successfully.
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Windows\CurrentVersion\Run\\AVNworks => value deleted successfully.
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Windows\CurrentVersion\Run\\udsfurd => value deleted successfully.
"HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"C:\Users\Neal\AppData\Local\AVNworks\L_4bv.exe" => File/Directory not found.
C:\Users\Neal\AppData\Local\udsfurd.dll => Moved successfully.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL" => File/Directory not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}" => Key deleted successfully.
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F} => Moved successfully.
"C:\Users\Neal\AppData\Roaming\Mozilla\Firefox\Profiles\hjieooub.default\Extensions\{F92861AD-1977-2B60-239A-3484A474500F}" => File/Directory not found.
C:\Users\Neal\Desktop\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\Desktop\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\Desktop\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\AppData\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\AppData\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Neal\AppData\HELP_DECRYPT.URL => Moved successfully.
"C:\Users\Neal\AppData\Local\udsfurd.dll" => File/Directory not found.
C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe => Moved successfully.
C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja => Moved successfully.

"C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}" directory move:

Could not move "C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}" directory. => Scheduled to move on reboot.

"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\jna71bgagagt1yabja" => File/Directory not found.
"C:\Users\Neal\AppData\Roaming\KVBYU9X3r2RExfg-3Lgv9E1FtUo5Mxw-Qa6PRGFJ5I1m8Xq-eToIcy4CmFQps6j.exe" => File/Directory not found.
C:\Users\Neal\AppData\Roaming\R.E.M. - Reveal - 07 - Beat A Drum.mp3 => Moved successfully.
"C:\Users\Neal\AppData\Local\udsfurd.dll" => File/Directory not found.
C:\ProgramData\lxee.log => Moved successfully.
C:\ProgramData\lxeeJSW.log => Moved successfully.
C:\ProgramData\lxeescan.log => Moved successfully.
C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc.ezz => Moved successfully.
"HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}" => Key deleted successfully.
HKU\S-1-5-21-4105420370-3369507210-3028615837-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
Could not move "C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll" => Scheduled to move on reboot.
"C:\Users\Neal\OneDrive" => ":ms-properties" ADS not found.
"C:\Users\Noelle\OneDrive" => ":ms-properties" ADS not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{7F399BDC-C4DC-4754-88A1-DE7CFEBEF1EC}C:\users\neal\appdata\local\temp\61b8.tmp => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{B1149B3C-6700-4ECF-ACCE-25DE89F82194}C:\users\neal\appdata\local\temp\61b8.tmp => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{B1B05C83-36AF-4F11-9F58-FCD7CC626822}C:\users\neal\appdata\local\temp\8fb3.tmp => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{70ACB0BF-07A0-468D-83E9-2845DD9255E9}C:\users\neal\appdata\local\temp\8fb3.tmp => value deleted successfully.
C:\users\neal\appdata\local\temp\61b8.tmp => Moved successfully.
"C:\users\neal\appdata\local\temp\8fb3.tmp" => File/Directory not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-05-08 14:35:39)<=

C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0} => Moved successfully.
C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll => Is moved successfully.

==== End of Fixlog 14:35:39 ====
 
Good :)

Please download Powelikscleaner (by ESET) and save it to your Desktop.

1. Double-click on ESETPoweliksCleaner.exe to start the tool.

2. Read the terms of the End-user license agreement and click Agree.

3. The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

4. If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.

The tool will produce a log in the same directory the tool was run from.

Please copy and paste the log in your next reply.
 
[2015.05.08 14:47:50.801] - Begin
[2015.05.08 14:47:50.802] -
[2015.05.08 14:47:50.803] - ....................................
[2015.05.08 14:47:50.804] - ..::::::::::::::::::....................
[2015.05.08 14:47:50.806] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Poweliks
[2015.05.08 14:47:50.810] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.0.0.4
[2015.05.08 14:47:50.812] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Mar 25 2015
[2015.05.08 14:47:50.814] - .::EE:::::::::::::SS:.EE..........TT......
[2015.05.08 14:47:50.816] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
[2015.05.08 14:47:50.817] - ..::::::::::::::::::.................... 1992-2015. All rights reserved.
[2015.05.08 14:47:50.818] - ....................................
[2015.05.08 14:47:50.818] -
[2015.05.08 14:47:50.819] - --------------------------------------------------------------------------------
[2015.05.08 14:47:50.819] -
[2015.05.08 14:47:50.820] - INFO: OS: 6.2.9200 SP0
[2015.05.08 14:47:50.821] - INFO: Product Type: Workstation
[2015.05.08 14:47:50.821] - INFO: WoW64: True
[2015.05.08 14:47:50.822] - INFO: Machine guid: 9820C332-B7F3-406D-BB3B-40E83CD45078
[2015.05.08 14:47:50.822] -
[2015.05.08 14:47:53.239] - INFO: Scanning for system infection...
[2015.05.08 14:47:53.242] - --------------------------------------------------------------------------------
[2015.05.08 14:47:53.243] -
[2015.05.08 14:47:53.243] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.05.08 14:47:53.244] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.05.08 14:47:53.244] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.05.08 14:47:53.245] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.05.08 14:47:53.245] - INFO: Processing classes...
[2015.05.08 14:47:53.245] - INFO: Processing clsid [\Registry\User\S-1-5-21-4105420370-3369507210-3028615837-1002\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}]
[2015.05.08 14:47:53.246] - INFO: Processing clsid [\Registry\User\S-1-5-21-4105420370-3369507210-3028615837-1002\SOFTWARE\Classes\CLSID\{D9AC5E73-BB10-467b-B884-AA1E475C51F5}]
[2015.05.08 14:47:53.246] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.05.08 14:47:53.248] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.05.08 14:47:53.249] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.05.08 14:47:53.250] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.05.08 14:47:53.250] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.05.08 14:47:53.250] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.05.08 14:47:53.250] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.05.08 14:47:53.250] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.05.08 14:47:53.250] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.05.08 14:47:53.250] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2015.05.08 14:47:53.253] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.05.08 14:47:53.255] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.05.08 14:47:53.255] - INFO: (XSW) Scanning for XSW variant...
[2015.05.08 14:47:53.260] - INFO: (XSW) Processing users subkeys...
[2015.05.08 14:47:53.263] - INFO: Win32/Poweliks not found
[2015.05.08 14:49:33.871] - End
 
Good :)

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2

  • Close all the running programs
  • Windows Vista/7/8 users: right-click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE: If you already have MBAM 2.0 installed, scroll down.

  • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


If you already have MBAM 2.0 installed:

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

How to get logs:
(Export log to save as txt)


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.


(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
 
Dude, You Rock!
Here is RK.

RogueKiller V10.6.2.0 [May 4 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Neal [Administrator]
Started from : C:\Users\Neal\Desktop\RogueKiller.exe
Mode : Delete -- Date : 05/08/2015 15:16:12

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
[PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS547564A9E384 SATA Disk Device +++++
--- User ---
[MBR] eaa93bc072eea7461895903666ebf1e0
[BSP] 43085d0ea2d5c5f36c9a60da872f061e : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 578935 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1187274752 | Size: 450 MB
5 - [SYSTEM] Basic data partition | Offset (sectors): 1188196352 | Size: 30306 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: CBM2080 Flash Disk USB Device +++++
--- User ---
[MBR] 1dc4f576e295253aec3e276ea38b4a33
[BSP] 8820f824590844e2c45740a38ac00a7e : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] FAT16-LBA (0xe) [VISIBLE] Offset (sectors): 63 | Size: 498 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_05082015_151509.log
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/8/2015
Scan Time: 3:22:01 PM
Logfile: mbamscanlog.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.08.08
Rootkit Database: v2015.04.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Neal

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 470918
Time Elapsed: 57 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 9
Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\CBFD.tmp, Quarantined, [08302a6741499b9ba1f686cfc1417a86],
Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\1DA9.tmp, Quarantined, [132596fbb4d67bbb8e14b5c135cb25db],
Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\8A9C.tmp, Quarantined, [1325583924661a1c3463eb6ab15109f7],
Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\908F.tmp, Quarantined, [5bdd4a473654d36303c404051de96997],
Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\9090.tmp, Quarantined, [43f595fc93f73afc4d7ac049689ef10f],
Trojan.Agent, C:\Users\Neal\AppData\Local\Temp\919A.tmp, Quarantined, [54e4741d593189ad18af858429dde020],
Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\A8D4.tmp, Quarantined, [2513533e5d2d2214a5f28acb966c4bb5],
Trojan.Zbot, C:\Users\Neal\AppData\Local\Temp\1B3.tmp, Quarantined, [cd6b474a107ad363aaedcc89c83a2dd3],
CryptoWall.Trace, C:\Users\Neal\Desktop\HELP_DECRYPT.PNG, Quarantined, [74c40f82f496db5b04d0b9a60df82ad6],

Physical Sectors: 0
(No malicious items detected)


(end)
 
# AdwCleaner v4.203 - Logfile created 08/05/2015 at 16:26:34
# Updated 30/04/2015 by Xplode
# Database : 2015-05-08.1 [Server]
# Operating system : Windows 8.1 (x64)
# Username : Neal - HOMESCHOOL1
# Running from : C:\Users\Neal\Desktop\adwcleaner_4.203.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v32.0.1 (x86 en-US)


*************************

AdwCleaner[R0].txt - [735 bytes] - [08/05/2015 16:24:26]
AdwCleaner[S0].txt - [661 bytes] - [08/05/2015 16:26:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [719 bytes] ##########
 