Everything posted by jimthom

  1. Maniac, I can't believe I had all of those nasties on my computer. I'm doing another scan with ESET. Thanks, Jim

ESET Scan Results:
C:\Users\All Users\Browser Manager\2.5.976.107\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\mngr.crx  Win32/bProtector.D application
C:\Users\All Users\Browser Manager\2.5.976.107\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\FirefoxExtension\content\mngr.js  Win32/bProtector.C application
C:\$RECYCLE.BIN\S-1-5-21-1938810720-712540534-2006144177-1000\$RGV4BGC.lnk  Win32/Reveton.M trojan  cleaned by deleting - quarantined
C:\FRST\Quarantine\regmonstd.lnk  Win32/Reveton.M trojan  cleaned by deleting - quarantined
C:\Program Files (x86)\EaseUS\Todo Backup\bin\PxeServer.dll  a variant of Win32/TFTPD32.A application  cleaned by deleting - quarantined
C:\ProgramData\Browser Manager\2.5.976.107\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\mngr.crx  Win32/bProtector.D application  deleted - quarantined
C:\ProgramData\Browser Manager\2.5.976.107\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\FirefoxExtension\content\mngr.js  Win32/bProtector.C application  cleaned by deleting - quarantined
C:\Users\Jim\AppData\Local\Temp\AskSLib.dll  a variant of Win32/Bundled.Toolbar.Ask application  cleaned by deleting - quarantined
C:\Users\Jim\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\34327d4-20681dbd  multiple threats  cleaned by deleting - quarantined
C:\Users\Jim\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\77d9ea8-174e3877  Java/Exploit.Agent.OLC trojan  cleaned by deleting - quarantined
C:\Users\Jim\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\5177d46a-6cd1cfa3  a variant of Java/Exploit.CVE-2013-1493.EG trojan  cleaned by deleting - quarantined
C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe  Win32/OpenCandy application  cleaned by deleting - quarantined
C:\Users\Jim\Downloads\tb_free.exe  a variant of Win32/TFTPD32.A application  cleaned by deleting - quarantined
  2. Hi Maniac, unless you have seen anything specific in the logs to suggest I proceed with ComboFix, I'm going to pull the plug. At this stage I'm more worried about using ComboFix than I am about Ransom remnants. I'm pretty sure Kaspersky removed all the active elements except for the ones you helped me with. I'm basing this on the fact that he recognized the trojan and removed nine elements from my computer, and I don't think he would leave anything lurking there dormant, waiting for the right conditions to manifest itself. If I'm wrong I suppose I will find out about it eventually, but it couldn't be anything worse than the original infestation, and my computer is not mission critical for business. I've done a backup, so if worst comes to worst I can still get it back to its current condition. Thank you, Jim
  3. DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.25.2
Run by Jim at 21:36:52 on 2013-07-10
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.4095.1164 [GMT 10:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Windows\Explorer.EXE
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\SysWOW64\WinService.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\LaunchMate\LnchMate.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\ehome\mcGlidHost.exe
C:\Program Files (x86)\LaunchMate\Folders\Games\freecell.exe
C:\Windows\system32\prevhost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe,
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.3.0.11\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.3.0.11\AVG Secure Search_toolbar.dll
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [ASUS Easy Update] C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe
mRun: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [sAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRun: [Mobile Partner] C:\Program Files (x86)\Optus Mini WiFi\Optus Mini WiFi Modem
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LAUNCH~1.LNK - C:\Program Files (x86)\LaunchMate\LnchMate.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: C:\Windows\System32\ASProxy.dll
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{78B716B8-73E0-43B1-8B09-FA6C48769121} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{78B716B8-73E0-43B1-8B09-FA6C48769121}\45548435F5236414445334 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{78B716B8-73E0-43B1-8B09-FA6C48769121}\C696E6B6379737 : DHCPNameServer = 192.168.0.1 8.8.8.8
TCP: Interfaces\{78B716B8-73E0-43B1-8B09-FA6C48769121}\D4646303F5249314345454 : DHCPNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{9C0C5852-68CF-4095-A45C-AF7D25B49B5B} : DHCPNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{C09B1532-53EE-473B-96F3-85E40F0BB221} : DHCPNameServer = 198.18.0.1
TCP: Interfaces\{F7263611-5FDC-408F-9ADA-D38BFFB83867}\C696E6B6379737 : DHCPNameServer = 192.168.0.1 8.8.8.8
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\15.3.0\ViProtocol.dll
AppInit_DLLs= c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: {BA3E58F7-60C6-485E-A775-0C1FD9C0E55E} - <orphaned>
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-2-8 71480]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-2-8 311096]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-2-8 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-2-8 45880]
R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\drivers\SCMNdisP.sys [2011-5-17 25312]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);C:\Windows\System32\drivers\tdrpm273.sys [2011-5-25 1263200]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-3-29 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-2-8 206136]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-9-6 45856]
R2 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2012-5-7 3246040]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-5-14 4937264]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-4-18 283136]
R3 afcdp;afcdp;C:\Windows\System32\drivers\afcdp.sys [2012-5-7 285280]
R3 asvpndrv;Astrill SSL VPN Adapter;C:\Windows\System32\drivers\asvpndrv.sys [2012-9-27 31744]
R3 EST_BusEnum;Network USB Device Bus;C:\Windows\System32\drivers\GenBus.sys [2009-10-6 29696]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2013-4-13 86016]
R3 ITECIRfilter;ITECIR Filter Driver;C:\Windows\System32\drivers\ITECIRfilter.sys [2011-3-22 28264]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-5-18 25928]
R3 NUS_Bus;Network USB Server Bus;C:\Windows\System32\drivers\NUS_Bus.sys [2010-1-28 30208]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-4-28 83080]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-4-28 184968]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 ASOVPNHelper;Astrill OpenVPN Service;C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [2012-9-27 434928]
S3 ASProxy;ASProxy;C:\Program Files (x86)\Astrill\ASProxy.exe [2012-9-27 1918888]
S3 EST_Server;Network USB Device;C:\Windows\System32\drivers\GenHC.sys [2009-10-6 199168]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2013-4-13 117248]
S3 ewusbmbb;HUAWEI USB-WWAN miniport;C:\Windows\System32\drivers\ewusbwwan.sys [2013-4-13 415744]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-5-17 61280]
S3 huawei_cdcacm;huawei_cdcacm;C:\Windows\System32\drivers\ew_jucdcacm.sys [2013-4-13 98816]
S3 huawei_cdcecm;huawei_cdcecm;C:\Windows\System32\drivers\ew_jucdcecm.sys [2013-4-13 69632]
S3 huawei_ext_ctrl;huawei_ext_ctrl;C:\Windows\System32\drivers\ew_juextctrl.sys [2013-4-13 28672]
S3 IT9135BDA;IT9135 BDA Devices;C:\Windows\System32\drivers\IT9135BDA.sys [2012-10-1 164736]
S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2012-5-8 33096]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\System32\drivers\netr28x.sys [2009-6-11 620544]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-1 19456]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2011-5-18 31800]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\Windows\System32\drivers\wg111v2.sys [2011-5-17 340992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-1 57856]
S3 ZTEusbnet;ZTE USB-NDIS miniport;C:\Windows\System32\drivers\ZTEusbnet.sys [2013-1-7 137728]
.
=============== Created Last 30 ================
.
2013-07-06 22:26:36 -------- d-----w- C:\FRST
2013-07-06 20:17:09 -------- d-----w- C:\Temp
2013-07-05 03:49:34 -------- d-----w- C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-01 05:15:36 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-25 12:55:25 -------- d-----w- C:\Program Files (x86)\Auslogics
2013-06-12 03:19:17 9089416 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-06-11 22:45:22 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-06-11 22:45:22 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-06-11 22:45:22 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-06-11 22:45:21 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-06-11 22:45:21 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-06-11 22:45:21 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-06-11 22:45:21 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-06-11 22:45:21 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-06-11 22:45:21 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-06-11 22:45:21 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-06-11 22:44:58 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-06-11 22:44:57 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-06-11 22:44:48 1887232 ----a-w- C:\Windows\System32\d3d11.dll
2013-06-11 22:44:48 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-06-11 22:44:43 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-06-11 22:44:33 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-06-11 22:44:33 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-06-11 22:44:32 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-06-11 22:44:32 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
.
==================== Find3M ====================
.
2013-07-01 05:15:16 867240 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-07-01 05:15:16 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-27 07:27:03 45856 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2013-06-12 04:29:03 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 04:29:03 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-17 03:09:56 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-17 03:02:29 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-05-17 03:01:13 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-05-17 02:56:09 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-05-17 02:56:00 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-05-17 02:51:27 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-16 22:39:39 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-16 22:28:26 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-16 22:27:30 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-05-16 22:21:37 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-05-16 22:20:30 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-05-16 22:16:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2003-07-30 04:12:32 473340 ----a-w- C:\Program Files (x86)\setup.exe
.
============= FINISH: 21:38:48.40 ===============
  4. Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 17/05/2011 7:32:25 PM
System Uptime: 10/07/2013 9:34:12 AM (12 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | EB1501P
Processor: Intel® Atom CPU D525 @ 1.80GHz | BGA 473 | 1795/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 80 GiB total, 32.657 GiB free.
D: is FIXED (NTFS) - 203 GiB total, 188.257 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: HP Color LaserJet 2600n
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: Hewlett-Packard
Name: HP Color LaserJet 2600n
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Deskjet D5500 series
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: HP
Name: Deskjet D5500 series
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
64 Bit HP CIO Components Installer Acronis True Image Home 2011 Adobe AIR Adobe Flash Player 11 ActiveX Adobe Flash Player 11 Plugin Adobe Reader XI (11.0.03) Adobe Shockwave Player 12.0 Amazon Kindle Any Video Converter 3.5.7 Astrill ASUS WebStorage Atheros Client Installation Program µTorrent Aura Software Manager 1.0.3 Aura Video Converter 1.3.1 Auslogics Disk Defrag AVG 2013 AVG Security Toolbar AXIS Media Control Embedded BlazeDTV 6.0 Bungee 6.5 Canon MP Navigator EX 4.0 CanoScan LiDE 110 Scanner Driver CCleaner CruzPro MaxVu110 CruzPro MaxVu110 (C:\Program Files (x86)\CruzPro MaxVu110\) CruzPro PC Fishfinder CruzPro PC Fishfinder (C:\Program Files (x86)\PC Fishfinder\) CutePDF Writer 2.8 DJ_SF_06_D5500_SW_Min EasyBCD 2.1.2 findit_pi 1.0 FleetMon Explorer FREE Thailand 2010_R9 MAR 2010 Garmin MapSource Garmin nRoute Garmin USB Drivers Garmin WorldMap v4 Google Desktop Google Earth Google Update Helper GPSBabel 1.4.4 HD Youtube Downloader Free HP Deskjet D5500 Printer Driver 14.0 Rel. 
6 ImgBurn Intel® Matrix Storage Manager IrfanView (remove only) ITE Infrared Transceiver Java 7 Update 25 Java Auto Updater Junk Mail filter update LaunchMate Lizard Safeguard - PDF Viewer 2.6.25 logbookkonni_pi 1.1 Malwarebytes Anti-Malware version 1.75.0.1300 Microsoft .NET Framework 4 Client Profile Microsoft Application Error Reporting Microsoft Choice Guard Microsoft Search Enhancement Pack Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Sync Framework Runtime Native v1.0 (x86) Microsoft Sync Framework Services Native v1.0 (x86) Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Mobile Hotspot Mozilla Thunderbird 17.0.7 (x86 en-US) MSVCRT MSXML 4.0 SP3 Parser (KB2721691) MSXML 4.0 SP3 Parser (KB2758694) MSXML 4.0 SP3 Parser (KB973685) Navi Weather (64bit) 2.03 NETGEAR WG111v2 wireless USB 2.0 adapter Network64 NVIDIA Display Control Panel NVIDIA Drivers NVIDIA HD Audio Driver 1.3.18.0 NVIDIA Install Application OpenCPN 3.2.0 OpenOffice.org 3.4.1 Optus Mini WiFi Modem Optus Mobile Broadband OSM-PH Garmin maps latest PeaZip 3.8 PL-2303 USB-to-Serial PlayReady PC Runtime amd64 PolarCOM PolarView NS Realtek Ethernet Controller Driver For Windows 7 Realtek High Definition Audio Driver Remove Empty Directories version 2.2 Renesas Electronics USB 3.0 Host Controller Driver Revo Uninstaller Pro 2.5.8 Sailing Directions (Planning Guide) - Pub 120 -- Pacific Ocean and Southeast 
Asia (8th Ed) 2011 Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708) Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449) Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019) Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595) Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642) Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576) Silicon Laboratories CP210x USB to UART Bridge (Driver Removal) Silicon Laboratories CP210x VCP Drivers for Windows XP/2003 Server/Vista/7 Skype Click to Call Skype™ 6.5 Splash Lite swMSM Toolbox Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) Update for Microsoft .NET Framework 4 Client Profile (KB2836939) USB Server Visual Passage Planner 2 Visual Studio 2008 x64 Redistributables Visual Studio 2010 x64 Redistributables Windows Automated Installation Kit Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0) Windows Live Call Windows Live 
Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinHTTrack Website Copier 3.44-1 (x64)
WinRAR 4.01 (32-bit)
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
10/07/2013 9:35:02 PM, Error: Service Control Manager [7031] - The Windows Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
10/07/2013 8:22:01 AM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
09/07/2013 8:46:50 AM, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
09/07/2013 10:33:28 PM, Error: Microsoft-Windows-BitLocker-Driver [24620] - Encrypted volume check: Volume information on cannot be read.
07/07/2013 5:47:22 PM, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
07/07/2013 5:47:22 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\DR0.
07/07/2013 12:56:51 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WwanSvc service.
05/07/2013 8:25:06 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MBAMScheduler service.
04/07/2013 3:29:48 PM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
03/07/2013 5:11:21 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
.
==== End Of File ===========================
  5. Thanks Maniac for all your help; I've followed your instructions. Cheers, Jim
  6. More to come:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.09.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jim :: NAVIGATION [administrator]

Protection: Enabled

10/07/2013 8:58:38 PM
mbam-log-2013-07-10 (20-58-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222625
Time elapsed: 18 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  7. Thank you Maniac, that has fixed it. No more error message, and regmonstd.lnk is removed from the startup folder. Cheers, Jim
  8. The new one Maniac:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-07-2013
Ran by SYSTEM on 09-07-2013 22:45:56
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [390720 2011-02-01] (Acronis)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-04-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [ASUS Easy Update] C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe [195200 2009-12-30] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2013-03-15] (Google)
HKLM-x32\...\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [5550984 2011-09-22] (Acronis)
HKLM-x32\...\Run: [sAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2536760 2011-09-21] (Acronis)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2236080 2013-06-26] ()
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S [740736 2012-08-03] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll [123392 2013-03-15] (Google)
Startup: C:\ProgramData\Start Menu\Programs\Startup\LaunchMate.lnk
ShortcutTarget: LaunchMate.lnk -> C:\Program Files (x86)\LaunchMate\LnchMate.exe (TDRWare)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

==================== Services (Whitelisted) =================

S3 ASOVPNHelper; C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [434928 2012-05-25] (Astrill)
S3 ASProxy; C:\Program Files (x86)\Astrill\ASProxy.exe [1918888 2013-02-18] (Astrill)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-17] (AVG Technologies CZ, s.r.o.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2013-03-15] (Google)
S2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-03] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-03] (Malwarebytes Corporation)
S2 SCM_Service; C:\Windows\SysWOW64\WinService.exe [180224 2007-07-16] ()
S2 vToolbarUpdater15.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [1598128 2013-06-26] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
S3 asvpndrv; C:\Windows\System32\DRIVERS\asvpndrv.sys [31744 2012-02-29] (Astrill)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-06-26] (AVG Technologies)
S3 EST_BusEnum; C:\Windows\System32\DRIVERS\GenBus.sys [29696 2009-10-05] ( )
S3 EST_Server; C:\Windows\System32\DRIVERS\GenHC.sys [199168 2009-10-05] ( )
S3 IT9135BDA; C:\Windows\System32\Drivers\IT9135BDA.sys [164736 2012-09-30] (ITE )
S3 ITECIRfilter; C:\Windows\System32\DRIVERS\ITECIRfilter.sys [28264 2011-03-21] (ITE Tech. Inc. )
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-21] ()
S3 NUS_Bus; C:\Windows\System32\DRIVERS\NUS_Bus.sys [30208 2010-01-27] (Elite Silicon Technology Inc.)
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-25] (NETGEAR Inc.)
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-08 03:29 - 2013-07-09 01:44 - 00009911 ____A C:\Users\Jim\Documents\Offshore.ods
2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
2013-07-04 20:09 - 2013-07-04 20:10 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-04 19:33 - 2013-07-04 19:35 - 03469871 ____A (LIGHTNING UK!)
C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe 2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip 2013-06-30 21:16 - 2013-06-30 21:15 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll 2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT 2013-06-28 17:08 - 2013-07-08 14:45 - 00002184 ____A C:\Windows\setupact.log 2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT 2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log 2013-06-25 18:18 - 2013-06-25 19:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird 2013-06-25 04:55 - 2013-06-25 04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics 2013-06-24 21:38 - 2013-07-08 15:00 - 00019607 ____A C:\Users\Jim\Documents\Blood Pressure.ods 2013-06-19 01:56 - 2013-07-05 15:08 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods 2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url 2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg 2013-06-11 19:19 - 2013-06-11 20:28 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe 2013-06-11 15:01 - 2013-05-16 20:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2013-06-11 15:01 - 2013-05-16 19:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2013-06-11 15:01 - 2013-05-16 19:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2013-06-11 15:01 - 2013-05-16 19:02 
- 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2013-06-11 15:01 - 2013-05-16 19:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2013-06-11 15:01 - 2013-05-16 19:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2013-06-11 15:01 - 2013-05-16 19:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2013-06-11 15:01 - 2013-05-16 18:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2013-06-11 15:01 - 2013-05-16 18:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll 2013-06-11 15:01 - 2013-05-16 18:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2013-06-11 15:01 - 2013-05-16 18:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2013-06-11 15:01 - 2013-05-16 18:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll 2013-06-11 15:01 - 2013-05-16 18:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2013-06-11 15:01 - 2013-05-16 18:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2013-06-11 15:01 - 2013-05-16 18:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2013-06-11 15:01 - 2013-05-16 18:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2013-06-11 15:01 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2013-06-11 15:01 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2013-06-11 15:01 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2013-06-11 15:01 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2013-06-11 15:01 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2013-06-11 15:01 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) 
C:\Windows\SysWOW64\inetcpl.cpl 2013-06-11 15:01 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2013-06-11 15:01 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2013-06-11 15:01 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2013-06-11 15:01 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2013-06-11 15:01 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2013-06-11 15:01 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2013-06-11 15:01 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2013-06-11 15:01 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2013-06-11 15:01 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2013-06-11 15:01 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2013-06-11 14:45 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll 2013-06-11 14:45 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll 2013-06-11 14:45 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll 2013-06-11 14:45 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll 2013-06-11 14:45 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll 2013-06-11 14:45 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll 2013-06-11 14:45 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll 2013-06-11 14:45 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe 
2013-06-11 14:45 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe 2013-06-11 14:45 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll 2013-06-11 14:44 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll 2013-06-11 14:44 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll 2013-06-11 14:44 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys 2013-06-11 14:44 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll 2013-06-11 14:44 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll 2013-06-11 14:44 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll 2013-06-11 14:44 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll 2013-06-11 14:44 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll 2013-06-11 14:44 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll ==================== One Month Modified Files and Folders ======= 2013-07-09 04:35 - 2011-05-17 16:23 - 01079074 ____A C:\Windows\WindowsUpdate.log 2013-07-09 04:17 - 2012-06-11 07:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job 2013-07-09 04:10 - 2011-12-10 18:10 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-07-09 01:44 - 2013-07-08 03:29 - 00009911 ____A C:\Users\Jim\Documents\Offshore.ods 2013-07-09 00:12 - 2011-05-18 02:24 - 00000000 ____D C:\ProgramData\MFAData 2013-07-08 22:10 - 2011-12-10 18:10 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-07-08 17:02 - 2011-07-03 00:58 - 00000000 ____D C:\ProgramData\opencpn 2013-07-08 15:00 - 2013-06-24 21:38 - 00019607 ____A C:\Users\Jim\Documents\Blood 
Pressure.ods 2013-07-08 14:53 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-07-08 14:53 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-07-08 14:46 - 2011-05-20 16:20 - 00000437 ____A C:\Windows\System32\Drivers\etc\hosts.ics 2013-07-08 14:45 - 2013-06-28 17:08 - 00002184 ____A C:\Windows\setupact.log 2013-07-08 14:45 - 2013-06-08 03:18 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job 2013-07-08 14:45 - 2013-06-03 00:06 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job 2013-07-08 14:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-07-08 05:03 - 2009-07-13 21:13 - 00738832 ____A C:\Windows\System32\PerfStringBackup.INI 2013-07-08 04:08 - 2011-06-07 23:02 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype 2013-07-06 22:05 - 2012-02-18 13:08 - 00000000 ____D C:\Windows\pss 2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST 2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url 2013-07-05 15:08 - 2013-06-19 01:56 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods 2013-07-04 20:10 - 2013-07-04 20:09 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg 2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log 2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy 2013-07-04 19:35 - 2013-07-04 19:33 - 03469871 ____A (LIGHTNING UK!) 
C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe 2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip 2013-07-03 19:57 - 2013-01-06 19:33 - 00000000 ____D C:\Program Files (x86)\SupportAppCB 2013-07-03 14:02 - 2011-05-19 05:21 - 00000272 ____A C:\Users\Jim\Documents\spider.sav 2013-06-30 22:11 - 2012-09-05 22:45 - 00000000 ____D C:\Users\Jim\AppData\Local\Avg2013 2013-06-30 21:23 - 2012-09-05 23:10 - 00000000 ____D C:\Program Files (x86)\Java 2013-06-30 21:15 - 2013-06-30 21:16 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll 2013-06-30 21:15 - 2012-09-05 23:11 - 00867240 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll 2013-06-30 21:15 - 2011-05-20 20:43 - 00789416 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll 2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT 2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT 2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log 2013-06-28 15:56 - 2011-07-15 17:10 - 00000000 ____D C:\Users\Jim\AppData\Roaming\uTorrent 2013-06-27 20:50 - 2012-09-05 22:55 - 00000000 ____D C:\ProgramData\AVG Secure Search 2013-06-26 23:27 - 2012-09-05 22:54 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys 2013-06-26 23:27 - 2012-09-05 22:54 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search 2013-06-25 19:17 - 2013-06-25 18:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird 2013-06-25 15:18 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV 2013-06-25 04:55 - 2013-06-25 
04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics 2013-06-21 04:29 - 2011-08-01 01:31 - 00000000 ____D C:\Users\Jim\AppData\Local\Mirillis 2013-06-20 01:21 - 2011-07-15 17:12 - 00000000 ____D C:\Program Files (x86)\uTorrent 2013-06-18 02:38 - 2013-06-01 15:05 - 00013451 ____A C:\Users\Jim\Documents\Forecast Data.ods 2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url 2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg 2013-06-15 05:20 - 2011-05-20 19:50 - 00000000 ____D C:\Program Files\CCleaner 2013-06-14 14:28 - 2009-07-13 21:08 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT 2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ___RD C:\Program Files (x86)\Skype 2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ____D C:\ProgramData\Skype 2013-06-11 20:29 - 2012-04-02 04:21 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2013-06-11 20:29 - 2011-05-27 18:10 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2013-06-11 20:28 - 2013-06-11 19:19 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe 2013-06-11 14:56 - 2011-05-17 03:58 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe ==================== Known DLLs (Whitelisted) ================ ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit 
C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= ==================== Memory info =========================== Percentage of memory in use: 15% Total physical RAM: 4095.24 MB Available physical RAM: 3450.07 MB Total Pagefile: 4093.39 MB Available Pagefile: 3444.22 MB Total Virtual: 8192 MB Available Virtual: 8191.86 MB ==================== Drives ================================ Drive c: (WIN7) (Fixed) (Total:80 GB) (Free:32.21 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)] Drive d: (DATA) (Fixed) (Total:203.05 GB) (Free:188.26 GB) NTFS (Disk=0 Partition=3) Drive f: () (Removable) (Total:0.1 GB) (Free:0.1 GB) FAT (Disk=2 Partition=1) Drive g: (CD_ROM) (CDROM) (Total:0.19 GB) (Free:0 GB) CDFS Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 05DA1A21) Partition 1: (Not Active) - (Size=15 GB) - (Type=1B) Partition 2: (Active) - (Size=80 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=203 GB) - (Type=07 NTFS) Partition 4: (Not Active) - (Size=39 MB) - (Type=EF) ======================================================== Disk: 2 (Size: 100 MB) (Disk ID: CD37E914) Partition 1: (Active) - (Size=100 MB) - (Type=06) LastRegBack: 2013-05-03 22:36 ==================== End Of Log ============================ Cheers, Jim
  9. Maniac, the error message still appears on normal booting:

     Rundll
     There was a problem starting c:\PROGRA~3\q6zniri.dat
     The specified module could not be found

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-07-2013
     Ran by SYSTEM at 2013-07-09 08:43:52 Run:2
     Running from F:\
     Boot Mode: Recovery

     ==============================================

     C:\PROGRA~3\q6zniri.dat not found.

     ==== End of Fixlog ====
  10. Here it is:

     Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-07-2013
     Ran by SYSTEM on 08-07-2013 22:52:15
     Running from G:\
     Windows 7 Professional (X64) OS Language: English(US)
     Internet Explorer Version 9
     Boot Mode: Recovery
     The current controlset is ControlSet001

     ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

     ==================== Registry (Whitelisted) ==================

     HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [390720 2011-02-01] (Acronis)
     HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-04-27] (Renesas Electronics Corporation)
     HKLM-x32\...\Run: [ASUS Easy Update] C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe [195200 2009-12-30] (ASUSTeK Computer Inc.)
     HKLM-x32\...\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2013-03-15] (Google)
     HKLM-x32\...\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [5550984 2011-09-22] (Acronis)
     HKLM-x32\...\Run: [sAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2536760 2011-09-21] (Acronis)
     HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
     HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2236080 2013-06-26] ()
     HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S [740736 2012-08-03] (ASUS Cloud Corporation)
     HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
     AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll [123392 2013-03-15] (Google)
     Startup: C:\ProgramData\Start Menu\Programs\Startup\LaunchMate.lnk
     ShortcutTarget: LaunchMate.lnk -> C:\Program Files (x86)\LaunchMate\LnchMate.exe (TDRWare)
     Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
     ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

     ==================== Services (Whitelisted) =================

     S3 ASOVPNHelper; C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [434928 2012-05-25] (Astrill)
     S3 ASProxy; C:\Program Files (x86)\Astrill\ASProxy.exe [1918888 2013-02-18] (Astrill)
     S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
     S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-17] (AVG Technologies CZ, s.r.o.)
     S3 GoogleDesktopManager-051210-111108; C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2013-03-15] (Google)
     S2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
     S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-03] (Malwarebytes Corporation)
     S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-03] (Malwarebytes Corporation)
     S2 SCM_Service; C:\Windows\SysWOW64\WinService.exe [180224 2007-07-16] ()
     S2 vToolbarUpdater15.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [1598128 2013-06-26] (AVG Secure Search)

     ==================== Drivers (Whitelisted) ====================

     S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
     S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
     S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
     S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
     S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
     S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
     S3 asvpndrv; C:\Windows\System32\DRIVERS\asvpndrv.sys [31744 2012-02-29] (Astrill)
     S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)
     S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-07] (AVG Technologies CZ, s.r.o.)
     S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-07] (AVG Technologies CZ, s.r.o.)
     S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-07] (AVG Technologies CZ, s.r.o.)
     S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-07] (AVG Technologies CZ, s.r.o.)
     S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-07] (AVG Technologies CZ, s.r.o.)
     S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
     S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-06-26] (AVG Technologies)
     S3 EST_BusEnum; C:\Windows\System32\DRIVERS\GenBus.sys [29696 2009-10-05] ( )
     S3 EST_Server; C:\Windows\System32\DRIVERS\GenHC.sys [199168 2009-10-05] ( )
     S3 IT9135BDA; C:\Windows\System32\Drivers\IT9135BDA.sys [164736 2012-09-30] (ITE )
     S3 ITECIRfilter; C:\Windows\System32\DRIVERS\ITECIRfilter.sys [28264 2011-03-21] (ITE Tech. Inc. )
     S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
     S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
     S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
     S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
     S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-21] ()
     S3 NUS_Bus; C:\Windows\System32\DRIVERS\NUS_Bus.sys [30208 2010-01-27] (Elite Silicon Technology Inc.)
     S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-25] (NETGEAR Inc.)
     S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [x]

     ==================== NetSvcs (Whitelisted) ===================

     ==================== One Month Created Files and Folders ========

     2013-07-08 03:29 - 2013-07-08 03:30 - 00009212 ____A C:\Users\Jim\Documents\Offshore.ods
     2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
     2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
     2013-07-04 20:09 - 2013-07-04 20:10 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
     2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
     2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
     2013-07-04 19:33 - 2013-07-04 19:35 - 03469871 ____A (LIGHTNING UK!) C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe
     2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip
     2013-06-30 21:16 - 2013-06-30 21:15 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
     2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
     2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
     2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
     2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT
     2013-06-28 17:08 - 2013-07-08 04:42 - 00001960 ____A C:\Windows\setupact.log
     2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT
     2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log
     2013-06-25 18:18 - 2013-06-25 19:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
     2013-06-25 04:55 - 2013-06-25 04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics
     2013-06-24 21:38 - 2013-07-07 21:25 - 00019412 ____A C:\Users\Jim\Documents\Blood Pressure.ods
     2013-06-19 01:56 - 2013-07-05 15:08 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods
     2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url
     2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg
     2013-06-11 19:19 - 2013-06-11 20:28 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
     2013-06-11 15:01 - 2013-05-16 20:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
     2013-06-11 15:01 - 2013-05-16 19:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
     2013-06-11 15:01 - 2013-05-16 19:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
     2013-06-11 15:01 - 2013-05-16 19:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
     2013-06-11 15:01 - 2013-05-16 19:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
     2013-06-11 15:01 - 2013-05-16 19:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
     2013-06-11 15:01 - 2013-05-16 19:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
     2013-06-11 15:01 - 2013-05-16 18:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
     2013-06-11 15:01 - 2013-05-16 18:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
     2013-06-11 15:01 - 2013-05-16 18:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
     2013-06-11 15:01 - 2013-05-16 18:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
     2013-06-11 15:01 - 2013-05-16 18:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
     2013-06-11 15:01 - 2013-05-16 18:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
     2013-06-11 15:01 - 2013-05-16 18:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
     2013-06-11 15:01 - 2013-05-16 18:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
     2013-06-11 15:01 - 2013-05-16 18:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
     2013-06-11 15:01 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
     2013-06-11 15:01 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
     2013-06-11 15:01 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
     2013-06-11 15:01 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
     2013-06-11 15:01 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
     2013-06-11 15:01 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
     2013-06-11 15:01 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
     2013-06-11 15:01 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
     2013-06-11 15:01 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
     2013-06-11 15:01 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
     2013-06-11 15:01 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
     2013-06-11 15:01 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
     2013-06-11 15:01 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
     2013-06-11 15:01 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
     2013-06-11 15:01 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
     2013-06-11 15:01 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
     2013-06-11 14:45 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
     2013-06-11 14:45 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
     2013-06-11 14:45 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
     2013-06-11 14:45 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
     2013-06-11 14:45 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
     2013-06-11 14:45 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
     2013-06-11 14:45 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
     2013-06-11 14:45 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
     2013-06-11 14:45 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
     2013-06-11 14:45 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
     2013-06-11 14:44 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
     2013-06-11 14:44 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
     2013-06-11 14:44 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
     2013-06-11 14:44 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
     2013-06-11 14:44 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
     2013-06-11 14:44 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
     2013-06-11 14:44 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
     2013-06-11 14:44 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
     2013-06-11 14:44 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
     2013-06-08 03:18 - 2013-07-08 04:42 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job

     ==================== One Month Modified Files and Folders =======

     2013-07-08 04:46 - 2011-05-17 16:23 - 01058728 ____A C:\Windows\WindowsUpdate.log
     2013-07-08 04:46 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2013-07-08 04:46 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2013-07-08 04:43 - 2011-05-20 16:20 - 00000437 ____A C:\Windows\System32\Drivers\etc\hosts.ics
     2013-07-08 04:42 - 2013-06-28 17:08 - 00001960 ____A C:\Windows\setupact.log
     2013-07-08 04:42 - 2013-06-08 03:18 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job
     2013-07-08 04:42 - 2013-06-03 00:06 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
     2013-07-08 04:42 - 2011-12-10 18:10 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
     2013-07-08 04:42 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
     2013-07-08 04:17 - 2012-06-11 07:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
     2013-07-08 04:10 - 2011-12-10 18:10 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
     2013-07-08 04:08 - 2011-06-07 23:02 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype
     2013-07-08 03:30 - 2013-07-08 03:29 - 00009212 ____A C:\Users\Jim\Documents\Offshore.ods
     2013-07-07 23:59 - 2011-05-18 02:24 - 00000000 ____D C:\ProgramData\MFAData
     2013-07-07 21:25 - 2013-06-24 21:38 - 00019412 ____A C:\Users\Jim\Documents\Blood Pressure.ods
     2013-07-06 23:20 - 2009-07-13 21:13 - 00738832 ____A C:\Windows\System32\PerfStringBackup.INI
     2013-07-06 22:05 - 2012-02-18 13:08 - 00000000 ____D C:\Windows\pss
     2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
     2013-07-06 02:19 - 2011-07-03 00:58 - 00000000 ____D C:\ProgramData\opencpn
     2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
     2013-07-05 15:08 - 2013-06-19 01:56 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods
     2013-07-04 20:10 - 2013-07-04 20:09 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
     2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
     2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
     2013-07-04 19:35 - 2013-07-04 19:33 - 03469871 ____A (LIGHTNING UK!)
C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe 2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip 2013-07-03 19:57 - 2013-01-06 19:33 - 00000000 ____D C:\Program Files (x86)\SupportAppCB 2013-07-03 14:02 - 2011-05-19 05:21 - 00000272 ____A C:\Users\Jim\Documents\spider.sav 2013-06-30 22:11 - 2012-09-05 22:45 - 00000000 ____D C:\Users\Jim\AppData\Local\Avg2013 2013-06-30 21:23 - 2012-09-05 23:10 - 00000000 ____D C:\Program Files (x86)\Java 2013-06-30 21:15 - 2013-06-30 21:16 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe 2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll 2013-06-30 21:15 - 2012-09-05 23:11 - 00867240 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll 2013-06-30 21:15 - 2011-05-20 20:43 - 00789416 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll 2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT 2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT 2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log 2013-06-28 15:56 - 2011-07-15 17:10 - 00000000 ____D C:\Users\Jim\AppData\Roaming\uTorrent 2013-06-27 20:50 - 2012-09-05 22:55 - 00000000 ____D C:\ProgramData\AVG Secure Search 2013-06-26 23:27 - 2012-09-05 22:54 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys 2013-06-26 23:27 - 2012-09-05 22:54 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search 2013-06-25 19:17 - 2013-06-25 18:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird 2013-06-25 15:18 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV 2013-06-25 04:55 - 2013-06-25 
04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics 2013-06-21 04:29 - 2011-08-01 01:31 - 00000000 ____D C:\Users\Jim\AppData\Local\Mirillis 2013-06-20 01:21 - 2011-07-15 17:12 - 00000000 ____D C:\Program Files (x86)\uTorrent 2013-06-18 02:38 - 2013-06-01 15:05 - 00013451 ____A C:\Users\Jim\Documents\Forecast Data.ods 2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url 2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg 2013-06-15 05:20 - 2011-05-20 19:50 - 00000000 ____D C:\Program Files\CCleaner 2013-06-14 14:28 - 2009-07-13 21:08 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT 2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ___RD C:\Program Files (x86)\Skype 2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ____D C:\ProgramData\Skype 2013-06-11 20:29 - 2012-04-02 04:21 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2013-06-11 20:29 - 2011-05-27 18:10 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2013-06-11 20:28 - 2013-06-11 19:19 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe 2013-06-11 14:56 - 2011-05-17 03:58 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe ==================== Known DLLs (Whitelisted) ================ ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit 
C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= ==================== Memory info =========================== Percentage of memory in use: 15% Total physical RAM: 4095.24 MB Available physical RAM: 3450.04 MB Total Pagefile: 4093.39 MB Available Pagefile: 3436.92 MB Total Virtual: 8192 MB Available Virtual: 8191.86 MB ==================== Drives ================================ Drive c: (WIN7) (Fixed) (Total:80 GB) (Free:32.75 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)] Drive d: (DATA) (Fixed) (Total:203.05 GB) (Free:188.26 GB) NTFS (Disk=0 Partition=3) Drive f: (CD_ROM) (CDROM) (Total:0.19 GB) (Free:0 GB) CDFS Drive g: () (Removable) (Total:0.1 GB) (Free:0.1 GB) FAT (Disk=2 Partition=1) Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 05DA1A21) Partition 1: (Not Active) - (Size=15 GB) - (Type=1B) Partition 2: (Active) - (Size=80 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=203 GB) - (Type=07 NTFS) Partition 4: (Not Active) - (Size=39 MB) - (Type=EF) ======================================================== Disk: 2 (Size: 100 MB) (Disk ID: CD37E914) Partition 1: (Active) - (Size=100 MB) - (Type=06) LastRegBack: 2013-05-03 22:36 ==================== End Of Log ============================ Thanks Maniac
  11. Sorry, forgot to mention that there are files in that startup folder: desktop.ini, regmonstd
  12. Maniac; when I boot normally there is still the error message regarding 'file not found' from, I think:
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)
Can I now just delete the entire folder C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup? I can also disable it with CCleaner so it doesn't run at startup. Thanks, Jim
  13. Thanks Maniac, here is the text file from the fixlog:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-07-2013
Ran by SYSTEM at 2013-07-07 16:34:33 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
C:\PROGRA~3\q6zniri.dat not found.
C:\ProgramData\irinz6q.bat => Moved successfully.
C:\ProgramData\irinz6q.pad => Moved successfully.
C:\ProgramData\kjhy64.txt => Moved successfully.
C:\ProgramData\irinz6q.reg => Moved successfully.
C:\Users\Jim\AppData\Roaming\skype.ini => Moved successfully.
==== End of Fixlog ====
  14. Hi Maniac; I can see the offending item at the end of the Registry whitelisted log:
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)
Cheers, Jim
  15. Hi Maniac; This is the txt file saved by FRST: Thanks, Jim
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-07-2013
Ran by SYSTEM on 06-07-2013 14:27:07
Running from G:\
Windows 7 Professional (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [390720 2011-02-01] (Acronis)
HKLM-x32\...\Winlogon: [shell] C:\PROGRA~3\irinz6q.bat [x ] ()
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-04-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [ASUS Easy Update] C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe [195200 2009-12-30] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2013-03-15] (Google)
HKLM-x32\...\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [5550984 2011-09-22] (Acronis)
HKLM-x32\...\Run: [sAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2536760 2011-09-21] (Acronis)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2236080 2013-06-26] ()
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S [740736 2012-08-03] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll [123392 2013-03-15] (Google)
Startup: C:\ProgramData\Start Menu\Programs\Startup\LaunchMate.lnk
ShortcutTarget: LaunchMate.lnk -> C:\Program Files (x86)\LaunchMate\LnchMate.exe (TDRWare)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)
Files to move or delete:
====================
C:\Users\Jim\AppData\Roaming\skype.ini
C:\ProgramData\irinz6q.bat
C:\ProgramData\irinz6q.pad
C:\ProgramData\irinz6q.reg
==================== End Of Log ============================
  16. I didn't get very far, Maniac. Windows was preloaded so no disk, and 'F8' only gives me a choice of boot devices (HD/DVD). I do have a bootable disk that has the drivers and access to the command prompt. Will that do? Thanks, Jim
  17. Thank you Maniac, I'll get started straight away. Cheers, Jim
  18. I was infected with the Ransom Trojan. I had Malwarebytes Pro running at the time but I still got infected. I ran Malwarebytes in safe mode with the latest update and it didn't detect it. I then ran the Kaspersky rescue disk and that removed it, but when booting the computer (win7/pro) I get an error which I believe originates from run.bat or start.bat (?) calling on a dll that no longer exists because it was part of the Ransom Trojan. The dll is called by SupportApp.bat. Is there a log I can view that tells me what is happening during boot-up? Can the boot instructions be edited? Thank you, Jim
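As an added example (not from the thread, and not part of FRST or any other tool named here), the PowerShell below (3.0 or later, run from an elevated prompt) audits the three persistence locations this thread's FRST output turned up: the Winlogon Shell value the Fixlog in post 13 restored, the AppInit_DLLs entry, and Startup-folder .lnk files whose target no longer exists, which is what produces the 'file not found' message described in posts 12 and 18. Function and column names are mine; the script only reads and reports, it removes nothing.

```powershell
# Added audit script (not from the thread or from FRST). Read-only: it reports
# the persistence locations seen in this thread's FRST log and changes nothing.
# Requires PowerShell 3.0+; run elevated so the HKLM values are fully readable.

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
$StartupFolders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)

function Get-WinlogonShellStatus {
    # Shell is what Winlogon launches after logon and should be exactly 'explorer.exe'.
    # In this thread the 32-bit view pointed at C:\PROGRA~3\irinz6q.bat until the
    # FRST fix restored it. An absent value (common under WOW6432Node) is fine.
    foreach ($key in $WinlogonKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $shell = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Shell
        $ok = [string]::IsNullOrEmpty($shell) -or ($shell.Trim() -ieq 'explorer.exe')
        [pscustomobject]@{
            Check    = 'Winlogon Shell'
            Location = $key
            Value    = $shell
            Status   = if ($ok) { 'OK' } else { 'SUSPICIOUS' }
        }
    }
}

function Get-AppInitDllStatus {
    # AppInit_DLLs are loaded into every process that links user32.dll, which is why
    # FRST lists them. Here the mngr.dll entry came from the same "Browser Manager"
    # directory ESET later flagged, so any non-empty value is marked for review.
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $dlls  = [string]$props.AppInit_DLLs
        [pscustomobject]@{
            Check    = 'AppInit_DLLs (LoadAppInit_DLLs={0})' -f $props.LoadAppInit_DLLs
            Location = $key
            Value    = $dlls
            Status   = if ([string]::IsNullOrWhiteSpace($dlls)) { 'OK' } else { 'REVIEW' }
        }
    }
}

function Get-StartupShortcutStatus {
    # Every .lnk in a Startup folder runs at logon. A shortcut whose target is gone
    # (regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat in the FRST log) is exactly what
    # leaves a 'file not found' message once the payload itself has been removed.
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -Filter *.lnk -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target   = $wsh.CreateShortcut($_.FullName).TargetPath
                $resolved = [Environment]::ExpandEnvironmentVariables($target)
                $status   = if ([string]::IsNullOrWhiteSpace($resolved)) { 'NO TARGET' }
                            elseif (Test-Path -LiteralPath $resolved) { 'OK' }
                            else { 'DANGLING' }
                [pscustomobject]@{
                    Check    = 'Startup shortcut'
                    Location = $_.FullName
                    Value    = $target
                    Status   = $status
                }
            }
    }
}

$report = @(Get-WinlogonShellStatus) + @(Get-AppInitDllStatus) + @(Get-StartupShortcutStatus)
$report | Format-Table -Property Status, Check, Value, Location -AutoSize -Wrap

# Everything that is not OK is what a helper would want to see before deciding what to remove.
$findings = @($report | Where-Object { $_.Status -ne 'OK' })
if ($findings.Count -gt 0) { Write-Warning ("{0} item(s) need review" -f $findings.Count) }
```

A DANGLING row points at one specific .lnk file, so the shortcut itself can be dealt with rather than the whole Startup folder asked about in post 12.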