Jump to content

beener7

Members
  • Posts

    31
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Today some of my contacts received an email with my name in the subject line, my name in the body of the email and my name in the email address area. The actual email address it was sent from is NOT my email address and I have never seen it before. The body said: Have you seen this http://buddhismaudiobook.com/make.phpbefore? Oprah had been using it for over a year! Jim Sanok One of the receipients sent me the internet header properties. My computer was heavily infected about 8 weeks ago but is now clear and nicely protected. Please look at the internet header properties and let me know if I have anything to be worried about. How can this happen? Thank you! Received: from CDBMBCP05.corp.zoetis.com (172.24.10.26) by CDBMBCP01.corp.zoetis.com (172.24.10.10) with Microsoft SMTP Server (TLS) id 15.0.775.38 via Mailbox Transport; Fri, 29 May 2015 17:39:21 -0500 Received: from kzdzf202.corp.zoetis.com (192.168.138.182) by CDBMBCP05.corp.zoetis.com (172.24.10.87) with Microsoft SMTP Server (TLS) id 15.0.775.38; Fri, 29 May 2015 17:39:21 -0500 Received: by kzdzf202.corp.zoetis.com (Postfix, from userid 600) id 3lz1B94fBMz3BGQ6; Fri, 29 May 2015 22:42:28 +0000 (UTC) Received: from AAAIBEV01.800onemail.com (unknown [10.6.81.198]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by kzdzf202.corp.zoetis.com (Postfix) with ESMTPS id 3lz19r6Bcsz3BGQ0 for <***chomp***>; Fri, 29 May 2015 22:42:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=800onemail.com; s=efw; h=Content-Type:MIME-Version:To:Subject:From:Date:Message-ID; bh=zWe/ooQT4CEwcBNsLqdelpvNHOgQ215qHRdfw2X2+M4=; b=GXkVi8ATmmLjYnXOdFx89Vbp5sPpnI2NZ9rH5J2KABLeqWegA/VMVCmpQ5DSPbhvhYypGECwSALqN2nuLnQDK+onE2LKda4BcqfjOdUNtKWpLuFpO4cNctdUf3bVcaBALH2rLc0szkdOpt5apwztm8mf601nd92PkfPfmo5ajbo=; Received: from [192.168.162.142] (helo=cx282-n02.800onemail.com) by AAAIBEV01.800onemail.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <spam.ndr@ndr.800onemail.com>) id 1YySvf-0007GF-4R for ***chomp***; Fri, 29 May 2015 18:39:03 -0400 Received: from AAACCEV01.800onemail.com ([192.168.162.175]) by cx282-n02.800onemail.com (8.13.8/8.13.8) with ESMTP id t4TMd3dv022105 for <***chomp***>; Fri, 29 May 2015 18:39:03 -0400 Received: from localhost.localdomain (localhost [127.0.0.1]) by AAACCEV01.800onemail.com (Postfix) with ESMTP id 09D04BFC00 for <***chomp***>; Fri, 29 May 2015 18:39:03 -0400 (EDT) Received: from epdmail.epdmail.engr.wisc.edu (unverified [144.92.225.225]) by CX262.800onemail.com (Vircom SMTPRS 5.61.102.18050/10713) with ESMTP id <B0180362122@CX262.800onemail.com> for <***chomp***>; Thu, 28 May 2015 10:27:23 -0400 Received-SPF: none (CX262.800onemail.com: domain of ***chomp*** does not designate any permitted senders) X-Modus-BlackList: 144.92.225.225=OK;***chomp***=OK X-Modus-RBL: 144.92.225.225=OK X-Modus-Trusted: 144.92.225.225=NO X-Modus-Audit: FALSE;0;0;0 Received: from [123.110.186.204] (account ***chomp*** HELO epdmail.engr.wisc.edu) by epdmail.engr.wisc.edu (CommuniGate Pro SMTP 6.0.11) with ESMTPA id 536288; Thu, 28 May 2015 09:22:21 -0500 X-Mailer: YahooMailIosMobile/0.0 YahooMailWebService/0.8.203.740 Message-ID: <7212d80e4744$33f13f27$bc300b1a$@epd.engr.wisc.edu> Date: Thu, 28 May 2015 03:22:10 +0000 From: Jim Sanok <***chomp***> Subject: From: Jim Sanok To: ***bigchomp***> MIME-Version: 1.0 Content-Type: text/html; charset="us-ascii" Return-Path: spam.ndr@ndr.800onemail.com X-MS-Exchange-Organization-Network-Message-Id: 9f35001b-446f-46e3-f2f4-08d268777084 X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXutTf;1169700;0;This mail has been scanned by Trend Micro ScanMail for Microsoft Exchange; X-MS-Exchange-Organization-SCL: 0 X-MS-Exchange-Organization-AuthSource: CDBMBCP05.corp.zoetis.com X-MS-Exchange-Organization-AuthAs: Anonymous
  2. I ran this at least 4 times. It would not complete and it would stop working after a period of time. This ran 7 hours last night and wouldn't get past 95%. This is the finished log at 95%. Please let me know how you would like me to proceed from here. Thank you, Aileenlog.txt
  3. Thank you, I will read that. I haven't executed your last command yet. What do you want me to do about virus / spyware? Now or later
  4. It is my husbands laptop and I am cleaning it up for him and putting on antivirus and anti spyware based on your recommendation. It doesn't matter to me if I install the protection software now or after its clean. That direction will come from you. If I have to disable the software to run all of your programs and the wifi is always off and the computer is not being used otherwise does it matter when I install the antivirus and anti spyware programs? Do you know why/how the cryptowall 3.0 would run again on 4/17 after the 3/31 attack if I am not looking at or opening email on that laptop? I turned on the wifi to download combofix, to execute your recommendations, and to download the fixlist? Can Cryptowall survivor on the backup external drive? As far as I knew that drive was isolated and never showed any activity from the 3/31 attack. It started to show the help_decrypt files when I plugged it into the laptop onthe morning of 4/16. I turned the wifi off and the encryption of files seemed to stop progressing alphabetically through the folders on that drive. I deleted all the folders that were encrypted (thankfully it did not get to the VIP backup folders) I need to protect the remaining folders on that drive and am striving to better understand how to manage and protect 17 years of my husbands backup data on the backup drive since the entire laptop was encrypted by cryptowall and everything on the laptop was lost. I also need to clean and protect his current files on the laptop going forward. I am very nervous having only one copy of the backup files on the external drive and the external drive having been attacked and stopped mid attack. Therefore, 1) need to clean and set up antivirus and anti spyware protection on the laptop 2) need to clean and protect data on backup drive 3) would like to get a simple better understanding of cryptowall 3.0 4)need some antivirus antispyware recommendations to protect whole house of machines In my house, among husband, myself and kids we have about 6 computers connected to the wifi and a wireless type of network that includes wifi printing. We have various thumb drives we are using to manage until main laptop is usable and we have a few external hard drives and a new western digital mycloud EX2, personal cloud storage high performance NAS that is set up but not yet connected to the Internet. Thank you! Aileen
  5. Thank you! There are a few questions I have first. Am I plugging in the external hard drive and running this on the laptop and external drive? Unfortunately, this laptop has no protection software installed at all. I would like a suggestion there. I have only been manually using the free malewarebytes on a weekly basis. Are you able to explain anything about cryptowall? I'm afraid to do anything on any drive/computer wondering if this is in my home wireless network free to unleash into anybody's connected computer. I don't understand how it is still on my laptop after everything we did. Thank you!
  6. Well after I sent you the last report, cryptowall executed itself on that laptop again. Cryptowall has now attacked that computer on 3/31 and then again 4/17. I basically turn on the wifi on the laptop, look for your replies and execute your instructions and then turn the wifi off again. With the exception of plugging in the external portable drive yesterday ( cryptowall starting running through those files on the external hard drive yesterday morning, I turned off the wifi and it seemed to stop running through that drive. I deleted the help_decrypt files from the external drive when it was plugged into the laptop then emptied the recycle bin on the laptop) and downloading combo fix and your fixlist.txt I have not downloaded anything on this laptop in days. As I look at the laptop from this afternoon, I sent you the fix file at 1:22. There are the help_decrypt files time stamped at 1:31 today and help_decrypt files at 2:00. If I look in the download folder I see cryptowall files downloaded at 1:30 today. I don't understand much about cryptowall, where it came from, where it hides, how and when it executes how long it stays dormant on the computer, etc. What should we do now?
  7. combofix log 4-16-15.txtFRST.txtAddition.txt Please find the latest files attached. If you are recommending that I download any programs in the next step please advise what I should do with that program if I already have it installed on my computer. Thank you! Aileen
  8. I figured that was the case when I looked at the versions. I already downloaded a new one : ) I am about to run frst and will send you both logs shortly. Thank you!
  9. Thank you! If I already have combo fix downloaded from November 2014 do I need to download it again? I have the wifi turned off as the cryptowall continues to try to infect any drives plugged into that computer. I accidentally plugged in my back up drive and cryptowall methodically started to infect my backup folders in order they are listed. I have deleted the infected files but am now unsure as to the safety and security of my external backup drive that has 15 years of data on it. Therefore my questions are 1) do I need new combo fix or can the old one be used? 2) what do I do with my external back up portable drive? Thank you! Aileen
  10. This computer seems to be seriously infected. It is very slow, unresponsive and unpredictable. Please help! Thank you! Aileen FRST.txtAddition.txtmbam protection log.txtmbam scan log.txt
  11. I've previously used your forum successfully, and went to the final post which said that if I had problems again to send a message to a moderator with a link of my previous forum. The response I received was that the old post was closed therefore I am starting a new one. I am unable to download anything to this computer but I already had the farbar recovery scan tool downloaded and used in my previous troubles. However, since I have run this already I will not have the addition.txt because that only runs the first time you execute that file. Thank you! Aileen Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015 Ran by James (administrator) on THOR on 12-03-2015 10:19:59 Running from C:\Users\James\Desktop\Malware issues\Jim malware issues 2014 Loaded Profiles: James & UpdatusUser (Available profiles: James & UpdatusUser) Platform: Microsoft Windows 7 Home Premium Service Pack 1 (X86) OS Language: English (United States) Internet Explorer Version 11 (Default browser: IE) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Macrovision) C:\Windows\System32\drivers\CDAC11BA.EXE () C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe () C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe (Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe (AOL Inc.) C:\Program Files\Common Files\AOL\1297912128\ee\aolsoftware.exe (Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE (Akamai Technologies, Inc.) C:\Users\James\AppData\Local\Akamai\netsession_win.exe (Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe (Akamai Technologies, Inc.) C:\Users\James\AppData\Local\Akamai\netsession_win.exe (Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe (Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [HostManager] => C:\Program Files\Common Files\AOL\1297912128\ee\AOLSoftware.exe [41800 2010-03-08] (AOL Inc.) HKLM\...\Run: [intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [3775800 2014-02-27] (Intuit Inc. All rights reserved.) HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch HKU\S-1-5-21-1040828958-109840045-445669881-1000\...\Run: [steam] => C:\Program Files\Steam\Steam.exe [1940160 2014-11-18] (Valve Corporation) HKU\S-1-5-21-1040828958-109840045-445669881-1000\...\Run: [Akamai NetSession Interface] => C:\Users\James\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-30] (Akamai Technologies, Inc.) HKU\S-1-5-21-1040828958-109840045-445669881-1000\...\Run: [skype] => C:\Program Files\Skype\Phone\Skype.exe [18643560 2013-03-01] (Skype Technologies S.A.) HKU\S-1-5-21-1040828958-109840045-445669881-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [878592 2010-11-20] (Microsoft Corporation) HKU\S-1-5-21-1040828958-109840045-445669881-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks! ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll (Autodesk, Inc.) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKU\S-1-5-21-1040828958-109840045-445669881-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome HKU\S-1-5-21-1040828958-109840045-445669881-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2014-12-03] (Adobe Systems Incorporated) BHO: PodcastBHO Class -> {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} -> C:\Program Files\Common Files\doubleTwist\IEPodcastPlugin.dll [2010-12-07] (doubleTwist Corporation) BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.) BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation) DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://wyethclassroom.webex.com/client/WBXclient-T28L10NSP12EP16-17634/training/ieatgpc1.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll [2014-06-26] (Intuit, Inc.) Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.dll No File [] Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.dll No File [] Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-04] (Microsoft Corporation) Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies) Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.) Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 Tcpip\..\Interfaces\{1AFDA97E-EFFA-45D7-A1DA-CD03B267FAF9}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8 Tcpip\..\Interfaces\{2DCBA3A8-2D53-4D1A-9C71-35970FB1D7EF}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8 Tcpip\..\Interfaces\{4C28E53F-A8F7-468A-AF5E-74EDA72B9E84}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8 Tcpip\..\Interfaces\{651D7744-7C1E-42B9-B3AC-FB7A9CB69FF5}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8 Tcpip\..\Interfaces\{7171D91B-BE73-4C30-918E-4F9CD4339C02}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8 FireFox: ======== FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google) FF Plugin: @microsoft.com/GENUINE -> disabled No File FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation) FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation) FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation) FF Plugin: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation) FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-05-12] (NVIDIA Corporation) FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-05-12] (NVIDIA Corporation) FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-08] (Google Inc.) FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-08] (Google Inc.) FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.) FF Plugin HKU\S-1-5-21-1040828958-109840045-445669881-1000: @doubletwist.com/NPPodcast -> C:\Program Files\Common Files\doubleTwist\NPPodcast.dll [2010-12-07] (doubleTwist Corporation) FF Plugin HKU\S-1-5-21-1040828958-109840045-445669881-1000: @tools.google.com/Google Update;version=3 -> C:\Users\James\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll No File FF Plugin HKU\S-1-5-21-1040828958-109840045-445669881-1000: @tools.google.com/Google Update;version=9 -> C:\Users\James\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll No File ========================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) S3 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46640 2006-10-23] (AOL LLC) R2 C-DillaCdaC11BA; C:\Windows\system32\drivers\CDAC11BA.EXE [54784 2011-07-06] (Macrovision) [File not signed] R2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [202048 2010-09-07] () R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2014-06-26] (Intuit) [File not signed] S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2013-10-10] (Intuit Inc.) [File not signed] R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-08-19] (Intuit Inc.) [File not signed] S3 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [69632 2007-04-13] (MicroVision Development, Inc.) [File not signed] R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation) ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.) R2 CdaC15BA; C:\Windows\system32\drivers\CDAC15BA.SYS [12464 2011-07-06] (Macrovision Europe Ltd) [File not signed] S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV32.sys [105984 2009-10-27] (QUALCOMM Incorporated) R2 iPodDrv; C:\Windows\system32\drivers\iPodDrv.sys [6656 2011-04-14] (Windows ® Codename Longhorn DDK provider) [File not signed] S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-02-08] (Malwarebytes Corporation) S3 motandroidusb; C:\Windows\System32\Drivers\motoandroid.sys [25856 2009-07-10] (Motorola) S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDA.sys [535040 2008-05-14] (eMPIA Technology, Inc.) S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEM.sys [286208 2008-05-14] (eMPIA Technology, Inc.) R3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-29] (America Online, Inc.) U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation) S3 catchme; \??\C:\Users\James\AppData\Local\Temp\catchme.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2015-03-10 17:36 - 2015-02-02 23:12 - 01230848 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll 2015-03-10 17:30 - 2015-02-25 23:11 - 02381312 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys 2015-03-10 17:30 - 2015-02-23 22:32 - 00342696 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2015-03-10 17:30 - 2015-02-20 20:41 - 12827648 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2015-03-10 17:30 - 2015-02-20 20:27 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2015-03-10 17:30 - 2015-02-20 20:27 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2015-03-10 17:30 - 2015-02-20 20:25 - 19720192 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2015-03-10 17:30 - 2015-02-20 19:32 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2015-03-10 17:30 - 2015-02-19 22:22 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2015-03-10 17:30 - 2015-02-19 22:22 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2015-03-10 17:30 - 2015-02-19 22:09 - 00503296 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2015-03-10 17:30 - 2015-02-19 22:08 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2015-03-10 17:30 - 2015-02-19 22:08 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2015-03-10 17:30 - 2015-02-19 22:06 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll 2015-03-10 17:30 - 2015-02-19 22:03 - 02278400 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2015-03-10 17:30 - 2015-02-19 22:01 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2015-03-10 17:30 - 2015-02-19 22:00 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2015-03-10 17:30 - 2015-02-19 21:58 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2015-03-10 17:30 - 2015-02-19 21:56 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2015-03-10 17:30 - 2015-02-19 21:56 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2015-03-10 17:30 - 2015-02-19 21:56 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2015-03-10 17:30 - 2015-02-19 21:50 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2015-03-10 17:30 - 2015-02-19 21:41 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2015-03-10 17:30 - 2015-02-19 21:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2015-03-10 17:30 - 2015-02-19 21:30 - 04300288 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2015-03-10 17:30 - 2015-02-19 21:24 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2015-03-10 17:30 - 2015-02-19 21:24 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2015-03-10 17:30 - 2015-02-19 21:24 - 00684544 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2015-03-10 17:30 - 2015-02-19 21:23 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll 2015-03-10 17:30 - 2015-02-19 21:01 - 01888256 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2015-03-10 17:30 - 2015-02-19 20:57 - 01311232 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2015-03-10 17:30 - 2015-02-19 20:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2015-03-10 17:30 - 2015-02-13 01:26 - 12875264 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll 2015-03-10 17:30 - 2015-01-16 22:30 - 00828928 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll 2015-03-10 17:28 - 2015-03-06 01:15 - 00137656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys 2015-03-10 17:28 - 2015-03-06 01:10 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll 2015-03-10 17:28 - 2015-03-06 01:10 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll 2015-03-10 17:28 - 2015-02-20 00:13 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll 2015-03-10 17:28 - 2015-02-20 00:13 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll 2015-03-10 17:28 - 2015-02-20 00:13 - 00026624 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll 2015-03-10 17:28 - 2015-02-20 00:13 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll 2015-03-10 17:28 - 2015-02-19 23:09 - 00299008 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll 2015-03-10 17:28 - 2015-02-02 23:12 - 00171520 _____ (Microsoft Corporation) C:\Windows\system32\ubpm.dll 2015-03-10 17:27 - 2015-03-06 01:15 - 00067512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys 2015-03-10 17:27 - 2015-03-06 01:10 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll 2015-03-10 17:27 - 2015-03-06 01:10 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll 2015-03-10 17:27 - 2015-03-06 01:10 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll 2015-03-10 17:27 - 2015-03-06 01:10 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll 2015-03-10 17:27 - 2015-03-06 01:10 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll 2015-03-10 17:27 - 2015-03-06 01:10 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll 2015-03-10 17:27 - 2015-03-06 01:10 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll 2015-03-10 17:27 - 2015-03-06 01:10 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll 2015-03-10 17:27 - 2015-03-06 01:10 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll 2015-03-10 17:27 - 2015-03-06 01:09 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe 2015-03-10 17:27 - 2015-03-06 01:09 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe 2015-03-10 17:27 - 2015-03-06 01:07 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll 2015-03-10 17:27 - 2015-03-06 01:07 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll 2015-03-10 17:27 - 2015-03-06 01:06 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll 2015-03-10 17:27 - 2015-02-03 22:54 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll 2015-03-10 17:27 - 2015-02-02 23:16 - 03973048 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe 2015-03-10 17:27 - 2015-02-02 23:16 - 03917760 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe 2015-03-10 17:27 - 2015-02-02 23:16 - 00078784 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys 2015-03-10 17:27 - 2015-02-02 23:12 - 11411968 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 03209728 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 01329664 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 01174528 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 01005056 _____ (Microsoft Corporation) C:\Windows\system32\cryptui.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00988160 _____ (Microsoft Corporation) C:\Windows\system32\drmv2clt.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00744960 _____ (Microsoft Corporation) C:\Windows\system32\blackbox.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00617984 _____ (Microsoft Corporation) C:\Windows\system32\wmdrmsdk.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00519680 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msscp.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00406016 _____ (Microsoft Corporation) C:\Windows\system32\drmmgrtn.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00354816 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00265216 _____ (Microsoft Corporation) C:\Windows\system32\msnetobj.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00157184 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00103936 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00103424 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\cryptsp.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe 2015-03-10 17:27 - 2015-02-02 23:12 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\pcadm.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00027648 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll 2015-03-10 17:27 - 2015-02-02 23:12 - 00008192 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll 2015-03-10 17:27 - 2015-02-02 23:11 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe 2015-03-10 17:27 - 2015-02-02 23:11 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe 2015-03-10 17:27 - 2015-02-02 23:11 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe 2015-03-10 17:27 - 2015-02-02 23:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe 2015-03-10 17:27 - 2015-02-02 23:11 - 00023040 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe 2015-03-10 17:27 - 2015-02-02 23:11 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe 2015-03-10 17:27 - 2015-02-02 23:11 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\pcawrk.exe 2015-03-10 17:27 - 2015-02-02 23:11 - 00008192 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe 2015-03-10 17:27 - 2015-02-02 23:00 - 00593920 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\PEAuth.sys 2015-03-10 17:27 - 2015-02-02 22:26 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys 2015-03-10 17:27 - 2015-01-30 19:56 - 00370488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys 2015-03-10 17:27 - 2014-10-31 18:22 - 00521384 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe 2015-03-10 17:27 - 2014-06-27 20:21 - 00455752 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe 2015-03-10 17:27 - 2014-06-27 20:21 - 00409272 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll 2015-03-10 17:26 - 2015-02-02 23:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx 2015-03-10 17:26 - 2015-02-02 23:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll 2015-03-10 17:26 - 2015-02-02 23:11 - 12625408 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL 2015-03-10 17:26 - 2015-02-02 23:10 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\pcaevts.dll 2015-03-10 17:26 - 2015-02-02 23:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll 2015-03-10 17:26 - 2015-02-02 23:08 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll 2015-03-06 17:52 - 2015-03-06 17:52 - 00000000 ____D () C:\Users\James\Desktop\sylvan Lake CC 2015-03-05 15:52 - 2015-03-05 16:57 - 01510977 _____ () C:\Users\James\Desktop\141205 Taconic Tennis.skb 2015-03-03 17:38 - 2015-01-08 19:44 - 00419936 _____ () C:\Windows\system32\locale.nls 2015-03-03 09:39 - 2015-01-08 22:48 - 00635904 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll 2015-03-03 09:39 - 2015-01-08 22:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll 2015-03-03 09:39 - 2015-01-08 22:48 - 00027136 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll 2015-02-20 08:27 - 2015-02-20 08:30 - 00000000 ____D () C:\Users\James\Desktop\150220 jims camera 2015-02-14 13:54 - 2015-02-14 13:54 - 01898496 _____ () C:\Users\James\Desktop\Jim SDG Finances (Portable).QBM 2015-02-11 11:28 - 2015-02-11 11:53 - 00093696 _____ () C:\Users\James\Desktop\comm specialist x-photo.VSL 2015-02-11 11:16 - 2015-02-11 11:16 - 00131072 _____ () C:\Windows\Minidump\021115-42167-01.dmp 2015-02-11 10:50 - 2015-02-03 22:54 - 00482304 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll 2015-02-11 10:50 - 2015-02-03 22:53 - 00767488 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll 2015-02-11 10:50 - 2015-02-03 22:53 - 00621056 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll 2015-02-11 10:50 - 2015-02-03 22:53 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll 2015-02-11 10:50 - 2015-02-03 22:53 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll 2015-02-11 10:50 - 2015-02-03 22:53 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll 2015-02-11 10:50 - 2015-02-03 22:49 - 00886784 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll 2015-02-11 10:50 - 2015-01-27 19:36 - 01167520 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe 2015-02-11 10:50 - 2014-11-25 23:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll 2015-02-11 10:50 - 2014-10-03 21:42 - 03221504 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll 2015-02-11 10:50 - 2014-10-03 21:42 - 00131584 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll 2015-02-11 10:49 - 2014-12-07 22:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2015-03-12 10:20 - 2014-11-18 21:49 - 00000000 ____D () C:\FRST 2015-03-12 10:18 - 2011-02-16 22:10 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI 2015-03-12 10:16 - 2011-03-18 08:13 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2015-03-12 10:15 - 2014-02-08 22:12 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2015-03-12 10:15 - 2014-01-30 17:05 - 00000000 ____D () C:\Users\James\AppData\Roaming\Skype 2015-03-12 10:15 - 2011-03-18 08:13 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2015-03-12 10:15 - 2011-02-24 10:14 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1040828958-109840045-445669881-1000UA.job 2015-03-12 10:15 - 2011-02-16 23:41 - 01090467 _____ () C:\Windows\WindowsUpdate.log 2015-03-11 20:08 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache 2015-03-11 19:17 - 2014-11-30 23:50 - 21532672 ____R () C:\Users\James\Desktop\Jim SDG Finances.QBW 2015-03-11 19:17 - 2014-11-30 23:50 - 00327680 ____R () C:\Users\James\Desktop\Jim SDG Finances.QBW.TLG 2015-03-11 19:17 - 2014-11-30 23:50 - 00000345 _____ () C:\Users\James\Desktop\Jim SDG Finances.QBW.ND 2015-03-11 19:01 - 2014-03-14 08:43 - 00000000 ____D () C:\Users\James\Desktop\QuickBooksAutoDataRecovery 2015-03-11 18:49 - 2009-07-14 00:34 - 00022592 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2015-03-11 18:49 - 2009-07-14 00:34 - 00022592 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2015-03-11 18:43 - 2014-11-12 20:14 - 00000000 ____D () C:\Users\James\AppData\Local\CrashDumps 2015-03-11 18:43 - 2011-04-25 16:41 - 00000000 ____D () C:\Program Files\Steam 2015-03-11 18:41 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2015-03-11 18:41 - 2009-07-14 00:39 - 00068840 _____ () C:\Windows\setupact.log 2015-03-11 18:40 - 2011-10-10 09:05 - 00000000 ____D () C:\ProgramData\NVIDIA 2015-03-10 18:54 - 2009-07-14 00:33 - 00419744 _____ () C:\Windows\system32\FNTCACHE.DAT 2015-03-10 18:46 - 2012-01-22 18:55 - 00000000 ____D () C:\ProgramData\Microsoft Help 2015-03-10 17:11 - 2013-08-14 10:27 - 00000000 ____D () C:\Windows\system32\MRT 2015-03-10 17:04 - 2011-02-17 09:16 - 119837696 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2015-03-10 15:44 - 2011-02-24 10:14 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1040828958-109840045-445669881-1000Core.job 2015-03-10 14:16 - 2012-03-08 08:59 - 00000000 ____D () C:\Users\James\Desktop\Sanok Home Stuff 2015-03-05 17:45 - 2014-12-05 18:50 - 01524159 _____ () C:\Users\James\Desktop\141205 Taconic Tennis.skp 2015-03-04 09:12 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\tracing 2015-03-03 16:26 - 2014-01-31 10:28 - 00372224 ___SH () C:\Users\James\Desktop\Thumbs.db 2015-02-24 04:23 - 2011-02-16 22:22 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe 2015-02-17 17:16 - 2014-01-28 20:54 - 00000000 ____D () C:\Users\James\AppData\Local\Windows Live 2015-02-12 09:27 - 2014-12-12 11:25 - 00000000 ____D () C:\Windows\system32\appraiser 2015-02-12 09:27 - 2014-05-16 10:34 - 00000000 ___SD () C:\Windows\system32\CompatTel 2015-02-11 17:01 - 2014-11-30 23:50 - 00000000 ____D () C:\Users\James\Desktop\Jim SDG Finances.QBW.SearchIndex 2015-02-11 13:01 - 2011-08-25 10:38 - 00000000 ____D () C:\Users\Public\Documents\Visual 2015-02-11 11:16 - 2012-01-16 16:17 - 304725507 _____ () C:\Windows\MEMORY.DMP 2015-02-11 11:16 - 2011-05-25 17:36 - 00000000 ____D () C:\Windows\Minidump ==================== Files in the root of some directories ======= 2013-05-13 06:30 - 2013-05-13 06:30 - 0000288 _____ () C:\Users\James\AppData\Roaming\.backup.dm 2011-04-25 19:17 - 2011-10-10 08:14 - 0027335 _____ () C:\Users\James\AppData\Roaming\nvModes.001 2011-04-25 19:17 - 2011-09-28 22:08 - 0027335 _____ () C:\Users\James\AppData\Roaming\nvModes.dat 2014-11-06 10:09 - 2014-11-25 13:29 - 0036476 _____ () C:\Users\James\AppData\Roaming\QBFileDrTool.log 2014-11-12 05:54 - 2014-11-12 05:54 - 0007605 _____ () C:\Users\James\AppData\Local\Resmon.ResmonCfg 2011-05-21 16:03 - 2011-05-21 16:03 - 0000000 _____ () C:\Users\James\AppData\Local\{C8D2E532-DB84-4E98-A9AF-71E708B0EF2B} 2011-07-05 15:54 - 2011-07-05 15:54 - 0000000 _____ () C:\Users\James\AppData\Local\{F25D8228-609A-4BB3-8B2E-AFAE4C85FF8D} 2011-02-21 14:15 - 2011-02-21 14:15 - 0000127 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\explorer.exe => File is digitally signed C:\Windows\system32\winlogon.exe => File is digitally signed C:\Windows\system32\wininit.exe => File is digitally signed C:\Windows\system32\svchost.exe => File is digitally signed C:\Windows\system32\services.exe => File is digitally signed C:\Windows\system32\User32.dll => File is digitally signed C:\Windows\system32\userinit.exe => File is digitally signed C:\Windows\system32\rpcss.dll => File is digitally signed C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2015-03-05 11:39 ==================== End Of Log ============================
  12. I am glad you had a nice Thanksgiving! Thanks for all of your help! I will try the above steps this weekend. Do you know when the computer was infected with cryptowall so I know how far back to try? Thanks!
  13. Please find requested information attached. Thank you! Aileen Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 12/4/2014 Scan Time: 1:49:52 PM Logfile: log 12-4.txt Administrator: Yes Version: 2.00.4.1028 Malware Database: v2014.12.04.08 Rootkit Database: v2014.12.03.01 License: Free Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled OS: Windows XP Service Pack 3 CPU: x86 File System: NTFS User: James Scan Type: Threat Scan Result: Completed Objects Scanned: 369182 Time Elapsed: 1 hr, 18 min, 12 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 2 PUP.Optional.DefaultTab.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DefaultTab, , [7ff8d18daece5dd9714492b44bb87987], PUP.Optional.DefaultTab.A, HKU\S-1-5-21-1390067357-1303643608-725345543-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DefaultTab, , [5423f965b4c8f2444a6b59ed649f04fc], Registry Values: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Folders: 0 (No malicious items detected) Files: 0 (No malicious items detected) Physical Sectors: 0 (No malicious items detected) (end) RKreport_SCN_12052014_090840.log
  14. I hope you had a nice Thanksgiving too! Much better than it ever has! Thank you! Are we ready to try to go back in time for an attempt to recover my hijacked files?
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.