Ransomware


Looks like I have been hit by something like the DoJ ransomware, with the addition that it took a majority of my files, added .html to them, and they are now encrypted. It's time for a full reformat and reinstall of Win 7, so as long as it's not hiding on my other drives, all I care about is whether I can recover these files or if they are fully lost to me.


OK, well, since I never found the initial infected file they couldn't help, so it looks like I will need your help for this. I did a lot of searching trying to find information on this using the info provided in the scam site that comes up whenever I try to open the corrupted files, but I could find nothing that was the same as what I had, and since it got past Malwarebytes and NIS I am assuming this is something new? Could screenshots of the site help you any? Again, I am planning to reformat my computer after I recover these files or not, so we only need to focus on finding the infected file so I can send it off to DrWeb. As always, thank you for your assistance.

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16483 BrowserJavaVersion: 10.21.2

Run by Hellfire at 11:22:39 on 2013-05-15

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6142.2329 [GMT -7:00]

.

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\SysWOW64\XSrvSetup.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\ccSvcHst.exe

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

D:\Steam\Steam.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

C:\Windows\system32\java.exe

D:\Steam\steamapps\common\Terraria\TerrariaServer.exe

C:\Program Files (x86)\PowerISO\PWRISOVM.EXE

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\ccSvcHst.exe

C:\Program Files (x86)\Common Files\Steam\SteamService.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\taskhost.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe

C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://us.blizzard.com/en-us/

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\coieplg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\ips\ipsbho.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\coieplg.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\coieplg.dll

uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

uRun: [steam] "D:\Steam\Steam.exe" -silent

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe

mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [instaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\Users\Hellfire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip

StartupFolder: C:\Users\Hellfire\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MINECR~1.LNK - C:\Users\Hellfire\AppData\Roaming\.minecraft\Multiplayer\Server.bat

StartupFolder: C:\Users\Hellfire\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PS3MED~1.LNK - C:\Program Files (x86)\PS3 Media Server\PMS.exe

StartupFolder: C:\Users\Hellfire\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TERRAR~1.LNK - D:\Steam\steamapps\common\Terraria\Terrariaserver.bat

uPolicies-Explorer: NoDrives = dword:0

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

TCP: NameServer = 192.168.2.1

TCP: Interfaces\{7076D7A2-2FFA-4CD9-ABA6-6FD5AD8A59B4} : DHCPNameServer = 192.168.2.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-DPF: {BAD4FE2C-503B-45CC-88CD-4B0574057D11} - hxxp://clients.futuremark.com/calico/systeminfodeploy/FMSI_v415.cab

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Hellfire\AppData\Roaming\Mozilla\Firefox\Profiles\g1ijgwmp.default\

FF - prefs.js: browser.startup.homepage - hxxp://us.blizzard.com/en-us/

FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll

FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll

FF - plugin: C:\Users\Hellfire\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1403010.016\symds64.sys [2013-4-15 493656]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1403010.016\symefa64.sys [2013-4-15 1139800]

R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2013-2-26 39768]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130502.001\BHDrvx64.sys [2013-5-7 1390680]

R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\drivers\NISx64\1403010.016\ccsetx64.sys [2013-4-15 168096]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130514.001\IDSviA64.sys [2013-5-14 513184]

R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1403010.016\ironx64.sys [2013-4-15 224416]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1403010.016\symnets.sys [2013-4-15 432800]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]

R2 JMB36X;JMB36X;C:\Windows\SysWOW64\XSrvSetup.exe [2012-11-5 65536]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-27 418376]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-27 701512]

R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\ccsvchst.exe [2013-4-15 144520]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-3-2 138912]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-2-27 25928]

R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2009-9-25 73728]

R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2009-9-25 178688]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-11-5 239616]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]

S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2013-3-10 137488]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-5-13 19456]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-5-13 57856]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-11-6 1255736]

S4 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [2013-2-26 968880]

.

=============== Created Last 30 ================

.

2013-05-15 15:39:12 -------- d-----w- C:\Users\Hellfire\AppData\Roaming\BitTorrent

2013-05-15 10:01:31 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-05-15 10:01:31 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2013-05-14 22:19:15 -------- d-----w- C:\Users\Hellfire\AppData\Local\Amazon

2013-05-14 22:19:09 -------- d-----w- C:\Program Files (x86)\Amazon

2013-05-13 21:21:26 3072 ----a-w- C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui

2013-05-13 21:20:56 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll

2013-05-13 21:20:56 366592 ----a-w- C:\Windows\System32\qdvd.dll

2013-05-13 21:20:55 340992 ----a-w- C:\Windows\System32\schannel.dll

2013-05-13 21:20:55 247808 ----a-w- C:\Windows\SysWow64\schannel.dll

2013-05-13 21:20:54 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll

2013-05-13 21:20:54 458712 ----a-w- C:\Windows\System32\drivers\cng.sys

2013-05-13 21:20:54 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2013-05-13 21:20:54 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2013-05-13 21:20:54 1448448 ----a-w- C:\Windows\System32\lsasrv.dll

2013-05-13 21:08:23 -------- d-----w- C:\Program Files (x86)\ElcomSoft

2013-05-13 17:53:04 -------- d-----w- C:\Users\Hellfire\AppData\Local\Primary Interop Assemblies

2013-05-07 02:26:34 -------- d-----w- C:\Users\Hellfire\AppData\Roaming\.mono

2013-04-26 22:09:14 -------- d-----w- C:\Users\Hellfire\AppData\Roaming\StarDrive

2013-04-26 02:55:32 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-04-23 23:26:55 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2013-04-20 21:58:10 -------- d-----w- C:\Program Files (x86)\Combined Community Codec Pack

2013-04-17 00:39:19 -------- d-----w- C:\Users\Hellfire\AppData\Roaming\SPORE

2013-04-16 01:17:07 432800 ----a-w- C:\Windows\System32\drivers\NISx64\1403010.016\symnets.sys

2013-04-16 01:17:06 796248 ----a-w- C:\Windows\System32\drivers\NISx64\1403010.016\srtsp64.sys

2013-04-16 01:17:06 493656 ----a-w- C:\Windows\System32\drivers\NISx64\1403010.016\symds64.sys

2013-04-16 01:17:06 36952 ----a-w- C:\Windows\System32\drivers\NISx64\1403010.016\srtspx64.sys

2013-04-16 01:17:06 23448 ----a-r- C:\Windows\System32\drivers\NISx64\1403010.016\symelam.sys

2013-04-16 01:17:06 224416 ----a-w- C:\Windows\System32\drivers\NISx64\1403010.016\ironx64.sys

2013-04-16 01:17:06 168096 ----a-w- C:\Windows\System32\drivers\NISx64\1403010.016\ccsetx64.sys

2013-04-16 01:17:06 1139800 ----a-w- C:\Windows\System32\drivers\NISx64\1403010.016\symefa64.sys

2013-04-16 01:16:56 -------- d-----w- C:\Windows\System32\drivers\NISx64\1403010.016

.

==================== Find3M ====================

.

2013-05-15 00:24:16 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-15 00:24:16 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll

2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll

2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys

2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys

2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys

2013-04-05 01:08:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2013-04-05 01:00:30 1392128 ----a-w- C:\Windows\System32\wininet.dll

2013-04-05 00:59:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2013-04-05 00:56:16 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2013-04-05 00:55:47 599040 ----a-w- C:\Windows\System32\vbscript.dll

2013-04-04 22:11:34 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2013-04-04 22:02:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2013-04-04 22:02:17 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-04-04 21:58:51 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2013-04-04 21:57:45 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2013-04-04 21:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-03-25 01:09:57 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-03-25 01:09:57 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2013-03-24 19:57:48 0 ----a-w- C:\Program Files (x86)\FallenEnchantress.exe

2013-03-21 07:19:35 108144 ----a-w- C:\Windows\SysWow64\CmdLineExt.dll

2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll

2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll

2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe

2013-03-11 05:52:38 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2013-03-11 05:52:38 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2013-03-10 23:23:13 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0

2013-03-02 01:05:49 121 ----a-w- C:\Windows\DeleteOnReboot.bat

2013-02-27 06:02:44 111448 ----a-w- C:\Windows\System32\consent.exe

2013-02-27 05:48:00 1930752 ----a-w- C:\Windows\System32\authui.dll

2013-02-27 05:47:10 70144 ----a-w- C:\Windows\System32\appinfo.dll

2013-02-27 04:49:24 1796096 ----a-w- C:\Windows\SysWow64\authui.dll

2013-02-27 03:01:38 39768 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys

.

============= FINISH: 11:23:06.89 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 11/5/2012 9:02:24 PM

System Uptime: 5/15/2013 3:25:06 AM (8 hours ago)

.

Motherboard: Gigabyte Technology Co., Ltd. | | X58A-UD3R

Processor: Intel® Core i7 CPU 920 @ 2.67GHz | Socket 1366 | 1596/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 49 GiB total, 9.235 GiB free.

D: is FIXED (NTFS) - 195 GiB total, 39.713 GiB free.

E: is FIXED (NTFS) - 454 GiB total, 8.434 GiB free.

F: is CDROM ()

G: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP199: 5/15/2013 4:14:46 AM - Scheduled Checkpoint

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader XI (11.0.02)

Adobe Shockwave Player 11.6

Amazon Kindle

AMD Accelerated Video Transcoding

AMD APP SDK Runtime

AMD Catalyst Install Manager

AMD Drag and Drop Transcoding

AMD Media Foundation Decoders

Assassin's Creed® III v1.02

Belkin Setup and Router Monitor

Catalyst Control Center

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-utility64

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CDisplayEx 1.8

Combined Community Codec Pack 2013-04-20

Curse Client

Darkout

Defense Grid: The Awakening

Diablo III

Dropbox

Eador Masters of the Broken World

Far Cry 2

Far Cry 3

Futuremark SystemInfo

Gigabyte Raid Cinfigurer

Gnumeric Spreadsheet 1.10.16-20110616

Guild Wars 2

Java 7 Update 21

Java 7 Update 9 (64-bit)

Java Auto Updater

Majesty 2 Collection

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Game Studios Common Redistributables Pack 1

Microsoft Office Excel Viewer

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft XML Parser

Microsoft XNA Framework Redistributable 3.1

Microsoft XNA Framework Redistributable 4.0

Mozilla Firefox 20.0.1 (x86 en-US)

Mozilla Maintenance Service

NEC Electronics USB 3.0 Host Controller Driver

Neverwinter

Norton Internet Security

PowerISO

PS3 Media Server

PunkBuster Services

Realtek Ethernet Controller Driver For Windows Vista and Later

Realtek High Definition Audio Driver

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Skype™ 6.3

SPORE™

SPORE™ Creepy & Cute Parts Pack

SPORE™ Galactic Adventures

StarCraft II

StarDrive

Steam

Supreme Commander

Supreme Commander 2

Supreme Commander: Forged Alliance

swMSM

Terraria

Unity Web Player

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Uplay

Visual Studio 2010 x64 Redistributables

VLC media player 2.0.6

WinRAR 4.20 (64-bit)

World of Warcraft

Yahoo! Messenger

.

==== Event Viewer Messages From Past Week ========

.

5/15/2013 4:05:30 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

5/15/2013 3:26:14 AM, Error: Service Control Manager [7003] - The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.

5/15/2013 3:26:14 AM, Error: Service Control Manager [7003] - The Net.Msmq Listener Adapter service depends the following service: msmq. This service might not be installed.

5/15/2013 3:26:14 AM, Error: Service Control Manager [7001] - The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

5/14/2013 2:24:09 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Haven\Hellfire SID (S-1-5-21-1126144918-1096871225-3139060307-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

5/14/2013 2:23:23 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D3DCB472-7261-43CE-924B-0704BD730D5F} and APPID {D3DCB472-7261-43CE-924B-0704BD730D5F} to the user Haven\Hellfire SID (S-1-5-21-1126144918-1096871225-3139060307-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

5/14/2013 2:23:23 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {145B4335-FE2A-4927-A040-7C35AD3180EF} and APPID {145B4335-FE2A-4927-A040-7C35AD3180EF} to the user Haven\Hellfire SID (S-1-5-21-1126144918-1096871225-3139060307-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

5/13/2013 3:02:06 PM, Error: Service Control Manager [7022] - The Windows Search service hung on starting.

5/13/2013 11:35:10 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

5/13/2013 1:19:02 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

5/13/2013 1:19:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

5/13/2013 1:19:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

5/13/2013 1:18:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

5/13/2013 1:18:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

5/13/2013 1:18:53 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

5/13/2013 1:18:46 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

5/13/2013 1:18:38 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx64 ccSet_NIS DfsC discache eeCtrl IDSVia64 NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr SRTSP SRTSPX SymIM SymIRON SymNetS tdx Wanarpv6 WfpLwf ws2ifsl

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

5/13/2013 1:18:38 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

.

==== End Of File ===========================


Run this scan..........

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforu...isc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
  • Select Command Prompt.
  • Once in the Command Prompt:
      • In the command window type in notepad and press Enter.
      • The notepad opens. Under File menu select Open.
      • Select "Computer" and find your flash drive letter and close the notepad.
      • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
        Note: Replace letter e with the drive letter of your flash drive.
      • The tool will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    MrC


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013

Ran by SYSTEM on 15-05-2013 16:56:55

Running from H:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-21] (Realtek Semiconductor)

HKLM-x32\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-19] ()

HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-09-25] (NEC Electronics Corporation)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [instaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1885088 2012-02-23] (Affinegy, Inc.)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [642808 2012-12-19] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup [337432 2013-01-27] (Power Software Ltd)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)

HKU\Default\...\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]

HKU\Default User\...\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]

HKU\Hellfire\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [6595928 2012-05-25] (Yahoo! Inc.)

HKU\Hellfire\...\Run: [steam] "D:\Steam\Steam.exe" -silent [x]

HKU\Hellfire\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)

Startup: C:\Users\Hellfire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()

Startup: C:\Users\Hellfire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Minecraft Server.lnk

ShortcutTarget: Minecraft Server.lnk -> C:\Users\Hellfire\AppData\Roaming\.minecraft\Multiplayer\Server.bat ()

Startup: C:\Users\Hellfire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PS3 Media Server.lnk

ShortcutTarget: PS3 Media Server.lnk -> C:\Program Files (x86)\PS3 Media Server\PMS.exe (PS3 Media Server)

Startup: C:\Users\Hellfire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terraria Server.lnk

ShortcutTarget: Terraria Server.lnk -> D:\Steam\steamapps\common\Terraria\Terrariaserver.bat (No File)

==================== Services (Whitelisted) =================

S4 AffinegyService; C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe [563104 2012-02-23] (Affinegy, Inc.)

S2 JMB36X; C:\Windows\SysWOW64\XSrvSetup.exe [65536 2009-08-05] ()

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)

S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)

S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\diMaster.dll [554288 2013-03-29] (Symantec Corporation)

S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-12-03] ()

S4 vToolbarUpdater14.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-26] ()

==================== Drivers (Whitelisted) ====================

S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-26] (AVG Technologies)

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130502.001\BHDrvx64.sys [1390680 2013-04-12] (Symantec Corporation)

S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-18] (Symantec Corporation)

S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-02-26] (Symantec Corporation)

S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130515.001\IDSvia64.sys [513184 2012-11-03] (Symantec Corporation)

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\VirusDefs\20130515.003\ENG64.SYS [126192 2013-02-26] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\VirusDefs\20130515.003\EX64.SYS [2087664 2013-02-26] (Symantec Corporation)

S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2012-11-05] (Symantec Corporation)

S1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [43680 2012-09-06] (Symantec Corporation)

S3 catchme; \??\C:\ComboFix\catchme.sys [x]

S1 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1403010.016\ccSetx64.sys [x]

S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [x]

S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]

S3 gdrv; \??\C:\Windows\gdrv.sys [x]

S1 SRTSP; \SystemRoot\System32\Drivers\NISx64\1403010.016\SRTSP64.SYS [x]

S1 SRTSPX; \SystemRoot\system32\drivers\NISx64\1403010.016\SRTSPX64.SYS [x]

S0 SymDS; system32\drivers\NISx64\1403010.016\SYMDS64.SYS [x]

S0 SymEFA; system32\drivers\NISx64\1403010.016\SYMEFA64.SYS [x]

S1 SymIRON; \SystemRoot\system32\drivers\NISx64\1403010.016\Ironx64.SYS [x]

S1 SymNetS; \SystemRoot\System32\Drivers\NISx64\1403010.016\SYMNETS.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-15 16:56 - 2013-05-15 16:56 - 00000000 ____D C:\FRST

2013-05-15 15:30 - 2013-05-15 15:30 - 00000318 ____A C:\Users\Hellfire\Desktop\Curse Client.appref-ms

2013-05-15 14:05 - 2013-05-15 14:05 - 01877416 ____A (Farbar) C:\Users\Hellfire\Desktop\FRST64.exe

2013-05-15 10:18 - 2013-05-15 10:18 - 00688992 ____R (Swearware) C:\Users\Hellfire\Desktop\dds.scr

2013-05-15 02:01 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 02:01 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 02:01 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 02:01 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 02:00 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 02:00 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 02:00 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 02:00 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 02:00 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-15 02:00 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-15 02:00 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 02:00 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-15 02:00 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 02:00 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-15 02:00 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 02:00 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 02:00 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-15 02:00 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 02:00 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 02:00 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 02:00 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-05-15 02:00 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 02:00 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 02:00 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-05-15 02:00 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 02:00 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 02:00 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-05-15 02:00 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-05-15 02:00 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 02:00 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 02:00 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-05-15 02:00 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-14 14:19 - 2013-05-14 14:22 - 00000000 ____D C:\Users\Hellfire\Documents\My Kindle Content

2013-05-14 14:19 - 2013-05-14 14:19 - 00001998 ____A C:\Users\Hellfire\Desktop\Kindle.lnk

2013-05-14 14:19 - 2013-05-14 14:19 - 00000000 ____D C:\Users\Hellfire\AppData\Local\Amazon

2013-05-14 14:19 - 2013-05-14 14:19 - 00000000 ____D C:\Program Files (x86)\Amazon

2013-05-14 13:13 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-14 13:13 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-14 13:13 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-14 13:13 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-14 13:13 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-14 13:13 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-14 13:13 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-14 13:13 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-14 13:13 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-14 13:13 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-14 13:13 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-14 13:13 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-14 13:13 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-14 13:13 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-13 13:21 - 2012-08-23 06:13 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\rdpudd.dll

2013-05-13 13:21 - 2012-08-23 06:10 - 00019456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpvideominiport.sys

2013-05-13 13:21 - 2012-08-23 06:07 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\TsUsbFlt.sys

2013-05-13 13:21 - 2012-08-23 05:47 - 00046592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll

2013-05-13 13:21 - 2012-08-23 05:46 - 00016896 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll

2013-05-13 13:21 - 2012-08-23 05:41 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe

2013-05-13 13:21 - 2012-08-23 05:40 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll

2013-05-13 13:21 - 2012-08-23 05:24 - 00015360 ____A (Microsoft Corporation) C:\Windows\System32\RdpGroupPolicyExtension.dll

2013-05-13 13:21 - 2012-08-23 05:20 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\MsRdpWebAccess.dll

2013-05-13 13:21 - 2012-08-23 05:18 - 00037376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll

2013-05-13 13:21 - 2012-08-23 05:17 - 00018432 ____A (Microsoft Corporation) C:\Windows\System32\wksprtPS.dll

2013-05-13 13:21 - 2012-08-23 05:06 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\TsUsbGDCoInstaller.dll

2013-05-13 13:21 - 2012-08-23 04:52 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll

2013-05-13 13:21 - 2012-08-23 03:20 - 00062976 ____A (Microsoft Corporation) C:\Windows\System32\TSWbPrxy.exe

2013-05-13 13:21 - 2012-08-23 03:15 - 00269312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll

2013-05-13 13:21 - 2012-08-23 03:14 - 00384000 ____A (Microsoft Corporation) C:\Windows\System32\wksprt.exe

2013-05-13 13:21 - 2012-08-23 03:12 - 00192000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpendp_winip.dll

2013-05-13 13:21 - 2012-08-23 02:54 - 00322560 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll

2013-05-13 13:21 - 2012-08-23 02:51 - 00228864 ____A (Microsoft Corporation) C:\Windows\System32\rdpendp_winip.dll

2013-05-13 13:21 - 2012-08-23 02:39 - 01048064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe

2013-05-13 13:21 - 2012-08-23 02:22 - 01123840 ____A (Microsoft Corporation) C:\Windows\System32\mstsc.exe

2013-05-13 13:21 - 2012-08-23 01:51 - 03174912 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll

2013-05-13 13:21 - 2012-08-23 00:19 - 04916224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll

2013-05-13 13:21 - 2012-08-23 00:13 - 05773824 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll

2013-05-13 13:20 - 2012-08-24 10:13 - 00154480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2013-05-13 13:20 - 2012-08-24 10:09 - 00458712 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2013-05-13 13:20 - 2012-08-24 10:05 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2013-05-13 13:20 - 2012-08-24 10:03 - 01448448 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll

2013-05-13 13:20 - 2012-08-24 08:57 - 00247808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2013-05-13 13:20 - 2012-08-24 08:57 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2013-05-13 13:20 - 2012-08-24 08:53 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2013-05-13 13:20 - 2012-05-04 03:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll

2013-05-13 13:20 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll

2013-05-13 13:08 - 2013-05-13 13:08 - 00000000 ____D C:\Program Files (x86)\ElcomSoft

2013-05-13 10:10 - 2013-05-13 10:10 - 49642894 ____A C:\Users\Public\Warcraft - Orcs and Humans.rar.html

2013-05-13 10:09 - 2013-05-13 10:09 - 00144633 ____A C:\Users\Public\Dragon Quest VIII.txt.html

2013-05-13 10:09 - 2013-05-13 10:09 - 00001793 ____A C:\Users\Public\Desktop\DOSBox 0.74.lnk.html

2013-05-13 10:03 - 2013-05-13 10:03 - 00423568 ____A C:\Users\Hellfire\Desktop\Metroid Prime 3.rtf.html

2013-05-13 10:03 - 2013-05-13 10:03 - 00049701 ____A C:\Users\Hellfire\Desktop\My Little Gir 150x.gif.html

2013-05-13 10:03 - 2013-05-13 10:03 - 00007966 ____A C:\Users\Hellfire\Desktop\GameFAQs Dynasty Warriors 7 (PS3) Dim Sum Location Guide by divini.txt

2013-05-13 10:02 - 2013-05-13 10:03 - 78643472 ____A C:\Users\Hellfire\Desktop\Farcry2 South.bmp.html

2013-05-13 10:02 - 2013-05-13 10:02 - 10129729 ____A C:\Users\Hellfire\Desktop\1_6_4_ghibli_world.zip.html

2013-05-13 09:53 - 2013-05-13 09:53 - 00000000 ____D C:\Users\Hellfire\AppData\Local\Primary Interop Assemblies

2013-05-06 18:26 - 2013-05-06 18:26 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\.mono

2013-05-02 16:51 - 2013-05-02 16:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-04-26 14:09 - 2013-04-26 14:09 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\StarDrive

2013-04-25 18:55 - 2013-04-25 18:55 - 00003915 ____A C:\Windows\SysWOW64\jupdate-1.7.0_21-b11.log

2013-04-25 18:55 - 2013-04-04 04:35 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2013-04-25 18:55 - 2013-04-04 04:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2013-04-25 18:55 - 2013-04-04 04:29 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2013-04-23 15:26 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-23 11:11 - 2013-04-23 11:11 - 42102788 ____A C:\Users\Hellfire\Desktop\Burntoast - Macross Forever.mpeg

2013-04-23 08:46 - 2013-04-24 21:56 - 00000000 ____D C:\Users\Hellfire\Documents\Eador

2013-04-20 13:58 - 2013-04-20 13:58 - 00000000 ____D C:\Program Files (x86)\Combined Community Codec Pack

2013-04-16 16:39 - 2013-04-19 12:17 - 00000000 ____D C:\Users\Hellfire\Documents\My Spore Creations

2013-04-16 16:39 - 2013-04-18 13:17 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\SPORE

2013-04-16 16:35 - 2013-04-16 16:35 - 00000000 __RHD C:\Users\Hellfire\AppData\Roaming\SecuROM

2013-04-16 14:40 - 2013-04-16 14:40 - 00000000 ____D C:\Program Files (x86)\Electronic Arts

==================== One Month Modified Files and Folders =======

2013-05-15 16:56 - 2013-05-15 16:56 - 00000000 ____D C:\FRST

2013-05-15 15:48 - 2013-02-27 19:15 - 00006175 ____A C:\Windows\setupact.log

2013-05-15 15:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-15 15:30 - 2013-05-15 15:30 - 00000318 ____A C:\Users\Hellfire\Desktop\Curse Client.appref-ms

2013-05-15 15:30 - 2012-11-06 08:02 - 00000000 ____D C:\Users\Hellfire\AppData\Local\Deployment

2013-05-15 15:30 - 2012-11-05 21:47 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\Skype

2013-05-15 15:30 - 2009-07-13 20:45 - 00014832 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-15 15:30 - 2009-07-13 20:45 - 00014832 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-15 15:29 - 2013-03-16 12:52 - 00000000 ____D C:\Program Files (x86)\PS3 Media Server

2013-05-15 15:28 - 2013-03-01 12:37 - 00017554 ____A C:\Windows\PFRO.log

2013-05-15 15:27 - 2012-11-05 21:02 - 01605998 ____A C:\Windows\WindowsUpdate.log

2013-05-15 15:26 - 2009-07-13 21:13 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-15 15:24 - 2013-01-31 16:25 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-15 14:05 - 2013-05-15 14:05 - 01877416 ____A (Farbar) C:\Users\Hellfire\Desktop\FRST64.exe

2013-05-15 10:21 - 2013-05-15 07:39 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\BitTorrent

2013-05-15 10:18 - 2013-05-15 10:18 - 00688992 ____R (Swearware) C:\Users\Hellfire\Desktop\dds.scr

2013-05-15 08:49 - 2012-11-05 23:41 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\vlc

2013-05-15 03:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-05-15 02:26 - 2009-07-13 20:45 - 00284136 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 02:05 - 2012-11-05 23:27 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-14 16:24 - 2013-01-31 16:25 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-14 16:24 - 2013-01-31 16:25 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-14 14:22 - 2013-05-14 14:19 - 00000000 ____D C:\Users\Hellfire\Documents\My Kindle Content

2013-05-14 14:19 - 2013-05-14 14:19 - 00001998 ____A C:\Users\Hellfire\Desktop\Kindle.lnk

2013-05-14 14:19 - 2013-05-14 14:19 - 00000000 ____D C:\Users\Hellfire\AppData\Local\Amazon

2013-05-14 14:19 - 2013-05-14 14:19 - 00000000 ____D C:\Program Files (x86)\Amazon

2013-05-13 20:54 - 2012-11-05 22:10 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\.minecraft

2013-05-13 13:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-05-13 13:08 - 2013-05-13 13:08 - 00000000 ____D C:\Program Files (x86)\ElcomSoft

2013-05-13 10:28 - 2012-11-05 21:02 - 00000000 ____D C:\users\Hellfire

2013-05-13 10:10 - 2013-05-13 10:10 - 49642894 ____A C:\Users\Public\Warcraft - Orcs and Humans.rar.html

2013-05-13 10:09 - 2013-05-13 10:09 - 00144633 ____A C:\Users\Public\Dragon Quest VIII.txt.html

2013-05-13 10:09 - 2013-05-13 10:09 - 00001793 ____A C:\Users\Public\Desktop\DOSBox 0.74.lnk.html

2013-05-13 10:09 - 2012-11-05 22:10 - 00000000 ____D C:\Users\Hellfire\Documents\StarCraft II

2013-05-13 10:04 - 2012-11-05 22:10 - 00000000 ____D C:\Users\Hellfire\Documents\Diablo III

2013-05-13 10:03 - 2013-05-13 10:03 - 00423568 ____A C:\Users\Hellfire\Desktop\Metroid Prime 3.rtf.html

2013-05-13 10:03 - 2013-05-13 10:03 - 00049701 ____A C:\Users\Hellfire\Desktop\My Little Gir 150x.gif.html

2013-05-13 10:03 - 2013-05-13 10:03 - 00007966 ____A C:\Users\Hellfire\Desktop\GameFAQs Dynasty Warriors 7 (PS3) Dim Sum Location Guide by divini.txt

2013-05-13 10:03 - 2013-05-13 10:02 - 78643472 ____A C:\Users\Hellfire\Desktop\Farcry2 South.bmp.html

2013-05-13 10:03 - 2013-03-01 15:02 - 00000000 ____D C:\Users\Hellfire\Desktop\INVedit

2013-05-13 10:03 - 2012-11-05 22:10 - 00000000 ____D C:\Users\Hellfire\Desktop\Wow Rotations

2013-05-13 10:02 - 2013-05-13 10:02 - 10129729 ____A C:\Users\Hellfire\Desktop\1_6_4_ghibli_world.zip.html

2013-05-13 09:53 - 2013-05-13 09:53 - 00000000 ____D C:\Users\Hellfire\AppData\Local\Primary Interop Assemblies

2013-05-06 21:09 - 2012-11-05 22:10 - 00000000 ____D C:\Users\Hellfire\Documents\majesty2

2013-05-06 18:26 - 2013-05-06 18:26 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\.mono

2013-05-05 13:36 - 2013-05-15 02:01 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-05 13:16 - 2013-05-15 02:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-05 11:25 - 2013-05-15 02:01 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-05 11:12 - 2013-05-15 02:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-02 16:51 - 2013-05-02 16:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-01 21:11 - 2013-03-26 18:44 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\Bioshock

2013-04-30 20:56 - 2013-03-20 22:59 - 00351212 ____A C:\Windows\DirectX.log

2013-04-29 17:32 - 2012-12-10 00:49 - 00000000 ____D C:\Users\Hellfire\.dvdcss

2013-04-29 10:16 - 2013-02-02 03:18 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-04-29 10:16 - 2012-11-05 21:47 - 00000000 ____D C:\ProgramData\Skype

2013-04-26 14:09 - 2013-04-26 14:09 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\StarDrive

2013-04-26 13:33 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-04-25 18:55 - 2013-04-25 18:55 - 00003915 ____A C:\Windows\SysWOW64\jupdate-1.7.0_21-b11.log

2013-04-25 18:55 - 2013-03-24 17:09 - 00000000 ____D C:\Program Files (x86)\Java

2013-04-25 18:48 - 2012-11-05 21:19 - 00000000 ____D C:\ProgramData\Norton

2013-04-24 21:56 - 2013-04-23 08:46 - 00000000 ____D C:\Users\Hellfire\Documents\Eador

2013-04-23 11:11 - 2013-04-23 11:11 - 42102788 ____A C:\Users\Hellfire\Desktop\Burntoast - Macross Forever.mpeg

2013-04-20 13:58 - 2013-04-20 13:58 - 00000000 ____D C:\Program Files (x86)\Combined Community Codec Pack

2013-04-19 12:17 - 2013-04-16 16:39 - 00000000 ____D C:\Users\Hellfire\Documents\My Spore Creations

2013-04-18 13:17 - 2013-04-16 16:39 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\SPORE

2013-04-16 19:10 - 2012-11-05 22:03 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information

2013-04-16 16:35 - 2013-04-16 16:35 - 00000000 __RHD C:\Users\Hellfire\AppData\Roaming\SecuROM

2013-04-16 14:40 - 2013-04-16 14:40 - 00000000 ____D C:\Program Files (x86)\Electronic Arts

2013-04-16 01:05 - 2012-11-05 21:19 - 00000000 ____D C:\Windows\System32\Drivers\NISx64

Other Malware:

===========

C:\Users\Public\DOSBox0.74-win32-installer.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-15 03:14:57

==================== Memory info ===========================

Percentage of memory in use: 11%

Total physical RAM: 6142.49 MB

Available physical RAM: 5419.24 MB

Total Pagefile: 6140.64 MB

Available Pagefile: 5418.96 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:48.73 GB) (Free:9.19 GB) NTFS (Disk=0 Partition=2)

Drive e: () (Fixed) (Total:195.31 GB) (Free:39.71 GB) NTFS (Disk=0 Partition=3)

Drive f: () (Fixed) (Total:454.5 GB) (Free:8.95 GB) NTFS (Disk=0 Partition=4)

Drive g: (GRMCHPXFREO_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF

Drive h: () (Removable) (Total:1.87 GB) (Free:1.86 GB) FAT (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: EED4EEC7)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=49 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=195 GB) - (Type=07 NTFS)

Partition 4: (Not Active) - (Size=454 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 2 GB) (Disk ID: 04030201)

Partition 1: (Not Active) - (Size=2 GB) - (Type=06)

Last Boot: 2013-05-13 23:47

==================== End Of Log ============================

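An added triage script, not part of this thread and not something MrC or the FRST tool provides, that parses lines in the format of the "One Month Created Files and Folders" section above. It picks out the renamed files by their doubled extension (`.rar.html`, `.rtf.html`), reports the time window in which they were written, and lists everything FRST recorded shortly before that window, which is where a responder would look first for the dropper or its working directory. The sample lines are a constructed excerpt modelled on the log above, and the 30-minute lookback is an arbitrary choice for the example; the script surfaces entries to review, it does not identify the malware.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed excerpt in the format of FRST's "One Month Created Files and
# Folders" section. The paths mirror entries in the log above, but this is
# sample input for the script, not the log itself.
SAMPLE_LOG = r"""
2013-05-15 14:05 - 2013-05-15 14:05 - 01877416 ____A (Farbar) C:\Users\Hellfire\Desktop\FRST64.exe
2013-05-13 13:08 - 2013-05-13 13:08 - 00000000 ____D C:\Program Files (x86)\ElcomSoft
2013-05-13 10:10 - 2013-05-13 10:10 - 49642894 ____A C:\Users\Public\Warcraft - Orcs and Humans.rar.html
2013-05-13 10:09 - 2013-05-13 10:09 - 00144633 ____A C:\Users\Public\Dragon Quest VIII.txt.html
2013-05-13 10:09 - 2013-05-13 10:09 - 00001793 ____A C:\Users\Public\Desktop\DOSBox 0.74.lnk.html
2013-05-13 10:03 - 2013-05-13 10:03 - 00423568 ____A C:\Users\Hellfire\Desktop\Metroid Prime 3.rtf.html
2013-05-13 10:03 - 2013-05-13 10:03 - 00007966 ____A C:\Users\Hellfire\Desktop\GameFAQs guide.txt
2013-05-13 10:02 - 2013-05-13 10:02 - 10129729 ____A C:\Users\Hellfire\Desktop\1_6_4_ghibli_world.zip.html
2013-05-13 09:53 - 2013-05-13 09:53 - 00000000 ____D C:\Users\Hellfire\AppData\Local\Primary Interop Assemblies
2013-05-06 18:26 - 2013-05-06 18:26 - 00000000 ____D C:\Users\Hellfire\AppData\Roaming\.mono
"""

# created - modified - size attrs [(signer)] path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<signer>[^)]*)\) )?"      # optional "(Company)" field
    r"(?P<path>.+?)\s*$"
)
# A file the ransomware renamed keeps its real extension and gains ".html".
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}\.html$", re.IGNORECASE)
TS = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    signer: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_frst_lines(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, other FRST sections
        entries.append(Entry(
            datetime.strptime(m["created"], TS),
            datetime.strptime(m["modified"], TS),
            int(m["size"]), m["attrs"], m["signer"], m["path"],
        ))
    return entries


def find_renamed(entries: List[Entry]) -> List[Entry]:
    """Files (not folders) carrying a real extension plus the appended .html."""
    return [e for e in entries if not e.is_dir and DOUBLE_EXT_RE.search(e.path)]


def encryption_window(renamed: List[Entry]) -> Optional[Tuple[datetime, datetime]]:
    """Earliest and latest creation time among the renamed files."""
    if not renamed:
        return None
    times = [e.created for e in renamed]
    return min(times), max(times)


def review_before(entries: List[Entry], window_start: datetime,
                  lookback: timedelta = timedelta(minutes=30)) -> List[str]:
    """Paths written in the lookback period before the first renamed file.
    The 30-minute default is an arbitrary choice for this example."""
    hits = [e for e in entries if window_start - lookback <= e.created < window_start]
    return [e.path for e in sorted(hits, key=lambda e: e.created)]


if __name__ == "__main__":
    entries = parse_frst_lines(SAMPLE_LOG)
    renamed = find_renamed(entries)
    start, end = encryption_window(renamed)
    print(f"{len(renamed)} renamed files between {start} and {end}")
    for path in review_before(entries, start):
        print("review:", path)
```

Note that the `.txt` file written at 10:03 is not renamed, so the window is defined by the files that were: not everything in a folder gets touched, and a file that escaped is worth keeping for later comparison against its encrypted neighbours.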

The DOSBox file shouldn't be it; I've had that file for years. Anything I can do to help you track this down?

Like I mentioned, I could get you a screenshot of what I see from the ransomware site; I couldn't find any quite like it in my searches for info.


Yeah, that looks like the one I am fighting with, but the Panda decrypt is made for files that have been changed to "locked-nameofthefile.ext.xxxx" (where xxxx are random characters).

It changes mine to nameofthefile.ext.html, so it didn't work running it normal or advanced. Trying to run any of the encrypted files opens that page I posted pics of; opening a .txt file in Notepad gets me:

<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' content='0; url=http://mblblock.in/i.php?uid={873F0E0D-6352-8827-93A6-EFED75227197}' /><title>Index</title></head><body></body><!--`«0s XJÍ<ÀTÕŸŠbÖ^WP'L8DÙ朿ÛTR`íb2

AÀm—~`™ë$ì —Ào²XW‡œ¤y`@¢š=¸=+å/#ç é³ÓM·ÌN-¶/ÈÛH¢ WV£ü˜ýVéÜ1®î€µª=S•œÙ—rrõ¤Þ}€²Ä%XØ`}¥Z#BE˜¾§·(èã"Ƥj €K¤íÇûfá#T!6ãl{6áL0T¤ø?cfbYÞŸuÈx#vbaõ!§Uš³vý3Ë{ã¶îU

¤ƒþb³ÂÓ

šãS’ʵ)Ì™©>»Þঌüó:°F]…þ€Õý`nk¤iÓ¼•OÇ*öø¤xØu9¡Eýý¹v¶'è¤AØ!úIS°ÐrOÕ>Wò€¼+Zw…Ð¥½½æcÍ*æ.g-[a6#eÓ±É,fW»ãÅ')(ø9>ÓÖ­0jâઙ½ ¥™ù …g¹‘½¨Ž\“ÚÛ %¯<$£ƒˆ|õºa‹g²ÑÚñ˜”¯Â¿vÏ/Yo`[h"ú†¿·“•µß³"MR“‹j7·+”ì

9Y

|Ô,V°¥8>å©jíDÛ’ÍþÚ¸'YèõÀªîê{9¸ªo¶ÇØ[`œó½oG"$èõË$#‡>ÅkÄê‰F‹mà\â–®3`¾–ÅJHx¥=ú”†M-,š|qv{ÿEÊ÷©wXëðŸ±A°ß³šûplŠ­{Ÿ¹+Á`MŠ‰X;*¸¥ªóô%Ø…ôîšp

ÍéV; É!—Jœ2»CI÷OBSŠ3Ñ/åØz#‚(/9±üFp‡%WÆú¬(¹=Pà+æh_Ýa

#°¡yIÌ¡R¬jË‘!*CÐœOLœ’Ò§QvïQhåº÷¾^ªàf§b»çf‚pE™zÐîDUì̞żb5Û-€ˆVÚQél‚ëe'ýҕNjº8sNhž?<½¾¢5¨ºÝ7šòÿ‚Mbjy@ˆ—ï]‘å¡

e‰áþv¬‡€Ùƒœ#´3ä[÷2XªhýZ{/f{ý¶"™Ð@ÿüŠð6[­ÅMOÓ3I€üu¦……>½¬öʲVæðʵÝ1jª`e‡Yϲ€¾‘·ükÉAíBòҥĽ“ž”--></html>

So it's not just encrypted but given some HTML code.

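The file layout the poster pasted above lends itself to an automated check. The following is an added example, not code from the thread: it takes the wrapped file as bytes, pulls the redirect URL and the uid out of the meta refresh, carves the payload between `<!--` and the closing `-->`, and measures the payload's byte entropy. The header is the one quoted in the post; the bytes after `<!--` are constructed pseudo-random data standing in for the ciphertext, which is not reproducible here. Entropy close to 8 bits per byte is consistent with real encryption, while a low value would suggest the file is only obfuscated and worth a closer look. Nothing here decrypts anything. Parse these files as bytes and never render them: opening one in a browser fires the refresh and contacts the site behind the ransom page.

```python
import hashlib
import math
import re
from typing import Optional
from urllib.parse import urlsplit

# The wrapper header is the one quoted in the post above. The bytes after
# "<!--" are constructed here from SHA-256 output to stand in for the real
# ciphertext; "-->" and "</html>" close the file as in the post.
HEADER = (
    b"<html xmlns='http://www.w3.org/1999/xhtml'><head>"
    b"<meta http-equiv='refresh' content='0; url=http://mblblock.in/i.php?"
    b"uid={873F0E0D-6352-8827-93A6-EFED75227197}' /><title>Index</title>"
    b"</head><body></body><!--"
)
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_FILE = HEADER + FAKE_CIPHERTEXT + b"--></html>"

REFRESH_RE = re.compile(
    rb"http-equiv=['\"]refresh['\"][^>]*?url=(?P<url>[^'\"]+)", re.IGNORECASE)
UID_RE = re.compile(rb"uid=\{(?P<uid>[0-9A-Fa-f-]+)\}")
# "name.ext.html": the original extension survives in front of the added one.
DOUBLE_EXT_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.html$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_wrapped_file(data: bytes) -> Optional[dict]:
    """Return the IOCs and the carved payload, or None if data is not a wrapped file.

    Works on bytes on purpose: the wrapper is ASCII but the payload is not,
    and decoding the whole file as text would corrupt it."""
    if not data.lstrip().lower().startswith(b"<html"):
        return None
    start = data.find(b"<!--")          # first comment opener: end of the wrapper
    if start < 0:
        return None
    end = data.rfind(b"-->")            # last closer: the trailer, not payload bytes
    payload = data[start + 4 : end if end > start else len(data)]
    head = data[:start]
    m = REFRESH_RE.search(head)
    url = m["url"].decode("ascii", "replace") if m else None
    u = UID_RE.search(head)
    return {
        "url": url,
        "host": urlsplit(url).hostname if url else None,
        "uid": u["uid"].decode("ascii") if u else None,
        "payload": payload,
        "entropy": shannon_entropy(payload),
    }


def original_name(filename: str) -> Optional[str]:
    """'Metroid Prime 3.rtf.html' -> 'Metroid Prime 3.rtf'; None for an ordinary .html file."""
    m = DOUBLE_EXT_RE.match(filename)
    return m["orig"] if m else None


if __name__ == "__main__":
    info = parse_wrapped_file(SAMPLE_FILE)
    print("redirect host:", info["host"], "uid:", info["uid"])
    print(f"payload {len(info['payload'])} bytes, entropy {info['entropy']:.2f} bits/byte")
```

The uid in the refresh URL is the per-victim identifier the ransom page is keyed on, so it and the redirect host are the two values worth recording from every affected file before the machine is wiped; the carved payload can be written out under the name `original_name` returns to keep it in a form a future decrypter could take.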

Oh, and like I said before, it's time for a full format and reinstall of Windows, so no need to go over removing the diagnostic tools you had me download.

That's twice now your team has helped me recover my computer; you go above and beyond to help. I have worked my share of tech support and hated just sending someone a document so they could fix the issue on their own, and this was to people paying for support.

At times like this I wish I wasn't just a house dad now, but sadly I am broke, or I would be making a generous donation; sadly all I can afford to give is my thanks.

Heh, I was typing this when you replied. Yes, I plan to thank them as well, but you're the one who found the fix; I had given up.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.