Need help removing Ransomware


Hi there,

I have a nasty ransomware infection. It will not let me enter safe mode as it pops up in safe mode too.

I usually use HitmanPro's "Kickstart" from a flash drive to fix these things, but the Kickstart program seems to hang on "read MBR" so I cannot use it.


I have read a few posts on this forum where the user submits a log from FRST.exe and another user will help them fix it. 

So can someone here help me do that?

Much appreciated 

Thanks


Welcome to the forum.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
  • =========================================
    • On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.

      Note: You need to run the version compatible with your system.

      Plug the flashdrive into the infected PC.

    • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

      If you are using Vista or Windows 7 enter System Recovery Options.

      To enter System Recovery Options from the Advanced Boot Options:

      • Restart the computer.
      • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
      • Use the arrow keys to select the Repair your computer menu item.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
      Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

      To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

      To enter System Recovery Options by using Windows installation disc:

      • Insert the installation disc.
      • Restart your computer.
      • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
      • Click Repair your computer.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
    • On the System Recovery Options menu you will get the following options:

      Startup Repair

      System Restore

      Windows Complete PC Restore

      Windows Memory Diagnostic Tool

      Command Prompt

      Select Command Prompt

    • Once in the Command Prompt:
      • In the command window type in notepad and press Enter.
      • The notepad opens. Under File menu select Open.
      • Select "Computer" and find your flash drive letter and close the notepad.
      • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

        Note: Replace letter e with the drive letter of your flash drive.

      • The tool will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC

Thanks for your help, the log is pasted below, cheers :)


_________________________________________________________________________________________
 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:11-06-2014 01
Ran by SYSTEM on MININT-0QTVKF1 on 11-06-2014 15:27:51
Running from F:\
Platform: Windows 7 Ultimate (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [OEM02Mon.exe] => C:\Windows\OEM02Mon.exe [36864 2014-02-24] (Creative Technology Ltd.)
HKLM\...\Run: [bCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [517392 2014-04-25] (McAfee, Inc.)
HKU\Stephen\...\Run: [skype] => C:\Program Files\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.)
Startup: C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp ()
 
========================== Services (Whitelisted) =================
 
S2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390720 2014-04-11] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1764992 2014-04-11] (Microsoft Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [145568 2014-04-25] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [471592 2013-08-02] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [655936 2014-03-17] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169800 2014-04-03] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [179600 2014-04-03] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S2 Winmgmt; C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp [168821 2014-06-09] ()
 
==================== Drivers (Whitelisted) ====================
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [61400 2014-04-03] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [147912 2013-09-23] (McAfee, Inc.)
S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [66296 2013-09-09] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [134600 2014-04-03] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [236672 2014-04-03] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [66408 2014-04-03] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [367776 2014-04-03] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [574576 2014-04-03] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [345584 2014-03-17] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [81264 2014-03-17] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [215624 2014-04-03] (McAfee, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-11 15:27 - 2014-06-11 15:27 - 00000000 ____D () C:\FRST
2014-06-11 04:56 - 2014-06-11 06:22 - 00011522 _____ () C:\ProgramData\RUNDLL32.EXE-2376-F.txt
2014-06-10 06:09 - 2014-06-10 08:05 - 00015541 _____ () C:\ProgramData\RUNDLL32.EXE-2192-F.txt
2014-06-10 02:38 - 2014-06-10 02:39 - 00000165 _____ () C:\ProgramData\RUNDLL32.EXE-2184-F.txt
2014-06-10 01:57 - 2014-06-10 01:57 - 00000366 _____ () C:\ProgramData\RUNDLL32.EXE-2108-F.txt
2014-06-10 01:57 - 2014-06-10 01:57 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-06-09 23:08 - 2014-06-09 23:15 - 00004319 _____ () C:\ProgramData\RUNDLL32.EXE-2392-F.txt
2014-06-09 14:31 - 2014-06-09 14:33 - 00001686 _____ () C:\ProgramData\RUNDLL32.EXE-2880-F.txt
2014-06-09 14:05 - 2014-06-09 14:09 - 00002409 _____ () C:\ProgramData\RUNDLL32.EXE-3076-F.txt
2014-06-09 13:58 - 2014-06-09 14:02 - 00002613 _____ () C:\ProgramData\RUNDLL32.EXE-3056-F.txt
2014-06-09 13:52 - 2014-06-09 13:54 - 00001370 _____ () C:\ProgramData\RUNDLL32.EXE-2976-F.txt
2014-06-09 13:42 - 2014-06-09 13:42 - 00000000 ____D () C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB
2014-06-07 18:25 - 2014-06-11 04:58 - 00000000 __RSD () C:\Users\Stephen\Documents\McAfee Vaults
2014-05-28 13:09 - 2014-06-10 01:55 - 00000000 ____D () C:\Users\Stephen\AppData\Roaming\Skype
2014-05-28 13:09 - 2014-05-28 13:10 - 00000000 ___RD () C:\Program Files\Skype
2014-05-28 13:09 - 2014-05-28 13:09 - 00002503 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-05-28 13:09 - 2014-05-28 13:09 - 00000000 ____D () C:\Users\Stephen\AppData\Local\Skype
2014-05-28 13:09 - 2014-05-28 13:09 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-05-28 13:08 - 2014-05-28 13:09 - 00000000 ____D () C:\ProgramData\Skype
2014-05-18 22:40 - 2014-05-18 22:40 - 00000000 ____D () C:\Users\Stephen\AppData\Local\McAfee File Lock
2014-05-18 07:35 - 2013-09-09 02:11 - 00066296 _____ (McAfee, Inc.) C:\Windows\System32\Drivers\McPvDrv.sys
2014-05-18 07:33 - 2014-06-11 05:14 - 00001844 _____ () C:\Users\Public\Desktop\McAfee Total Protection.lnk
 
==================== One Month Modified Files and Folders =======
 
2014-06-11 15:27 - 2014-06-11 15:27 - 00000000 ____D () C:\FRST
2014-06-11 06:22 - 2014-06-11 04:56 - 00011522 _____ () C:\ProgramData\RUNDLL32.EXE-2376-F.txt
2014-06-11 05:14 - 2014-05-18 07:33 - 00001844 _____ () C:\Users\Public\Desktop\McAfee Total Protection.lnk
2014-06-11 05:13 - 2014-02-24 08:36 - 00000000 ____D () C:\Users\Stephen\AppData\Local\Temp
2014-06-11 05:04 - 2014-02-24 08:25 - 01705257 _____ () C:\Windows\WindowsUpdate.log
2014-06-11 05:01 - 2009-07-13 20:34 - 00016160 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-11 05:01 - 2009-07-13 20:34 - 00016160 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-11 04:58 - 2014-06-07 18:25 - 00000000 __RSD () C:\Users\Stephen\Documents\McAfee Vaults
2014-06-11 04:56 - 2009-07-13 20:39 - 00024918 _____ () C:\Windows\setupact.log
2014-06-10 08:05 - 2014-06-10 06:09 - 00015541 _____ () C:\ProgramData\RUNDLL32.EXE-2192-F.txt
2014-06-10 02:39 - 2014-06-10 02:38 - 00000165 _____ () C:\ProgramData\RUNDLL32.EXE-2184-F.txt
2014-06-10 01:57 - 2014-06-10 01:57 - 00000366 _____ () C:\ProgramData\RUNDLL32.EXE-2108-F.txt
2014-06-10 01:57 - 2014-06-10 01:57 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-06-10 01:55 - 2014-05-28 13:09 - 00000000 ____D () C:\Users\Stephen\AppData\Roaming\Skype
2014-06-09 23:15 - 2014-06-09 23:08 - 00004319 _____ () C:\ProgramData\RUNDLL32.EXE-2392-F.txt
2014-06-09 14:33 - 2014-06-09 14:31 - 00001686 _____ () C:\ProgramData\RUNDLL32.EXE-2880-F.txt
2014-06-09 14:09 - 2014-06-09 14:05 - 00002409 _____ () C:\ProgramData\RUNDLL32.EXE-3076-F.txt
2014-06-09 14:02 - 2014-06-09 13:58 - 00002613 _____ () C:\ProgramData\RUNDLL32.EXE-3056-F.txt
2014-06-09 13:54 - 2014-06-09 13:52 - 00001370 _____ () C:\ProgramData\RUNDLL32.EXE-2976-F.txt
2014-06-09 13:50 - 2014-03-01 02:35 - 00000000 ____D () C:\Program Files\McAfee
2014-06-09 13:49 - 2014-02-24 08:59 - 00349122 _____ () C:\Windows\PFRO.log
2014-06-09 13:42 - 2014-06-09 13:42 - 00000000 ____D () C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB
2014-06-07 18:28 - 2014-02-24 08:42 - 00781298 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-05-28 13:10 - 2014-05-28 13:09 - 00000000 ___RD () C:\Program Files\Skype
2014-05-28 13:09 - 2014-05-28 13:09 - 00002503 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-05-28 13:09 - 2014-05-28 13:09 - 00000000 ____D () C:\Users\Stephen\AppData\Local\Skype
2014-05-28 13:09 - 2014-05-28 13:09 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-05-28 13:09 - 2014-05-28 13:08 - 00000000 ____D () C:\ProgramData\Skype
2014-05-27 13:10 - 2014-03-01 02:22 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2014-05-22 01:29 - 2014-02-24 09:14 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-05-18 22:40 - 2014-05-18 22:40 - 00000000 ____D () C:\Users\Stephen\AppData\Local\McAfee File Lock
 
Some content of TEMP:
====================
C:\Users\Stephen\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\Stephen\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 20%
Total physical RAM: 2038.04 MB
Available physical RAM: 1627.09 MB
Total Pagefile: 2038.04 MB
Available Pagefile: 1627.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1944.62 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.79 GB) (Free:207.22 GB) NTFS
Drive f: (TEST) (Removable) (Total:2.36 GB) (Free:2.36 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: E8000000)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
 
LastRegBack: 2014-06-07 23:19
 
==================== End Of Log ============================

This should do it...........

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


Thanks,

Here is the fix log:

______________________________________________________________________

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:11-06-2014 01
Ran by SYSTEM at 2014-06-11 15:50:07 Run:1
Running from F:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
Startup: C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp ()
S2 Winmgmt; C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp [168821 2014-06-09] ()
C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp 
C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB
C:\ProgramData\RUNDLL32.EXE-2376-F.txt
C:\ProgramData\RUNDLL32.EXE-2192-F.txt
C:\ProgramData\RUNDLL32.EXE-2184-F.txt
C:\ProgramData\RUNDLL32.EXE-2108-F.txt
C:\ProgramData\RUNDLL32.EXE-2392-F.txt
C:\ProgramData\RUNDLL32.EXE-2880-F.txt
C:\ProgramData\RUNDLL32.EXE-3076-F.txt
C:\ProgramData\RUNDLL32.EXE-3056-F.txt
C:\ProgramData\RUNDLL32.EXE-2976-F.txt
C:\Users\Stephen\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\Stephen\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
 
 
*****************
 
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk => Moved successfully.
C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp => Moved successfully.
Winmgmt => Service restored successfully.
"C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp" => File/Directory not found.
C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2376-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2192-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2184-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2108-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2392-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2880-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-3076-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-3056-F.txt => Moved successfully.
C:\ProgramData\RUNDLL32.EXE-2976-F.txt => Moved successfully.
C:\Users\Stephen\AppData\Local\Temp\Foxit Reader Updater.exe => Moved successfully.
C:\Users\Stephen\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
 
==== End of Fixlog ====
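The scan log and fixlog above show the whole pattern MrC acted on: a Startup shortcut and the Winmgmt service both loading an unsigned .cpp file from a random-named ProgramData folder, plus the RUNDLL32.EXE-*.txt files dropped beside it. As an added example (not FRST's own code and not MrC's fixlist), the Python below scans FRST-format lines for that pattern and drafts a fixlist in the same shape; its heuristics, the `CORE_SERVICES` set and the embedded sample are assumptions, the sample being lines copied from the two logs in this thread.

```python
"""Triage FRST.txt lines for the persistence seen in this thread (Startup shortcut
and Winmgmt service both loading an unsigned .cpp from a random ProgramData folder)
and draft a fixlist.txt shaped like MrC's. Added example; heuristics are assumptions."""
import re

RUN_RE = re.compile(r'^HK(?:LM|U\\[^\\]+)\\\.\.\.\\Run: \[[^\]]*\] => (.*)$')
SERVICE_RE = re.compile(r'^[SR]\d ([^;]+); (.*)$')
SHORTCUT_RE = re.compile(r'^ShortcutTarget: \S+ -> (.*)$')
# "One Month Created/Modified" lines: date - date - size attrs (signer) path
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - '
                     r'\d{8} (\S+) \(([^)]*)\) (.*)$')
# A drive path, cut before FRST's " [size date]" / " (signer)" suffix or a switch.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?(?=\s+[/\-\[(<]|"|$)')
HEX_FOLDER_RE = re.compile(r'^[A-Za-z]:\\ProgramData\\[0-9A-F]{32}(?:\\|$)', re.I)
PROGDATA_ROOT_RE = re.compile(r'^[A-Za-z]:\\ProgramData\\[^\\]+$', re.I)
DATA_DIR_RE = re.compile(r'^[A-Za-z]:\\(?:ProgramData|Users\\[^\\]+\\AppData)\\', re.I)
ATTENTION_RE = re.compile(r'<=+ ATTENTION')
EXEC_EXTS = ('.exe', '.dll', '.sys', '.cpl', '.scr', '.bat', '.cmd', '.vbs', '.js')
CORE_SERVICES = {'winmgmt'}  # assumption: services that must load from C:\Windows

# Constructed sample: lines copied from the two FRST logs in this thread, not a full log.
SAMPLE_LOG = r"""
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
Startup: C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp ()
S2 mfevtp; C:\Windows\system32\mfevtps.exe [179600 2014-04-03] (McAfee, Inc.)
S2 Winmgmt; C:\ProgramData\16C79490C19C6D6950E3B00ABF1207AB\0cljrgio.cpp [168821 2014-06-09] ()
HKU\adults\...\Run: [backgroundContainer] => "C:\Windows\system32\Rundll32.exe" "C:\Users\adults\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <===== ATTENTION
2014-06-11 04:56 - 2014-06-11 06:22 - 00011522 _____ () C:\ProgramData\RUNDLL32.EXE-2376-F.txt
2014-05-18 07:35 - 2013-09-09 02:11 - 00066296 _____ (McAfee, Inc.) C:\Windows\System32\Drivers\McPvDrv.sys
"""


def _path_reasons(path, signed):
    """Why a file loaded by a Run/Service/ShortcutTarget entry looks like the loader."""
    reasons = []
    if HEX_FOLDER_RE.match(path):
        reasons.append('lives in a random 32-hex folder under ProgramData')
    if not path.lower().endswith(EXEC_EXTS):
        reasons.append('executed file has a non-executable extension')
    if DATA_DIR_RE.match(path) and not signed:
        reasons.append('unsigned file in a user-writable data folder')
    return reasons


def triage(log_text):
    """Return (findings, fixlist): findings = [(log line, [reasons])]; fixlist = the
    verbatim entries and bare paths a fixlist.txt would list, in log order."""
    findings, fixlist, seen = [], [], set()

    def add(entry):  # never let a C:\Windows\... path into the fixlist
        if entry and entry not in seen and not entry.lower().startswith('c:\\windows\\'):
            seen.add(entry)
            fixlist.append(entry)

    pending_startup = None
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith('Startup: '):
            pending_startup = line  # judged together with the ShortcutTarget line after it
            continue
        reasons, remove = [], []
        m = SHORTCUT_RE.match(line) or RUN_RE.match(line) or SERVICE_RE.match(line)
        if m:
            tail = m.group(m.lastindex)  # FRST ends the entry with "()" when no company is known
            for path in PATH_RE.findall(tail):
                why = _path_reasons(path, signed=not tail.endswith('()'))
                if why:
                    reasons += why
                    remove.append(path)
                    if HEX_FOLDER_RE.match(path):  # take the dropper's folder as well
                        remove.append(HEX_FOLDER_RE.match(path).group(0).rstrip('\\'))
            if (m.re is SERVICE_RE and m.group(1).lower() in CORE_SERVICES
                    and not tail.lower().startswith('c:\\windows\\')):
                reasons.append('core service %s redirected outside C:\\Windows' % m.group(1))
        if ATTENTION_RE.search(line):
            reasons.append('FRST itself marked this line ATTENTION')
        fm = FILE_RE.match(line)
        if fm and 'D' not in fm.group(1) and not fm.group(2):  # a file with no signer
            path = fm.group(3).strip()
            if HEX_FOLDER_RE.match(path) or PROGDATA_ROOT_RE.match(path):
                reasons.append('unsigned file dropped under ProgramData this month')
                remove.append(path)
        if reasons:
            findings.append((line, reasons))
            verbatim = [pending_startup] if m and m.re is SHORTCUT_RE else []
            for entry in verbatim + ([line] if m else []) + remove:
                add(entry)
        pending_startup = None
    return findings, fixlist


if __name__ == '__main__':
    found, draft = triage(SAMPLE_LOG)
    for line, why in found:
        print(line[:60] + '...  <-  ' + '; '.join(why))
    print('\n--- draft fixlist.txt (have a helper review it before running FRST) ---')
    print('\n'.join(draft))
```

The draft is only a starting point: a helper still reads each flagged line before anything is moved, which is why the script refuses to list any C:\Windows path.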

That's great! The computer seems to be released from ransom now, thanks a million.

I am now doing additional scans with MBAM, SUPERAntiSpyware and HitmanPro.

I don't have much but I'll send you a few dollars, this really helped me, thanks.

Also, do you have any idea why the HitmanPro Kickstart failed to boot?


Using Hitman to remove Ransomware sometimes will result in an unbootable computer due to the driver it installs.

Using it on a bootable computer should be OK, but we usually don't use it as there are much better programs available.

Here's my tutorial on Ransomware, not sure if you can get there: (you may have to add some lines to your hosts file to get there)

http://maddoktor2.com/forums/index.php/topic,55928.0.html

I would use Kaspersky Rescue Disk and Unlocker in place of Hitman.

Do you want to run through all the scans I would normally use or are you good with what we did so far?

MrC


Make sure you have created a restore point and.....

Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    -------------------------------------------

    Please read the directions carefully so you don't end up deleting something that is good!!

    If in doubt about an entry....please ask or choose Skip!!!!

    Don't Delete anything unless instructed to!

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

    Skip and click on Continue

    If a suspicious object is detected, the default action will be Skip, click on Continue

    Please note that TDSSKiller can be run in safe mode if needed.

    Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

    • Double-click on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

    • Put a checkmark beside loaded modules.

    • A reboot will be needed to apply the changes. Do it.
    • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
    • Then click on Change parameters in TDSSKiller.
    • Check all boxes then click OK.

    • Click the Start Scan button.

    • The scan should take no longer than 2 minutes.
    • If a suspicious object is detected, the default action will be Skip, click on Continue.

      Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

      If in doubt about an entry....please ask or choose Skip

    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

      Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
    • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    Here's a summary of what to do if you would like to print it out:

    If in doubt about an entry....please ask or choose Skip

    Don't Delete anything unless instructed to!

    If a suspicious object is detected, the default action will be Skip, click on Continue

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

    Skip and click on Continue

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    ~~~~~~~~~~~~~~~~~~~~

    You can attach the logs if they're too long:

    Bottom right corner of this page.

    New window that comes up.

    Then...........

    Please download and run ComboFix.

    The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

    Please visit this webpage for download links, and instructions for running ComboFix

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

    Please make sure you click download buttons that look similar to this, not "sponsored ad links":

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Information on disabling your malware programs can be found Here.

    Make sure you run ComboFix from your desktop.

    Give it at least 30-45 minutes to finish if needed.

    Please include the C:\ComboFix.txt in your next reply for further review.

    ---------->NOTE<----------

    If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

    MrC


Hi

 

I have been reading a lot of forums about helping to get rid of some ransomware.

 

I get a screen just after boot that says you have been downloading / watching child porn and must pay a fine (no locked files).

 

After running an AVG scan from USB, this hasn't fixed it.

 

I have followed the instructions above, and below is my log file.

 

Thanks to anyone that looks or can advise me on how to get rid of it.

 

Thanks

Tommy

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:11-06-2014 01
Ran by SYSTEM on MININT-A96TNNO on 11-06-2014 22:13:01
Running from G:\
Platform: Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ATIModeChange] => Ati2mdxx.exe
HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)
HKLM\...\Run: [iAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [startCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-06-02] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [WavXMgr] => C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe [147840 2010-07-21] (Wave Systems Corp.)
HKLM\...\Run: [uSCService] => C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-06-22] (Broadcom Corporation)
HKLM\...\Run: [PDVDDXSrv] => C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-06-24] (CyberLink Corp.)
HKLM\...\Run: [RoxWatchTray] => C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-09-03] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] => C:\Program Files\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe [522736 2010-11-01] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-05] (Adobe Systems Incorporated)
HKLM\...\Run: [switchBoard] => C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5ServiceManager] => C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-21] (Adobe Systems Incorporated)
HKLM\...\Run: [LWS] => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [205336 2011-08-12] (Logitech Inc.)
HKLM\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM\...\Run: [WinampAgent] => C:\Program Files\Winamp\winampa.exe [74752 2011-12-09] (Nullsoft, Inc.)
HKLM\...\Run: [DLCICATS] => C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll [73728 2006-10-20] ()
HKLM\...\Run: [dlcimon.exe] => C:\Program Files\Dell AIO Printer 946\dlcimon.exe [435080 2006-12-07] (Dell)
HKLM\...\Run: [FaxCenterServer] => C:\Program Files\Dell Fax Solutions\fm3032.exe [312200 2006-12-07] ()
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2013\avgui.exe [4411952 2014-01-20] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [DivXMediaServer] => C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-08-21] (DivX, LLC)
HKLM\...\Run: [vProt] => C:\Program Files\AVG Nation toolbar\vprot.exe [2556744 2014-04-27] ()
HKLM\...\Run: [sDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM\...\Run: [DivXUpdate] => C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1861968 2013-08-28] ()
HKLM\...\Run: [AgentMonitor] => C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe [391040 2013-06-19] ()
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-20] (Apple Inc.)
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\adults\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-07-05] (Google Inc.)
HKU\adults\...\Run: [TomTomHOME.exe] => C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [247768 2012-12-05] (TomTom)
HKU\adults\...\Run: [Google Update] => C:\Users\adults\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-03-21] (Google Inc.)
HKU\adults\...\Run: [AdobeBridge] => [X]
HKU\adults\...\Run: [AVG-Secure-Search-Update_0913b] => C:\Users\adults\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 71077d55925e47d1908b6d791d2bfde0-86dcb60432a8c5c781ce7df8a93fe15c89a06ada --CMPID 0913b
HKU\adults\...\Run: [spybot-S&D Cleaning] => C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [3666224 2013-09-20] (Safer-Networking Ltd.)
HKU\adults\...\Run: [backgroundContainer] => "C:\Windows\system32\Rundll32.exe" "C:\Users\adults\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <===== ATTENTION
HKU\adults\...\Run: [DellSystemDetect] => C:\Users\adults\AppData\Local\Apps\2.0\3YLVBEHN.964\TX3G8C2J.BX4\dell..tion_0f612f649c4a10af_0005.0005_9914611622934cec\DellSystemDetect.exe [253952 2014-03-09] (Dell)
HKU\adults\...\Run: [JumiController] => C:\Program Files\Jumi\jumi.exe [3665408 2014-02-23] (Jumi Technologies)
HKU\adults\...\Policies\system: [LogonHoursAction] 2
HKU\adults\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\home\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKU\home\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-07-05] (Google Inc.)
HKU\home\...\Run: [searchProtect] => C:\Users\home\AppData\Roaming\SearchProtect\bin\cltmng.exe [3470624 2013-09-22] (Conduit)
HKU\home\...\Policies\system: [LogonHoursAction] 2
HKU\home\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\Users\adults\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1lsznrj.lnk
ShortcutTarget: 1lsznrj.lnk -> C:\ProgramData\jrnzsl1.cpp\jrnzsl1.cpp (Microsoft Corporation)
Startup: C:\Users\adults\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\adults\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\AAC1AB089BED67B21BF70EDB56F837C5\gjdorfflq.cpp ()
Startup: C:\Users\home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1lsznrj.lnk
ShortcutTarget: 1lsznrj.lnk -> C:\ProgramData\jrnzsl1.cpp\jrnzsl1.cpp (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-3443526602-2935257622-3521896687-1001\User: Group Policy restriction detected <======= ATTENTION

========================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-19] (AVG Technologies CZ, s.r.o.)
S3 Blackberry Device Manager; C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited)
S2 dcpsysmgrsvc; c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe [388464 2010-08-24] (Dell Inc.)
S2 dlci_device; C:\Windows\system32\dlcicoms.exe [537480 2006-12-07] ( )
S3 RoxMediaDB12OEM; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [1116656 2010-09-03] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [219632 2010-09-03] (Sonic Solutions)
S2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [1032192 2010-02-03] (Wave Systems Corp.)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1273856 2008-11-12] ()
S2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [1164648 2010-03-29] (Wave Systems Corp.)
S2 vToolbarUpdater18.1.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [1793536 2014-04-27] (AVG Secure Search)
S2 Winmgmt; C:\ProgramData\jrnzsl1.cpp\jrnzsl1.cpp [124842 2014-04-24] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S1 ASPI32; C:\Windows\System32\Drivers\ASPI32.sys [25244 1999-09-10] (Adaptec)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-11-24] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-07-19] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-10-22] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [171320 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [246072 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-06-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-10-22] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2014-04-15] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [42272 2014-04-27] (AVG Technologies)
S3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [86016 2010-02-10] (Broadcom Corporation)
S3 jumi; C:\Windows\System32\DRIVERS\jumi.sys [13112 2010-06-03] (Windows ® Win 7 DDK provider)
S0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S1 RapportCerberus_68261; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_68261.sys [358008 2014-05-15] ()
S2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [229888 2010-01-19] (Wave Systems Corp.)
S3 vpnrab; system32\DRIVERS\vpnrab.sys [X]
S3 vpntcpt; system32\DRIVERS\vpntcpt.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-11 22:12 - 2014-06-11 22:13 - 00000000 ____D () C:\FRST
2014-06-11 12:43 - 2014-06-11 13:07 - 00013421 _____ () C:\ProgramData\RUNDLL32.EXE-4928-F.txt
2014-06-11 10:05 - 2014-06-11 10:06 - 00000302 _____ () C:\ProgramData\RUNDLL32.EXE-3320-F.txt
2014-06-11 10:02 - 2014-06-11 10:04 - 00001270 _____ () C:\ProgramData\RUNDLL32.EXE-5668-F.txt
2014-06-11 09:54 - 2014-06-11 09:58 - 00002857 _____ () C:\ProgramData\RUNDLL32.EXE-4696-F.txt
2014-06-11 09:54 - 2014-06-11 09:54 - 00000000 ____D () C:\ProgramData\AAC1AB089BED67B21BF70EDB56F837C5
2014-06-11 03:32 - 2014-06-11 03:32 - 00010884 ____N () C:\Users\adults\Desktop\fcccc.TIF
2014-06-10 22:08 - 2014-06-10 22:08 - 00000000 ____D () C:\Users\adults\AppData\Local\{2F3E01B8-C1FA-45A7-BB90-811D235B19A8}
2014-06-06 21:59 - 2014-06-06 21:59 - 00000288 _____ () C:\Users\adults\Desktop\Messages Molly Lines.url
2014-06-05 08:16 - 2014-06-05 08:16 - 00000000 ____D () C:\Users\adults\AppData\Local\{A8BF993C-8354-4BD2-9BE2-234BEB21881A}
2014-06-04 14:16 - 2014-06-04 14:16 - 00000000 ____D () C:\Users\adults\AppData\Local\{AE107AF7-1AD6-41A1-8F85-ADCF7AE01CF2}
2014-06-04 10:05 - 2014-06-04 10:05 - 00000328 _____ () C:\Users\adults\Desktop\CD Drive - Shortcut.lnk
2014-05-31 00:30 - 2014-05-31 00:30 - 00001419 _____ () C:\Users\adults\Desktop\happy turkey meatloaf.txt
2014-05-25 06:24 - 2014-05-25 06:24 - 00123512 _____ (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
2014-05-23 10:59 - 2014-05-23 10:59 - 00000000 ____D () C:\Users\adults\AppData\Local\{701205EE-0985-4D29-8ADD-A9164EA32A8A}
2014-05-19 07:48 - 2014-05-19 07:48 - 00002345 _____ () C:\Users\adults\Desktop\Mysteries of Neverville - The Runestone of Light.lnk
2014-05-19 03:38 - 2014-05-19 03:38 - 00000000 ____D () C:\Users\adults\AppData\Local\{8842F6F9-931F-4CCA-9CC8-E46E071898B5}
2014-05-14 10:51 - 2014-05-14 10:51 - 00000000 ____D () C:\Users\adults\AppData\Local\{CDAABD6D-7DCD-48B4-8FBC-A0CE1D4379EB}
2014-05-13 18:02 - 2014-05-13 18:02 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-05-13 09:21 - 2014-05-13 09:21 - 00000000 ____D () C:\Users\adults\AppData\Local\{83786CF5-3256-4DCD-95D1-06ECA32A1585}

==================== One Month Modified Files and Folders =======

2014-06-11 22:13 - 2014-06-11 22:12 - 00000000 ____D () C:\FRST
2014-06-11 13:34 - 2013-11-01 03:34 - 00000000 ____D () C:\Users\adults\Downloads\usbflash
2014-06-11 13:07 - 2014-06-11 12:43 - 00013421 _____ () C:\ProgramData\RUNDLL32.EXE-4928-F.txt
2014-06-11 13:07 - 2012-04-09 12:03 - 00000000 ___RD () C:\Users\adults\Dropbox
2014-06-11 13:07 - 2009-07-13 20:55 - 01819283 _____ () C:\Windows\WindowsUpdate.log
2014-06-11 13:05 - 2014-01-21 15:31 - 00006569 _____ () C:\Jumi.Log.Run
2014-06-11 12:56 - 2011-06-21 10:46 - 00000000 ____D () C:\Users\adults\AppData\Local\Temp
2014-06-11 12:50 - 2009-07-13 20:34 - 00014256 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-11 12:50 - 2009-07-13 20:34 - 00014256 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-11 12:48 - 2014-04-30 20:25 - 00000000 ____D () C:\Users\adults\AppData\Roaming\DropboxMaster
2014-06-11 12:48 - 2012-04-09 12:00 - 00000000 ____D () C:\Users\adults\AppData\Roaming\Dropbox
2014-06-11 12:43 - 2014-01-21 15:31 - 00004465 ____N () C:\Jumi.Log
2014-06-11 12:42 - 2011-06-21 10:47 - 00000000 _____ () C:\Users\adults\AppData\Local\WavXMapDrive.bat
2014-06-11 12:42 - 2009-07-13 20:39 - 00085775 _____ () C:\Windows\setupact.log
2014-06-11 10:06 - 2014-06-11 10:05 - 00000302 _____ () C:\ProgramData\RUNDLL32.EXE-3320-F.txt
2014-06-11 10:04 - 2014-06-11 10:02 - 00001270 _____ () C:\ProgramData\RUNDLL32.EXE-5668-F.txt
2014-06-11 09:58 - 2014-06-11 09:54 - 00002857 _____ () C:\ProgramData\RUNDLL32.EXE-4696-F.txt
2014-06-11 09:57 - 2011-06-21 12:12 - 00000000 ____D () C:\ProgramData\MFAData
2014-06-11 09:54 - 2014-06-11 09:54 - 00000000 ____D () C:\ProgramData\AAC1AB089BED67B21BF70EDB56F837C5
2014-06-11 08:59 - 2011-06-21 10:21 - 00000000 ____D () C:\Users\home\AppData\Local\Temp
2014-06-11 08:58 - 2011-06-21 10:21 - 00000000 _____ () C:\Users\home\AppData\Local\WavXMapDrive.bat
2014-06-11 03:32 - 2014-06-11 03:32 - 00010884 ____N () C:\Users\adults\Desktop\fcccc.TIF
2014-06-10 23:19 - 2011-06-21 10:21 - 00000000 ____D () C:\users\home
2014-06-10 22:08 - 2014-06-10 22:08 - 00000000 ____D () C:\Users\adults\AppData\Local\{2F3E01B8-C1FA-45A7-BB90-811D235B19A8}
2014-06-10 18:08 - 2011-06-29 14:06 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-06-10 18:07 - 2013-08-15 18:02 - 00000000 ____D () C:\Windows\System32\MRT
2014-06-10 18:02 - 2011-06-21 13:20 - 92708840 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-06-10 09:34 - 2014-05-11 00:00 - 00000000 ____D () C:\ProgramData\TEMP
2014-06-06 21:59 - 2014-06-06 21:59 - 00000288 _____ () C:\Users\adults\Desktop\Messages Molly Lines.url
2014-06-06 12:14 - 2011-06-22 13:32 - 00000000 ____D () C:\Users\adults\AppData\Roaming\BitTorrent
2014-06-06 10:48 - 2011-07-06 14:06 - 00000000 ____D () C:\Users\adults\Documents\ConvertXtoDVD
2014-06-06 09:35 - 2012-01-16 12:47 - 00000000 ____D () C:\Program Files\Dl_cats
2014-06-05 08:16 - 2014-06-05 08:16 - 00000000 ____D () C:\Users\adults\AppData\Local\{A8BF993C-8354-4BD2-9BE2-234BEB21881A}
2014-06-04 14:16 - 2014-06-04 14:16 - 00000000 ____D () C:\Users\adults\AppData\Local\{AE107AF7-1AD6-41A1-8F85-ADCF7AE01CF2}
2014-06-04 10:05 - 2014-06-04 10:05 - 00000328 _____ () C:\Users\adults\Desktop\CD Drive - Shortcut.lnk
2014-06-01 02:34 - 2011-06-27 01:22 - 00000000 ____D () C:\Windows\System32\Adobe
2014-06-01 02:32 - 2011-01-18 17:53 - 00234904 _____ () C:\Windows\PFRO.log
2014-05-31 00:30 - 2014-05-31 00:30 - 00001419 _____ () C:\Users\adults\Desktop\happy turkey meatloaf.txt
2014-05-25 06:24 - 2014-05-25 06:24 - 00123512 _____ (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
2014-05-25 03:53 - 2014-02-17 08:15 - 00000000 ____D () C:\Users\home\AppData\Roaming\DivX
2014-05-23 10:59 - 2014-05-23 10:59 - 00000000 ____D () C:\Users\adults\AppData\Local\{701205EE-0985-4D29-8ADD-A9164EA32A8A}
2014-05-20 15:30 - 2012-06-09 01:37 - 00000000 ____D () C:\users\Default
2014-05-19 07:48 - 2014-05-19 07:48 - 00002345 _____ () C:\Users\adults\Desktop\Mysteries of Neverville - The Runestone of Light.lnk
2014-05-19 07:47 - 2014-05-10 22:45 - 00000000 ____D () C:\Program Files\Oberon Media SIDR
2014-05-19 03:38 - 2014-05-19 03:38 - 00000000 ____D () C:\Users\adults\AppData\Local\{8842F6F9-931F-4CCA-9CC8-E46E071898B5}
2014-05-19 02:16 - 2011-07-06 14:00 - 00000671 _____ () C:\Users\adults\AppData\Roaming\vso_ts_preview.xml
2014-05-19 02:16 - 2011-07-06 13:59 - 00000000 ____D () C:\Users\adults\AppData\Roaming\Vso
2014-05-18 09:45 - 2011-06-27 00:39 - 00000000 ____D () C:\Program Files\Common Files\Adobe AIR
2014-05-15 04:16 - 2011-06-27 00:40 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-05-14 10:51 - 2014-05-14 10:51 - 00000000 ____D () C:\Users\adults\AppData\Local\{CDAABD6D-7DCD-48B4-8FBC-A0CE1D4379EB}
2014-05-13 18:02 - 2014-05-13 18:02 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-05-13 13:56 - 2012-06-06 07:42 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-05-13 13:56 - 2011-07-19 23:23 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-05-13 09:21 - 2014-05-13 09:21 - 00000000 ____D () C:\Users\adults\AppData\Local\{83786CF5-3256-4DCD-95D1-06ECA32A1585}

Files to move or delete:
====================
C:\Users\Public\AlexaNSISPlugin.125060.dll

Some content of TEMP:
====================
C:\Users\adults\AppData\Local\Temp\CmdLineExt03.dll
C:\Users\adults\AppData\Local\Temp\DivXSetup.exe
C:\Users\adults\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp40kfhr.dll
C:\Users\adults\AppData\Local\Temp\eltth.dll
C:\Users\adults\AppData\Local\Temp\InnoTab_GB_Eng_Setup.exe
C:\Users\adults\AppData\Local\Temp\JumiAutoUpdateAgent.exe
C:\Users\adults\AppData\Local\Temp\nppvw.dll
C:\Users\adults\AppData\Local\Temp\nscA995.exe
C:\Users\adults\AppData\Local\Temp\nscB970.exe
C:\Users\adults\AppData\Local\Temp\nscE9EF.exe
C:\Users\adults\AppData\Local\Temp\nss5E18.exe
C:\Users\adults\AppData\Local\Temp\nsx2588.exe
C:\Users\adults\AppData\Local\Temp\SPStub.exe
C:\Users\home\AppData\Local\Temp\CmdLineExt03.dll
C:\Users\home\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\home\AppData\Local\Temp\MSNE8CA.exe
C:\Users\home\AppData\Local\Temp\SIntf16.dll
C:\Users\home\AppData\Local\Temp\SIntf32.dll
C:\Users\home\AppData\Local\Temp\SIntfNT.dll
C:\Users\home\AppData\Local\Temp\ZDATAI51.DLL
C:\Users\home\AppData\Local\Temp\_WUTL951.DLL

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-05-25 10:00:36
Restore point made on: 2014-06-01 10:00:35
Restore point made on: 2014-06-08 10:00:46
Restore point made on: 2014-06-09 07:00:38
Restore point made on: 2014-06-10 18:00:48

==================== Memory info ===========================

Percentage of memory in use: 22%
Total physical RAM: 2045.55 MB
Available physical RAM: 1581.29 MB
Total Pagefile: 2045.55 MB
Available Pagefile: 1586.23 MB
Total Virtual: 2047.88 MB
Available Virtual: 1948.62 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:222.42 GB) (Free:86.81 GB) NTFS
Drive d: (Photos and Films) (Fixed) (Total:149.01 GB) (Free:94.95 GB) NTFS
Drive g: () (Removable) (Total:1.88 GB) (Free:1.26 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:10.29 GB) (Free:5.72 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 48000000)
Partition 1: (Not Active) - (Size=118 MB) - (Type=DE)
Partition 2: (Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=222 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 1978CDB2)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 2 GB) (Disk ID: 018DCB92)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)

LastRegBack: 2014-06-07 15:27

==================== End Of Log ============================

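The log above is the evidence a helper reads by eye: FRST's own "ATTENTION" markers, Group Policy software restrictions aimed at the McAfee, Symantec and AVG directories, Startup shortcuts and a Winmgmt service pointing at C:\ProgramData\...\*.cpp, rundll32 loading a Conduit DLL from AppData, and a second LSA authentication package. The script below is an added example, not part of the thread and not FRST's code: it turns those eyeball checks into string rules over FRST-style lines. The sample input is eight lines copied from the log above; the rule names, severities, vendor list and built-in-service list are this example's own assumptions. Note the "review" severity on the LSA line: wvauth most likely belongs to the Wave Systems software listed under Services, which is why the rule reports it for a human to confirm rather than calling it malicious.

```python
"""Triage helper for FRST.txt logs (added example, not FRST's own code).

Re-implements, as plain string rules, the checks a helper applies by eye to
the log above. Rule names, severities and the lists below are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: eight lines copied verbatim from the FRST log above,
# chosen so that every rule below has at least one hit and one miss.
SAMPLE_LOG = r"""
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKU\adults\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-07-05] (Google Inc.)
HKU\adults\...\Run: [backgroundContainer] => "C:\Windows\system32\Rundll32.exe" "C:\Users\adults\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <===== ATTENTION
Lsa: [Authentication Packages] msv1_0 wvauth
ShortcutTarget: 1lsznrj.lnk -> C:\ProgramData\jrnzsl1.cpp\jrnzsl1.cpp (Microsoft Corporation)
ShortcutTarget: explorer.lnk -> C:\ProgramData\AAC1AB089BED67B21BF70EDB56F837C5\gjdorfflq.cpp ()
S2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-19] (AVG Technologies CZ, s.r.o.)
S2 Winmgmt; C:\ProgramData\jrnzsl1.cpp\jrnzsl1.cpp [124842 2014-04-24] (Microsoft Corporation)
"""

# Assumptions: the system drive is C:, and these service names belong to
# Windows itself (Winmgmt, the WMI service, normally runs inside svchost.exe).
BUILTIN_SERVICES = {"winmgmt", "wuauserv", "bits", "eventlog", "schedule"}
AV_VENDORS = ("mcafee", "symantec", "norton", "avg", "avast", "kaspersky", "malwarebytes")
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr")
SEVERITY = {
    "frst-attention": "high",            # FRST already marked the line
    "srp-blocks-av": "high",             # software restriction aimed at AV paths
    "builtin-service-hijacked": "high",  # Windows service pointed outside C:\Windows
    "non-pe-extension": "high",          # .cpp etc. launched from a user-writable dir
    "rundll32-user-dll": "medium",       # rundll32 loading a DLL from AppData/ProgramData
    "random-hex-dir": "medium",          # 32-hex-char folder under ProgramData/AppData
    "lsa-extra-auth-package": "review",  # anything beyond msv1_0 needs a known owner
}

# A Windows path inside an FRST line: stops before a quote, a '[size date]'
# bracket, a comma, the '<=== ATTENTION' marker, a trailing '(Company)' or EOL.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[<,\n]+?(?=\s*["\[<,]|\s+\([^)]*\)\s*$|$)')
SERVICE_RE = re.compile(r"^S[0-4] (?P<name>[^;]+);")
GPO_RE = re.compile(r"^HKLM Group Policy restriction on software: (?P<path>.+?)\s*<=")
LSA_RE = re.compile(r"^Lsa: \[Authentication Packages\] (?P<pkgs>.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: str


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(seg in low for seg in ("\\programdata\\", "\\appdata\\", "\\users\\public\\"))


def check_line(line: str) -> set[str]:
    """Return the set of rule names that fire on one FRST line."""
    hits = set()
    low = line.lower()
    paths = [p.strip() for p in PATH_RE.findall(line)]

    if "ATTENTION" in line:
        hits.add("frst-attention")

    m = GPO_RE.match(line)
    if m and any(v in m.group("path").lower() for v in AV_VENDORS):
        hits.add("srp-blocks-av")

    m = SERVICE_RE.match(line)
    if m and m.group("name").lower() in BUILTIN_SERVICES and paths:
        if not paths[0].lower().startswith("c:\\windows\\"):
            hits.add("builtin-service-hijacked")

    for p in paths:
        if not is_user_writable(p):
            continue
        if not p.lower().endswith(PE_EXTENSIONS):
            hits.add("non-pe-extension")
        if any(re.fullmatch(r"[0-9a-f]{32}", part) for part in p.lower().split("\\")):
            hits.add("random-hex-dir")
        if "rundll32.exe" in low and p.lower().endswith(".dll"):
            hits.add("rundll32-user-dll")

    m = LSA_RE.match(line)
    if m and [pkg for pkg in m.group("pkgs").split() if pkg.lower() != "msv1_0"]:
        hits.add("lsa-extra-auth-package")
    return hits


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(Finding(r, SEVERITY[r], line) for r in sorted(check_line(line)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:24} {f.line[:90]}")
```

Run it against a full FRST.txt with `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`. A path under ProgramData is not evidence on its own (Trusteer Rapport's driver in the log above legitimately lives there), which is why the rules key on the file extension, on a built-in service name resolving outside the Windows directory, and on rundll32 being handed a DLL from a user-writable folder rather than on the location alone.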
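The "MBR & Partition Table" section above is FRST's summary of the first sector of each disk, and the opening post mentions a recovery tool hanging on "read MBR". When that happens it helps to be able to read and sanity-check the sector yourself. The following is an added example, not part of the original post and not FRST's code: it parses a raw 512-byte MBR into the same shape FRST prints and runs a few consistency checks. The 512-byte image is constructed to mirror Disk 0 of the log (type DE, 07 active, 07; disk ID 48000000); the LBA offsets, the bootstrap bytes and the assumption that FRST shows the NT disk signature as a little-endian DWORD are this example's own.

```python
"""Parse and sanity-check a raw MBR sector (added example, not FRST's code).

Layout of the 512-byte sector: bootstrap code [0, 0x1B8), NT disk signature
DWORD at 0x1B8, two zero bytes, four 16-byte partition entries at 0x1BE,
and the 0x55AA boot signature at 0x1FE.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE
DISK_SIG_OFFSET = 0x1B8
PART_TYPES = {
    0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux",
    0xDE: "Dell Utility", 0xEE: "GPT protective",
}


@dataclass
class Partition:
    index: int
    active: bool
    ptype: int
    lba_start: int
    sectors: int

    @property
    def size_text(self) -> str:
        mb = self.sectors * SECTOR / 2**20
        return f"{mb / 1024:.0f} GB" if mb >= 1024 else f"{mb:.0f} MB"

    @property
    def type_text(self) -> str:
        name = PART_TYPES.get(self.ptype)
        return f"{self.ptype:02X}" + (f" {name}" if name else "")


def entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # status, CHS start (3 bytes, set to the usual 'use LBA' filler), type,
    # CHS end (3 bytes), LBA of first sector, sector count; all little-endian.
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed image mirroring Disk 0 of the log: DE (118 MB, inactive),
    07 (10 GB, active), 07 (222 GB, inactive), disk ID 48000000.
    Offsets are assumptions; the first 7 bytes are the standard Microsoft
    bootstrap prologue (xor ax,ax / mov ss,ax / mov sp,7C00h) padded with NOPs."""
    per_mb = 2**20 // SECTOR
    p1 = entry(False, 0xDE, 63, 118 * per_mb)
    p2 = entry(True, 0x07, 63 + 118 * per_mb, 10 * 1024 * per_mb)
    p3 = entry(False, 0x07, 63 + 118 * per_mb + 10 * 1024 * per_mb, 222 * 1024 * per_mb)
    bootcode = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (DISK_SIG_OFFSET - 7)
    return bootcode + struct.pack("<IH", 0x48000000, 0) + p1 + p2 + p3 + bytes(16) + b"\x55\xaa"


def parse_mbr(data: bytes) -> dict:
    if len(data) < SECTOR:
        raise ValueError("need at least 512 bytes")
    disk_id, = struct.unpack_from("<I", data, DISK_SIG_OFFSET)
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", data, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return {
        "signature_ok": data[510:512] == b"\x55\xaa",
        "disk_id": f"{disk_id:08X}",
        "bootcode_present": any(data[:DISK_SIG_OFFSET]),
        "partitions": parts,
    }


def sanity_checks(parsed: dict) -> list[str]:
    """Things worth questioning before trusting the table a tool reports."""
    warnings = []
    if not parsed["signature_ok"]:
        warnings.append("missing 55AA boot signature")
    if not parsed["bootcode_present"]:
        warnings.append("bootstrap area is all zeros")
    parts = parsed["partitions"]
    if sum(p.active for p in parts) > 1:
        warnings.append("more than one active partition")
    for a in parts:
        for b in parts:
            if a.index < b.index and a.lba_start < b.lba_start + b.sectors \
                    and b.lba_start < a.lba_start + a.sectors:
                warnings.append(f"partitions {a.index} and {b.index} overlap")
    if any(p.ptype == 0xEE for p in parts):
        warnings.append("GPT protective MBR: read the GPT header, not this table")
    return warnings


def format_table(parsed: dict) -> str:
    lines = [f"Disk ID: {parsed['disk_id']}"]
    for p in parsed["partitions"]:
        state = "Active" if p.active else "Not Active"
        lines.append(f"Partition {p.index}: ({state}) - (Size={p.size_text}) - (Type={p.type_text})")
    return "\n".join(lines)


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print(format_table(mbr))
    print("warnings:", sanity_checks(mbr) or "none")
```

To check a live disk from a clean boot environment, feed `parse_mbr` the first 512 bytes of the physical device (on Windows that is `\\.\PhysicalDrive0` opened in binary mode with administrator rights, on Linux `/dev/sda`) and compare the output with the table FRST printed.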

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
