I have a PC infected by CryptoWall 3.0 what are my options?


I ended up finding the link to what I believe you meant to do by running the FRST. Here are the logs from those scans.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
Ran by Mandy (administrator) on RECEPTIONIST-PC on 01-02-2015 14:07:58
Running from C:\Users\Mandy\Downloads
Loaded Profiles: Mandy &  (Available profiles: Mandy & UpdatusUser & scans & Ricoh)
Platform: Windows 7 Enterprise Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Users\Mandy\AppData\Local\Google\Chrome\Application\chrome.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Google Inc.) C:\Users\Mandy\AppData\Local\Google\Chrome\Application\chrome.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Google Inc.) C:\Users\Mandy\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Mandy\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Users\Mandy\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-27] (AVAST Software)
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [searchProtect] => \SearchProtect\bin\cltmng.exe
HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...\Run: [slimCleaner Plus] => "C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe" /minimize
HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...\Command Processor: "C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\IEUpdate\choice.exe" <===== ATTENTION!
HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [slimCleaner Plus] => "C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe" /minimize
HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Command Processor: "C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\IEUpdate\choice.exe" <===== ATTENTION!
HKU\S-1-5-18\...\Run: [searchProtect] => \SearchProtect\bin\cltmng.exe
Startup: C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tolotor.com/N3w8ix
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/?fr=befhp&type=iehp-3.15-1410
HKU\S-1-5-21-146972341-3066755719-1652322373-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
URLSearchHook: HKLM-x32 - (No Name) - {2713b394-286f-4d7c-89ea-4174eeab9f5a} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKU\S-1-5-21-146972341-3066755719-1652322373-1000 -> {483EAFD2-3741-4382-991E-C105E62D1C1F} URL = https://search.yahoo.com/search?ei=utf-8&fr=befds&p={searchTerms}&type=ieds-3.15-1410
SearchScopes: HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {483EAFD2-3741-4382-991E-C105E62D1C1F} URL = https://search.yahoo.com/search?ei=utf-8&fr=befds&p={searchTerms}&type=ieds-3.15-1410
SearchScopes: HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {9a216821-0ec5-49a3-85ac-fb72ae79a1e8} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^Y6^xdm003^S11385^us&si=CNaBqpue5MECFQcIaQodBboADw&ptb=8118F051-4EE6-407A-A63E-A19CA6A00873&ind=2014110514&n=780ce332&psa=&st=sb&searchfor={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} ->  No File
BHO-x32: No Name -> {2713b394-286f-4d7c-89ea-4174eeab9f5a} ->  No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: No Name -> {a235e1e3-6296-4710-af39-104a7faa6c7c} ->  No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name -> {f236ca79-3123-4afb-9f74-e98117ad5625} ->  No File
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM-x32 - No Name - {2713b394-286f-4d7c-89ea-4174eeab9f5a} -  No File
Toolbar: HKLM-x32 - No Name - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} -  No File
Toolbar: HKU\S-1-5-21-146972341-3066755719-1652322373-1000 -> No Name - {2713B394-286F-4D7C-89EA-4174EEAB9F5A} -  No File
Toolbar: HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {2713B394-286F-4D7C-89EA-4174EEAB9F5A} -  No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-146972341-3066755719-1652322373-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-146972341-3066755719-1652322373-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @tools.google.com/Google Update;version=3 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @tools.google.com/Google Update;version=9 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-01-22]
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://www.msn.com/?pc=AV01"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Mandy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Mandy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-06-13]
CHR Extension: (Google Drive) - C:\Users\Mandy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-06-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Mandy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-13]
CHR Extension: (YouTube) - C:\Users\Mandy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-06-13]
CHR Extension: (Google Search) - C:\Users\Mandy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-06-13]
CHR Extension: (Google Wallet) - C:\Users\Mandy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-06-13]
CHR Extension: (Gmail) - C:\Users\Mandy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-06-13]
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-01-22]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-01-22]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-22] (AVAST Software)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-01-22] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-01-22] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-01-22] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-01-22] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-01-22] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-01-22] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-01-22] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-01-22] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-02-01] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-01 14:07 - 2015-02-01 14:08 - 00014525 _____ () C:\Users\Mandy\Downloads\FRST.txt
2015-02-01 14:07 - 2015-02-01 14:07 - 00000000 ____D () C:\FRST
2015-02-01 14:06 - 2015-02-01 14:07 - 02131456 _____ (Farbar) C:\Users\Mandy\Downloads\FRST64.exe
2015-01-30 12:48 - 2015-02-01 13:41 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-30 12:47 - 2015-01-30 12:47 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-30 12:47 - 2015-01-30 12:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-30 12:47 - 2015-01-30 12:47 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-30 12:47 - 2015-01-30 12:47 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-30 12:47 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-30 12:47 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-30 12:47 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-30 12:43 - 2015-01-30 12:45 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Mandy\Downloads\mbam-setup-2.0.4.1028.exe
2015-01-27 09:24 - 2015-01-27 09:26 - 01769472 _____ () C:\Users\Mandy\Documents\Contacts web database2.accdb
2015-01-22 13:28 - 2015-01-22 13:28 - 00001924 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-01-22 13:28 - 2015-01-22 13:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-01-22 13:26 - 2015-01-28 13:26 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-01-22 13:25 - 2015-01-22 13:27 - 01050432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2015-01-22 13:25 - 2015-01-22 13:27 - 00087912 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2015-01-22 13:25 - 2015-01-22 13:24 - 00436624 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-01-22 13:25 - 2015-01-22 13:24 - 00267632 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2015-01-22 13:25 - 2015-01-22 13:24 - 00116728 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-01-22 13:25 - 2015-01-22 13:24 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-01-22 13:25 - 2015-01-22 13:24 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2015-01-22 13:25 - 2015-01-22 13:24 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2015-01-22 13:24 - 2015-01-22 13:24 - 00364512 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-01-22 13:24 - 2015-01-22 13:24 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-01-22 13:18 - 2015-01-22 13:18 - 00000000 ____D () C:\Program Files\AVAST Software
2015-01-22 12:52 - 2015-01-22 12:55 - 05006864 _____ (AVAST Software) C:\Users\Public\Desktop\avast_free_antivirus_setup_online.exe
2015-01-21 12:02 - 2015-01-21 12:02 - 00008516 _____ () C:\Users\scans\HELP_DECRYPT.HTML
2015-01-21 12:02 - 2015-01-21 12:02 - 00008516 _____ () C:\Users\scans\AppData\Local\HELP_DECRYPT.HTML
2015-01-21 12:02 - 2015-01-21 12:02 - 00008516 _____ () C:\Users\scans\AppData\HELP_DECRYPT.HTML
2015-01-21 12:02 - 2015-01-21 12:02 - 00004198 _____ () C:\Users\scans\HELP_DECRYPT.TXT
2015-01-21 12:02 - 2015-01-21 12:02 - 00004198 _____ () C:\Users\scans\AppData\Local\HELP_DECRYPT.TXT
2015-01-21 12:02 - 2015-01-21 12:02 - 00004198 _____ () C:\Users\scans\AppData\HELP_DECRYPT.TXT
2015-01-21 12:02 - 2015-01-21 12:02 - 00000268 _____ () C:\Users\scans\HELP_DECRYPT.URL
2015-01-21 12:02 - 2015-01-21 12:02 - 00000268 _____ () C:\Users\scans\AppData\Local\HELP_DECRYPT.URL
2015-01-21 12:02 - 2015-01-21 12:02 - 00000268 _____ () C:\Users\scans\AppData\HELP_DECRYPT.URL
2015-01-21 11:59 - 2015-01-21 11:59 - 00008516 _____ () C:\Users\Ricoh\HELP_DECRYPT.HTML
2015-01-21 11:59 - 2015-01-21 11:59 - 00008516 _____ () C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.HTML
2015-01-21 11:59 - 2015-01-21 11:59 - 00008516 _____ () C:\Users\Ricoh\AppData\HELP_DECRYPT.HTML
2015-01-21 11:59 - 2015-01-21 11:59 - 00004198 _____ () C:\Users\Ricoh\HELP_DECRYPT.TXT
2015-01-21 11:59 - 2015-01-21 11:59 - 00004198 _____ () C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.TXT
2015-01-21 11:59 - 2015-01-21 11:59 - 00004198 _____ () C:\Users\Ricoh\AppData\HELP_DECRYPT.TXT
2015-01-21 11:59 - 2015-01-21 11:59 - 00000268 _____ () C:\Users\Ricoh\HELP_DECRYPT.URL
2015-01-21 11:59 - 2015-01-21 11:59 - 00000268 _____ () C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.URL
2015-01-21 11:59 - 2015-01-21 11:59 - 00000268 _____ () C:\Users\Ricoh\AppData\HELP_DECRYPT.URL
2015-01-21 11:58 - 2015-01-21 11:58 - 00008516 _____ () C:\Users\Mandy\HELP_DECRYPT.HTML
2015-01-21 11:58 - 2015-01-21 11:58 - 00004198 _____ () C:\Users\Mandy\HELP_DECRYPT.TXT
2015-01-21 11:58 - 2015-01-21 11:58 - 00000268 _____ () C:\Users\Mandy\HELP_DECRYPT.URL
2015-01-21 11:57 - 2015-01-21 11:57 - 00008516 _____ () C:\Users\Mandy\Downloads\HELP_DECRYPT.HTML
2015-01-21 11:57 - 2015-01-21 11:57 - 00004198 _____ () C:\Users\Mandy\Downloads\HELP_DECRYPT.TXT
2015-01-21 11:57 - 2015-01-21 11:57 - 00000268 _____ () C:\Users\Mandy\Downloads\HELP_DECRYPT.URL
2015-01-21 11:56 - 2015-01-21 11:56 - 00004198 _____ () C:\Users\Mandy\Documents\HELP_DECRYPT.TXT
2015-01-21 10:16 - 2015-01-21 10:16 - 00008516 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-21 10:16 - 2015-01-21 10:16 - 00008516 _____ () C:\Users\Mandy\AppData\HELP_DECRYPT.HTML
2015-01-21 10:16 - 2015-01-21 10:16 - 00004198 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-21 10:16 - 2015-01-21 10:16 - 00004198 _____ () C:\Users\Mandy\AppData\HELP_DECRYPT.TXT
2015-01-21 10:16 - 2015-01-21 10:16 - 00000268 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.URL
2015-01-21 10:16 - 2015-01-21 10:16 - 00000268 _____ () C:\Users\Mandy\AppData\HELP_DECRYPT.URL
2015-01-21 10:06 - 2015-01-21 10:06 - 00008516 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.HTML
2015-01-21 10:06 - 2015-01-21 10:06 - 00004198 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.TXT
2015-01-21 10:06 - 2015-01-21 10:06 - 00000268 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.URL
2015-01-21 09:48 - 2015-01-21 09:48 - 00008516 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-21 09:48 - 2015-01-21 09:48 - 00004198 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-21 09:48 - 2015-01-21 09:48 - 00000268 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-21 09:46 - 2015-01-22 12:45 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-01-14 08:36 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 08:36 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 08:36 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 08:36 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 08:36 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-14 08:35 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 08:35 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 08:35 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 08:35 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 08:35 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 08:35 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 08:35 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 08:35 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-02 09:20 - 2015-01-02 09:20 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-01 13:51 - 2014-06-13 11:28 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-146972341-3066755719-1652322373-1000UA.job
2015-02-01 13:39 - 2009-07-13 23:45 - 00026336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-01 13:39 - 2009-07-13 23:45 - 00026336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-01 13:38 - 2011-10-11 11:18 - 01613125 _____ () C:\Windows\WindowsUpdate.log
2015-02-01 13:33 - 2011-10-11 11:34 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-01 13:33 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-01 13:33 - 2009-07-13 23:51 - 00042599 _____ () C:\Windows\setupact.log
2015-01-30 13:47 - 2010-11-20 22:47 - 00701334 _____ () C:\Windows\PFRO.log
2015-01-30 13:46 - 2014-10-21 12:37 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-30 13:23 - 2014-12-09 10:22 - 00000000 ____D () C:\Users\Mandy\Desktop\Scans
2015-01-30 12:24 - 2014-11-07 12:23 - 00000366 _____ () C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Mandy).job
2015-01-29 21:48 - 2013-03-21 15:38 - 00000000 ____D () C:\Users\Mandy\Documents\Outlook Files
2015-01-29 16:51 - 2014-06-13 11:28 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-146972341-3066755719-1652322373-1000Core.job
2015-01-28 09:26 - 2009-07-14 00:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2015-01-27 09:54 - 2014-06-13 11:29 - 00002371 _____ () C:\Users\Mandy\Desktop\Google Chrome.lnk
2015-01-22 13:30 - 2014-10-07 08:07 - 00000000 ____D () C:\Users\Mandy\AppData\Roaming\AVAST Software
2015-01-22 13:18 - 2011-10-11 15:11 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-01-22 11:06 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-21 12:02 - 2013-09-11 09:25 - 00000000 ____D () C:\Users\scans
2015-01-21 11:59 - 2013-09-11 09:24 - 00000000 ____D () C:\Users\Ricoh
2015-01-21 11:58 - 2011-10-11 11:18 - 00000000 ____D () C:\Users\Mandy
2015-01-21 11:56 - 2007-09-25 10:55 - 00000000 ____D () C:\Users\Mandy\Documents\USL Forms
2015-01-21 11:54 - 2014-04-04 09:51 - 00000000 ____D () C:\Users\Mandy\Desktop\Healthcare.gov
2015-01-21 11:46 - 2010-09-10 10:27 - 00000000 ____D () C:\Users\Mandy\Documents\United Health One
2015-01-21 11:42 - 2007-06-19 09:33 - 00000000 ____D () C:\Users\Mandy\Documents\UHC Forms
2015-01-21 11:18 - 2008-07-28 08:25 - 00000000 ____D () C:\Users\Mandy\Documents\Reliance Standard Forms
2015-01-21 11:12 - 2011-09-16 07:20 - 00000000 ____D () C:\Users\Mandy\Documents\Phone System User Guide
2015-01-21 11:12 - 2008-02-26 09:51 - 00000000 ____D () C:\Users\Mandy\Documents\New Groups
2015-01-21 11:11 - 2008-03-13 13:35 - 00000000 ___SD () C:\Users\Mandy\Documents\My Data Sources
2015-01-21 11:11 - 2008-02-26 09:53 - 00000000 ____D () C:\Users\Mandy\Documents\New Business Forms
2015-01-21 11:11 - 2008-02-26 09:52 - 00000000 ____D () C:\Users\Mandy\Documents\Mutual of Omaha
2015-01-21 10:56 - 2009-07-30 14:37 - 00000000 ____D () C:\Users\Mandy\Documents\ICHIA
2015-01-21 10:55 - 2011-09-15 08:08 - 00000000 ____D () C:\Users\Mandy\Documents\Group Quotes
2015-01-21 10:42 - 2008-01-11 08:57 - 00000000 ____D () C:\Users\Mandy\Documents\Golden Rule
2015-01-21 10:34 - 2012-06-20 08:52 - 00000000 ____D () C:\Users\Mandy\Documents\Don Hopster 5_files
2015-01-21 10:34 - 2012-06-20 08:51 - 00000000 ____D () C:\Users\Mandy\Documents\Don Hopster 4_files
2015-01-21 10:32 - 2006-10-12 09:26 - 00000000 ____D () C:\Users\Mandy\Documents\Client & Agent Database
2015-01-21 10:30 - 2008-12-08 07:58 - 00000000 ____D () C:\Users\Mandy\Documents\Best Life
2015-01-21 10:30 - 2008-06-17 07:28 - 00000000 ____D () C:\Users\Mandy\Documents\Ashley
2015-01-21 10:29 - 2010-05-12 15:19 - 00000000 ____D () C:\Users\Mandy\Documents\Arcadia
2015-01-21 10:28 - 2007-06-19 09:31 - 00000000 ____D () C:\Users\Mandy\Documents\Anthem Forms
2015-01-21 10:27 - 2009-12-11 14:12 - 00000000 ____D () C:\Users\Mandy\Documents\Allied
2015-01-21 10:27 - 2008-04-02 07:34 - 00000000 ____D () C:\Users\Mandy\Documents\Agent Licensing
2015-01-21 10:27 - 2008-03-14 09:23 - 00000000 ____D () C:\Users\Mandy\Documents\American Community
2015-01-21 10:24 - 2013-05-15 10:39 - 00000000 ____D () C:\Users\Mandy\Desktop\Anthem Renewals 2013
2015-01-21 10:14 - 2014-10-07 08:43 - 00000000 ____D () C:\Users\Mandy\AppData\Roaming\Dropbox
2015-01-21 10:14 - 2011-10-11 11:28 - 00000000 ____D () C:\Users\Mandy\AppData\Roaming\Adobe
2015-01-21 10:06 - 2011-10-11 11:18 - 00000000 ____D () C:\Users\Mandy\AppData\Local\VirtualStore
2015-01-21 10:05 - 2014-11-07 12:23 - 00000000 ____D () C:\Users\Mandy\AppData\Local\SlimWare Utilities Inc
2015-01-21 09:56 - 2014-06-13 11:28 - 00000000 ____D () C:\Users\Mandy\AppData\Local\Google
2015-01-21 09:49 - 2014-11-05 14:51 - 00000000 ____D () C:\Users\Mandy\AppData\Local\FromDocToPDF_65
2015-01-21 09:48 - 2011-10-18 07:35 - 00000000 ____D () C:\Users\Mandy\AppData\Local\Anthem
2015-01-20 14:59 - 2011-10-12 11:26 - 06586656 _____ () C:\Users\Mandy\Desktop\Client.mdb
2015-01-18 03:47 - 2009-07-14 00:08 - 00032556 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-01-18 03:24 - 2014-02-25 03:03 - 00774632 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-01-18 03:23 - 2009-07-14 00:13 - 00774632 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-16 17:18 - 2012-08-01 13:07 - 00000000 ____D () C:\Users\Mandy\AppData\Local\Deployment
2015-01-15 03:11 - 2013-08-15 02:01 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-15 03:01 - 2011-10-11 12:16 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-12 14:32 - 2014-11-22 17:44 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-11 12:24 - 2014-11-07 12:23 - 00003028 _____ () C:\Windows\System32\Tasks\SlimCleaner Plus (Scheduled Scan - Mandy)
2015-01-06 04:36 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2014-12-31 11:49 - 2014-12-31 11:49 - 0015872 _____ () C:\Users\Mandy\AppData\Roaming\chatterer.fye
2015-01-21 10:16 - 2015-01-21 10:16 - 0008516 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-21 10:16 - 2015-01-21 10:16 - 0045575 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-21 10:16 - 2015-01-21 10:16 - 0004198 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-21 10:16 - 2015-01-21 10:16 - 0000268 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.URL
2015-01-21 10:06 - 2015-01-21 10:06 - 0008516 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.HTML
2015-01-21 10:06 - 2015-01-21 10:06 - 0045575 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.PNG
2015-01-21 10:06 - 2015-01-21 10:06 - 0004198 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.TXT
2015-01-21 10:06 - 2015-01-21 10:06 - 0000268 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.URL
2015-01-21 09:48 - 2015-01-21 09:48 - 0008516 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-21 09:48 - 2015-01-21 09:48 - 0045575 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-21 09:48 - 2015-01-21 09:48 - 0004198 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-21 09:48 - 2015-01-21 09:48 - 0000268 _____ () C:\ProgramData\HELP_DECRYPT.URL
 
Some content of TEMP:
====================
C:\Users\Mandy\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp9wf4st.dll
C:\Users\Mandy\AppData\Local\Temp\nsk82DD.exe
C:\Users\Mandy\AppData\Local\Temp\SlimCleanerPlus.x64.exe
C:\Users\Mandy\AppData\Local\Temp\tmp38AB.exe
C:\Users\Mandy\AppData\Local\Temp\tmpDA.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-26 15:19
 
==================== End Of Log ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-02-2015
Ran by Mandy at 2015-02-01 14:09:19
Running from C:\Users\Mandy\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.0.0.4080 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.8.800.94 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Anthem Rate Calculator (HKLM-x32\...\{1D058419-203F-4CC7-8DC5-48D85E43C1C1}) (Version: 4.12.0.683 - WellPoint, Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.0.2208 - AVAST Software)
Dropbox (HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...\Dropbox) (Version: 2.6.24 - Dropbox, Inc.)
Dropbox (HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Dropbox) (Version: 2.6.24 - Dropbox, Inc.)
FromDocToPDF Internet Explorer Toolbar  (HKLM-x32\...\FromDocToPDF_65bar Uninstall Internet Explorer) (Version:  - Mindspark Interactive Network) <==== ATTENTION
Google Chrome (HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...\Google Chrome) (Version: 40.0.2214.93 - Google Inc.)
Google Chrome (HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Google Chrome) (Version: 40.0.2214.93 - Google Inc.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
join.me (HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...\JoinMe) (Version: 1.18.0.189 - LogMeIn, Inc.)
join.me (HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\JoinMe) (Version: 1.18.0.189 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
NVIDIA 3D Vision Controller Driver 280.19 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 280.19 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Graphics Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.06 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.2.23.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.2.23.3 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.10.0514 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.10.0514 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.43.321.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6251 - Realtek Semiconductor Corp.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{A3364707-2F53-4C83-8F68-C9877A9080C7}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (Version:  - Microsoft) Hidden
WINAllied 10.1 (HKLM-x32\...\WINAllied 10.1) (Version:  - )
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\Wldap32.dll No File
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Mandy\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Mandy\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Mandy\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Mandy\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Mandy\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
 
==================== Restore Points  =========================
 
30-01-2015 05:26:46 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {19336E88-2C5A-4247-80B6-BCE1AA621344} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-01-22] (AVAST Software)
Task: {2024912B-1F1A-402C-AF68-4455AA2FE04A} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {2484E5FB-B968-42CF-AB60-FDF7BDE30978} - System32\Tasks\{2B9CC3E8-D53F-43B1-B451-EFBB531919F4} => C:\Program Files (x86)\Anthem\IndivRateGen\bin\AnthemRates.exe [2010-04-06] (WellPoint, Inc.)
Task: {58B5FE09-9EED-4A87-B722-E2E04A985442} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {84B1CD75-FAF8-4F7A-8BC8-65EB2AA2A3B9} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-146972341-3066755719-1652322373-1000UA => C:\Users\Mandy\AppData\Local\Google\Update\GoogleUpdate.exe [2014-06-13] (Google Inc.)
Task: {9C5D3B6B-E66C-41C3-AF26-8EDE0CCF5AFD} - System32\Tasks\{E62DE645-F207-494B-B5C6-5C9E1352C651} => pcalua.exe -a D:\Setup.exe -d D:\
Task: {E23B8493-8692-4A66-99E5-9D0DAB2B74CC} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-146972341-3066755719-1652322373-1000Core => C:\Users\Mandy\AppData\Local\Google\Update\GoogleUpdate.exe [2014-06-13] (Google Inc.)
Task: {EB384F67-8174-4BB6-9AB9-A75C4DCB8F3C} - System32\Tasks\SlimCleaner Plus (Scheduled Scan - Mandy) => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-146972341-3066755719-1652322373-1000Core.job => C:\Users\Mandy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-146972341-3066755719-1652322373-1000UA.job => C:\Users\Mandy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Mandy).job => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
 
==================== Loaded Modules (whitelisted) =============
 
2012-11-20 03:02 - 2013-01-18 10:00 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2015-01-30 10:04 - 2015-01-30 10:04 - 02913280 _____ () C:\Program Files\AVAST Software\Avast\defs\15013000\algo.dll
2015-02-01 13:34 - 2015-02-01 13:34 - 02913280 _____ () C:\Program Files\AVAST Software\Avast\defs\15020100\algo.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2015-01-22 13:23 - 2015-01-22 13:24 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2015-01-27 09:54 - 2015-01-25 01:08 - 01117512 _____ () C:\Users\Mandy\AppData\Local\Google\Chrome\Application\40.0.2214.93\libglesv2.dll
2015-01-27 09:54 - 2015-01-25 01:08 - 00211272 _____ () C:\Users\Mandy\AppData\Local\Google\Chrome\Application\40.0.2214.93\libegl.dll
2015-01-27 09:54 - 2015-01-25 01:08 - 09170760 _____ () C:\Users\Mandy\AppData\Local\Google\Chrome\Application\40.0.2214.93\pdf.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\Windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Mandy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^choice.lnk => C:\Windows\pss\choice.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Mandy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk => C:\Windows\pss\Dropbox.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Mandy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Mandy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^sbunattend.lnk => C:\Windows\pss\sbunattend.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: ShopAtHomeUpdater => C:\Users\Mandy\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeUpdater.exe
MSCONFIG\startupreg: ShopAtHomeWatcher => C:\Users\Mandy\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-146972341-3066755719-1652322373-500 - Administrator - Disabled)
Guest (S-1-5-21-146972341-3066755719-1652322373-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-146972341-3066755719-1652322373-1003 - Limited - Enabled)
Mandy (S-1-5-21-146972341-3066755719-1652322373-1000 - Administrator - Enabled) => C:\Users\Mandy
Ricoh (S-1-5-21-146972341-3066755719-1652322373-1005 - Limited - Enabled) => C:\Users\Ricoh
scans (S-1-5-21-146972341-3066755719-1652322373-1004 - Limited - Enabled) => C:\Users\scans
UpdatusUser (S-1-5-21-146972341-3066755719-1652322373-1001 - Limited - Enabled) => C:\Users\UpdatusUser
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/01/2015 01:34:42 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/30/2015 01:49:01 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/30/2015 00:41:03 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program helppane.exe version 6.1.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1610
 
Start Time: 01d03cb39eb26c91
 
Termination Time: 4
 
Application Path: C:\Windows\helppane.exe
 
Report Id: f4ad96c1-a8a6-11e4-9c5f-14dae929b07f
 
Error: (01/30/2015 00:19:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/30/2015 11:27:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/30/2015 11:26:20 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/29/2015 01:12:26 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 32f0
 
Start Time: 01d03bec4dc7541a
 
Termination Time: 6822
 
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Report Id:
 
Error: (01/29/2015 01:10:44 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 5fc
 
Start Time: 01d03be9d255aeef
 
Termination Time: 5319
 
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Report Id:
 
Error: (01/29/2015 00:52:09 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 2384
 
Start Time: 01d03beb9b487241
 
Termination Time: 40
 
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Report Id:
 
Error: (01/29/2015 00:41:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 2b34
 
Start Time: 01d03bea3be159fa
 
Termination Time: 30
 
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Report Id:
 
 
System errors:
=============
Error: (02/01/2015 01:36:04 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/01/2015 01:35:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error: 
%%1069
 
Error: (02/01/2015 01:35:56 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: 
%%1330
 
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
 
Error: (01/30/2015 01:49:58 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error: 
%%1069
 
Error: (01/30/2015 01:49:58 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: 
%%1330
 
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
 
Error: (01/30/2015 01:49:03 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (01/30/2015 01:01:14 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.
 
Error: (01/30/2015 01:00:19 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.
 
Error: (01/30/2015 00:25:05 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (01/30/2015 00:21:18 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error: 
%%1069
 
 
Microsoft Office Sessions:
=========================
Error: (02/01/2015 01:34:42 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/30/2015 01:49:01 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/30/2015 00:41:03 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: helppane.exe6.1.7600.16385161001d03cb39eb26c914C:\Windows\helppane.exef4ad96c1-a8a6-11e4-9c5f-14dae929b07f
 
Error: (01/30/2015 00:19:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/30/2015 11:27:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/30/2015 11:26:20 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/29/2015 01:12:26 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE11.0.9600.1749632f001d03bec4dc7541a6822C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Error: (01/29/2015 01:10:44 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE11.0.9600.174965fc01d03be9d255aeef5319C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Error: (01/29/2015 00:52:09 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE11.0.9600.17496238401d03beb9b48724140C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Error: (01/29/2015 00:41:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE11.0.9600.174962b3401d03bea3be159fa30C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core i3-2100 CPU @ 3.10GHz
Percentage of memory in use: 47%
Total physical RAM: 4078.32 MB
Available physical RAM: 2153.71 MB
Total Pagefile: 8154.82 MB
Available Pagefile: 5963.54 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:465.66 GB) (Free:378.44 GB) NTFS
Drive e: (Network Store) (Fixed) (Total:465.76 GB) (Free:458 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 553A1D4A)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 4151F8DD)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

Before we start please read and note the following:

  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts; attachments make my work easier. There is a More reply options button that gives you an Upload Files option below, which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in the given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
Rules and policies
 
We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result in your topic being closed and any assistance withdrawn.
 
 
 
 
We can remove the infection, but your encrypted files cannot be saved at this time. Everything about this infection can be found at this link --> http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
 
 
 
Fix with Farbar Recovery Scan Tool
 


This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download the attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it in your reply.

fixlist.txt

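Editor's added example (not part of this thread, and not FRST's own code): the first entries the fixlist targets are fileless, which is why the earlier Avast and Malwarebytes scans left them in place. The CustomCLSID line in the log above has a LocalServer32 that launches rundll32.exe on a javascript: URL (mshtml.dll,RunHTMLApplication), the Poweliks technique, and the fix log that follows also removes a cmd.exe AutoRun hijack (shown by FRST as "Command Processor:") and the CryptoWall 3.0 HELP_DECRYPT notes placed in the Startup folder. The Python below runs those three checks over sample lines constructed from the logs in this thread and decodes the visible fragment of the eval() argument: every character of `epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>` is one code point above the real one, so shifting by -1 yields `document.write('<script language=`. Only that visible fragment is decoded; the 251 characters FRST truncated are not reconstructed, and the rule names are the editor's, not FRST's.

```python
"""Triage FRST log lines for the persistence entries seen in this thread.

Added example: not part of the forum thread and not FRST code.  Runs
offline on the constructed sample below, copied from the posted logs.
"""
import re

# Constructed sample: five FRST lines taken from this thread (two are benign:
# the Dropbox shell extension CLSID and the Avast update task).
SAMPLE_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?',
    r'CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Mandy\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)',
    r'HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...\Command Processor: "C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\IEUpdate\choice.exe" <===== ATTENTION!',
    r'Startup: C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()',
    r'Task: {19336E88-2C5A-4247-80B6-BCE1AA621344} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-01-22] (AVAST Software)',
]

# A LocalServer32 value that launches rundll32.exe on a javascript: URL
# (mshtml.dll,RunHTMLApplication) is the Poweliks technique: the payload lives
# in the registry value itself, so a file-based scan has nothing to quarantine.
POWELIKS_RE = re.compile(r'localserver32\s*->\s*.*?(?:javascript:|RunHTMLApplication)', re.I)
# FRST prints HKCU\Software\Microsoft\Command Processor\AutoRun as
# "Command Processor:"; cmd.exe executes that value every time it starts.
CMD_AUTORUN_RE = re.compile(r'\\Command Processor:\s*"([^"]+)"')
# CryptoWall 3.0 leaves HELP_DECRYPT.{HTML,TXT,URL,PNG} in every folder it touched.
RANSOM_NOTE_RE = re.compile(r'HELP_DECRYPT\.(?:HTML|TXT|URL|PNG)\b', re.I)
CLSID_GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# FRST truncates the value, so only the run of characters after eval(" is visible.
EVAL_FRAGMENT_RE = re.compile(r'eval\("([^"\s]+)')


def shift_decode(text, shift=1):
    """Undo a per-character code-point shift; the fragment in this log uses +1."""
    return "".join(chr(ord(c) - shift) for c in text)


def decode_poweliks_fragment(line):
    """Return the decoded, visible part of the eval() argument, or None."""
    m = EVAL_FRAGMENT_RE.search(line)
    return shift_decode(m.group(1)) if m else None


def triage(lines):
    """Return (category, detail) for every line matching a known pattern.

    Lines that match none of the patterns (e.g. the Dropbox CLSID or the
    Avast task in the sample) produce no entry.
    """
    hits = []
    for line in lines:
        if POWELIKS_RE.search(line):
            guid = CLSID_GUID_RE.search(line)
            hits.append(("poweliks_clsid", guid.group(0) if guid else line))
            continue
        m = CMD_AUTORUN_RE.search(line)
        if m:
            hits.append(("cmd_autorun", m.group(1)))
            continue
        m = RANSOM_NOTE_RE.search(line)
        if m:
            hits.append(("ransom_note", m.group(0)))
    return hits


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LINES):
        print(f"{category:15} {detail}")
    print("decoded eval() fragment:", decode_poweliks_fragment(SAMPLE_LINES[0]))
```

Save it under any name and run it with Python 3; to use it on a real FRST.txt or Addition.txt, pass the file's lines to `triage()` instead of `SAMPLE_LINES`. The decoder only proves that the visible fragment is a simple +1 shift; the truncated remainder would have to be read from the registry value itself, which is exactly what the fixlist deletes.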

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by Mandy at 2015-02-01 15:28:48 Run:1
Running from C:\Users\Mandy\Downloads
Loaded Profiles: Mandy &  (Available profiles: Mandy & UpdatusUser & scans & Ricoh)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...\Command Processor: "C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\IEUpdate\choice.exe" <===== ATTENTION!
HKU\S-1-5-21-146972341-3066755719-1652322373-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Command Processor: "C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\IEUpdate\choice.exe" <===== ATTENTION!
HKU\S-1-5-18\...\Run: [searchProtect] => \SearchProtect\bin\cltmng.exe
Startup: C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tolotor.com/N3w8ix
KLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://search.tb.ask...r={searchTerms}
SearchScopes: HKU\S-1-5-21-146972341-3066755719-1652322373-1000 -> {483EAFD2-3741-4382-991E-C105E62D1C1F} URL = http://search.tb.ask...r={searchTerms}
SearchScopes: HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {483EAFD2-3741-4382-991E-C105E62D1C1F} URL = http://search.tb.ask...r={searchTerms}
BHO-x32: No Name -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} ->  No File
BHO-x32: No Name -> {2713b394-286f-4d7c-89ea-4174eeab9f5a} ->  No File
BHO-x32: No Name -> {a235e1e3-6296-4710-af39-104a7faa6c7c} ->  No File
BHO-x32: No Name -> {f236ca79-3123-4afb-9f74-e98117ad5625} ->  No File
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM-x32 - No Name - {2713b394-286f-4d7c-89ea-4174eeab9f5a} -  No File
Toolbar: HKLM-x32 - No Name - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} -  No File
Toolbar: HKU\S-1-5-21-146972341-3066755719-1652322373-1000 -> No Name - {2713B394-286F-4D7C-89EA-4174EEAB9F5A} -  No File
Toolbar: HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {2713B394-286F-4D7C-89EA-4174EEAB9F5A} -  No File
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
2015-01-21 12:02 - 2015-01-21 12:02 - 00008516 _____ () C:\Users\scans\HELP_DECRYPT.HTML
2015-01-21 12:02 - 2015-01-21 12:02 - 00008516 _____ () C:\Users\scans\AppData\Local\HELP_DECRYPT.HTML
2015-01-21 12:02 - 2015-01-21 12:02 - 00008516 _____ () C:\Users\scans\AppData\HELP_DECRYPT.HTML
2015-01-21 12:02 - 2015-01-21 12:02 - 00004198 _____ () C:\Users\scans\HELP_DECRYPT.TXT
2015-01-21 12:02 - 2015-01-21 12:02 - 00004198 _____ () C:\Users\scans\AppData\Local\HELP_DECRYPT.TXT
2015-01-21 12:02 - 2015-01-21 12:02 - 00004198 _____ () C:\Users\scans\AppData\HELP_DECRYPT.TXT
2015-01-21 12:02 - 2015-01-21 12:02 - 00000268 _____ () C:\Users\scans\HELP_DECRYPT.URL
2015-01-21 12:02 - 2015-01-21 12:02 - 00000268 _____ () C:\Users\scans\AppData\Local\HELP_DECRYPT.URL
2015-01-21 12:02 - 2015-01-21 12:02 - 00000268 _____ () C:\Users\scans\AppData\HELP_DECRYPT.URL
2015-01-21 11:59 - 2015-01-21 11:59 - 00008516 _____ () C:\Users\Ricoh\HELP_DECRYPT.HTML
2015-01-21 11:59 - 2015-01-21 11:59 - 00008516 _____ () C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.HTML
2015-01-21 11:59 - 2015-01-21 11:59 - 00008516 _____ () C:\Users\Ricoh\AppData\HELP_DECRYPT.HTML
2015-01-21 11:59 - 2015-01-21 11:59 - 00004198 _____ () C:\Users\Ricoh\HELP_DECRYPT.TXT
2015-01-21 11:59 - 2015-01-21 11:59 - 00004198 _____ () C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.TXT
2015-01-21 11:59 - 2015-01-21 11:59 - 00004198 _____ () C:\Users\Ricoh\AppData\HELP_DECRYPT.TXT
2015-01-21 11:59 - 2015-01-21 11:59 - 00000268 _____ () C:\Users\Ricoh\HELP_DECRYPT.URL
2015-01-21 11:59 - 2015-01-21 11:59 - 00000268 _____ () C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.URL
2015-01-21 11:59 - 2015-01-21 11:59 - 00000268 _____ () C:\Users\Ricoh\AppData\HELP_DECRYPT.URL
2015-01-21 11:58 - 2015-01-21 11:58 - 00008516 _____ () C:\Users\Mandy\HELP_DECRYPT.HTML
2015-01-21 11:58 - 2015-01-21 11:58 - 00004198 _____ () C:\Users\Mandy\HELP_DECRYPT.TXT
2015-01-21 11:58 - 2015-01-21 11:58 - 00000268 _____ () C:\Users\Mandy\HELP_DECRYPT.URL
2015-01-21 11:57 - 2015-01-21 11:57 - 00008516 _____ () C:\Users\Mandy\Downloads\HELP_DECRYPT.HTML
2015-01-21 11:57 - 2015-01-21 11:57 - 00004198 _____ () C:\Users\Mandy\Downloads\HELP_DECRYPT.TXT
2015-01-21 11:57 - 2015-01-21 11:57 - 00000268 _____ () C:\Users\Mandy\Downloads\HELP_DECRYPT.URL
2015-01-21 11:56 - 2015-01-21 11:56 - 00004198 _____ () C:\Users\Mandy\Documents\HELP_DECRYPT.TXT
2015-01-21 10:16 - 2015-01-21 10:16 - 00008516 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-21 10:16 - 2015-01-21 10:16 - 00008516 _____ () C:\Users\Mandy\AppData\HELP_DECRYPT.HTML
2015-01-21 10:16 - 2015-01-21 10:16 - 00004198 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-21 10:16 - 2015-01-21 10:16 - 00004198 _____ () C:\Users\Mandy\AppData\HELP_DECRYPT.TXT
2015-01-21 10:16 - 2015-01-21 10:16 - 00000268 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.URL
2015-01-21 10:16 - 2015-01-21 10:16 - 00000268 _____ () C:\Users\Mandy\AppData\HELP_DECRYPT.URL
2015-01-21 10:06 - 2015-01-21 10:06 - 00008516 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.HTML
2015-01-21 10:06 - 2015-01-21 10:06 - 00004198 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.TXT
2015-01-21 10:06 - 2015-01-21 10:06 - 00000268 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.URL
2015-01-21 09:48 - 2015-01-21 09:48 - 00008516 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-21 09:48 - 2015-01-21 09:48 - 00004198 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-21 09:48 - 2015-01-21 09:48 - 00000268 _____ () C:\ProgramData\HELP_DECRYPT.URL
2014-12-31 11:49 - 2014-12-31 11:49 - 0015872 _____ () C:\Users\Mandy\AppData\Roaming\chatterer.fye
2015-01-21 10:16 - 2015-01-21 10:16 - 0008516 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-21 10:16 - 2015-01-21 10:16 - 0045575 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-21 10:16 - 2015-01-21 10:16 - 0004198 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-21 10:16 - 2015-01-21 10:16 - 0000268 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.URL
2015-01-21 10:06 - 2015-01-21 10:06 - 0008516 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.HTML
2015-01-21 10:06 - 2015-01-21 10:06 - 0045575 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.PNG
2015-01-21 10:06 - 2015-01-21 10:06 - 0004198 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.TXT
2015-01-21 10:06 - 2015-01-21 10:06 - 0000268 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.URL
2015-01-21 09:48 - 2015-01-21 09:48 - 0008516 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-21 09:48 - 2015-01-21 09:48 - 0045575 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-21 09:48 - 2015-01-21 09:48 - 0004198 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-21 09:48 - 2015-01-21 09:48 - 0000268 _____ () C:\ProgramData\HELP_DECRYPT.URL
C:\Users\Mandy\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp9wf4st.dll
C:\Users\Mandy\AppData\Local\Temp\nsk82DD.exe
C:\Users\Mandy\AppData\Local\Temp\SlimCleanerPlus.x64.exe
C:\Users\Mandy\AppData\Local\Temp\tmp38AB.exe
C:\Users\Mandy\AppData\Local\Temp\tmpDA.exe
CustomCLSID: HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
*****************

Processes closed successfully.
HKU\S-1-5-21-146972341-3066755719-1652322373-1000\Software\Microsoft\Command Processor\\AutoRun => value deleted successfully.
"HKU\S-1-5-21-146972341-3066755719-1652322373-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.
"HKU\S-1-5-21-146972341-3066755719-1652322373-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Command Processor\\AutoRun => value deleted successfully.

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect => value deleted successfully.

C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Mandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.

HKU\S-1-5-21-146972341-3066755719-1652322373-1000\Software\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache => value deleted successfully.

HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache => value deleted successfully.

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\{2713b394-286f-4d7c-89ea-4174eeab9f5a} => value deleted successfully.

"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.

HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found. 

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9a216821-0ec5-49a3-85ac-fb72ae79a1e8}" => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{9a216821-0ec5-49a3-85ac-fb72ae79a1e8} => Key not found. 

"HKU\S-1-5-21-146972341-3066755719-1652322373-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{483EAFD2-3741-4382-991E-C105E62D1C1F}" => Key deleted successfully.

HKCR\CLSID\{483EAFD2-3741-4382-991E-C105E62D1C1F} => Key not found. 

"HKU\S-1-5-21-146972341-3066755719-1652322373-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9a216821-0ec5-49a3-85ac-fb72ae79a1e8}" => Key deleted successfully.

HKCR\CLSID\{9a216821-0ec5-49a3-85ac-fb72ae79a1e8} => Key not found. 

"HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{483EAFD2-3741-4382-991E-C105E62D1C1F}" => Key deleted successfully.

HKCR\CLSID\{483EAFD2-3741-4382-991E-C105E62D1C1F} => Key not found. 

"HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9a216821-0ec5-49a3-85ac-fb72ae79a1e8}" => Key deleted successfully.

HKCR\CLSID\{9a216821-0ec5-49a3-85ac-fb72ae79a1e8} => Key not found. 

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E8A89AD-95D7-40EB-8D9D-083EF7066A01}" => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{0E8A89AD-95D7-40EB-8D9D-083EF7066A01} => Key not found. 

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2713b394-286f-4d7c-89ea-4174eeab9f5a}" => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{2713b394-286f-4d7c-89ea-4174eeab9f5a} => Key not found. 

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a235e1e3-6296-4710-af39-104a7faa6c7c}" => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{a235e1e3-6296-4710-af39-104a7faa6c7c} => Key not found. 

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f236ca79-3123-4afb-9f74-e98117ad5625}" => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{f236ca79-3123-4afb-9f74-e98117ad5625} => Key not found. 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value deleted successfully.

"HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}" => Key deleted successfully.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{2713b394-286f-4d7c-89ea-4174eeab9f5a} => value deleted successfully.

HKCR\Wow6432Node\CLSID\{2713b394-286f-4d7c-89ea-4174eeab9f5a} => Key not found. 

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{c66a678d-5e6c-4af9-8f57-c6192f42cf74} => value deleted successfully.

HKCR\Wow6432Node\CLSID\{c66a678d-5e6c-4af9-8f57-c6192f42cf74} => Key not found. 

HKU\S-1-5-21-146972341-3066755719-1652322373-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2713B394-286F-4D7C-89EA-4174EEAB9F5A} => value deleted successfully.

HKCR\CLSID\{2713B394-286F-4D7C-89EA-4174EEAB9F5A} => Key not found. 

HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\Toolbar: HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{{2713B394-286F-4D7C-89EA-4174EEAB9F5A} => Value not found.

HKCR\CLSID\Toolbar: HKU\S-1-5-21-146972341-3066755719-1652322373-1000-{{2713B394-286F-4D7C-89EA-4174EEAB9F5A} => Key not found. 

"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh" => Key deleted successfully.

C:\Users\scans\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\scans\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\scans\AppData\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\scans\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\scans\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\scans\AppData\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\scans\HELP_DECRYPT.URL => Moved successfully.

C:\Users\scans\AppData\Local\HELP_DECRYPT.URL => Moved successfully.

C:\Users\scans\AppData\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Ricoh\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Ricoh\AppData\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Ricoh\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Ricoh\AppData\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Ricoh\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Ricoh\AppData\Local\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Ricoh\AppData\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Mandy\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Mandy\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Mandy\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Mandy\Downloads\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Mandy\Downloads\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Mandy\Downloads\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Mandy\Documents\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Mandy\AppData\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Mandy\AppData\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Mandy\AppData\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Mandy\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.

C:\Users\Mandy\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.

C:\Users\Mandy\AppData\Local\HELP_DECRYPT.URL => Moved successfully.

C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.

C:\ProgramData\HELP_DECRYPT.TXT => Moved successfully.

C:\ProgramData\HELP_DECRYPT.URL => Moved successfully.

C:\Users\Mandy\AppData\Roaming\chatterer.fye => Moved successfully.

"C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.

C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.

"C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.TXT" => File/Directory not found.

"C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.

"C:\Users\Mandy\AppData\Local\HELP_DECRYPT.HTML" => File/Directory not found.

C:\Users\Mandy\AppData\Local\HELP_DECRYPT.PNG => Moved successfully.

"C:\Users\Mandy\AppData\Local\HELP_DECRYPT.TXT" => File/Directory not found.

"C:\Users\Mandy\AppData\Local\HELP_DECRYPT.URL" => File/Directory not found.

"C:\ProgramData\HELP_DECRYPT.HTML" => File/Directory not found.

C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.

"C:\ProgramData\HELP_DECRYPT.TXT" => File/Directory not found.

"C:\ProgramData\HELP_DECRYPT.URL" => File/Directory not found.

C:\Users\Mandy\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp9wf4st.dll => Moved successfully.

C:\Users\Mandy\AppData\Local\Temp\nsk82DD.exe => Moved successfully.

C:\Users\Mandy\AppData\Local\Temp\SlimCleanerPlus.x64.exe => Moved successfully.

C:\Users\Mandy\AppData\Local\Temp\tmp38AB.exe => Moved successfully.

C:\Users\Mandy\AppData\Local\Temp\tmpDA.exe => Moved successfully.

HKU\S-1-5-21-146972341-3066755719-1652322373-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found. 

 

 

The system needed a reboot. 

 

==== End of Fixlog 15:28:49 ====

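Two things in the FRST and Fixlog output above are worth pulling out mechanically when you triage a report like this: the HELP_DECRYPT notes, which CryptoWall drops in every directory it touched, and the CustomCLSID entry whose localserver32 launches rundll32.exe with a javascript: URL (the Poweliks-style, registry-resident loader FRST flagged). The following Python is an added example, not part of the posted logs or of FRST itself; its sample lines are constructed in the report format shown above, and the SID and the second CLSID are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the FRST report format quoted in this thread. Paths and
# the hijacked CLSID mirror the posted log; "<SID>" and the second CLSID are placeholders.
SAMPLE_FRST = r"""
2015-01-21 09:48 - 2015-01-21 09:48 - 00008516 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-21 09:48 - 2015-01-21 09:48 - 00004198 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-21 10:06 - 2015-01-21 10:06 - 00000268 _____ () C:\Users\Mandy\AppData\Local\HELP_DECRYPT.URL
2015-01-21 10:16 - 2015-01-21 10:16 - 0045575 _____ () C:\Users\Mandy\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-21 11:20 - 2015-01-21 11:20 - 00012345 _____ () C:\Users\Mandy\Documents\invoice.pdf
CustomCLSID: HKU\S-1-5-21-<SID>_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("...") <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-<SID>_Classes\CLSID\{00000000-PLACEHOLDER-0000-000000000000}\localserver32 -> C:\Program Files\Vendor\helper.exe
"""

# Dated file entry: "<created> - <modified> - <size> <attrs> (<company>) <path>"
FRST_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>\S+) \([^)]*\) (?P<path>.+)$"
)
# CryptoWall drops its ransom note in every directory it encrypted, in four formats.
RANSOM_NOTE = re.compile(r"\\HELP_DECRYPT\.(HTML|TXT|URL|PNG)$", re.IGNORECASE)
# Poweliks-style persistence: a per-user CLSID LocalServer32 running rundll32.exe javascript:
CLSID_SCRIPT = re.compile(r"\\localserver32\s*->\s*rundll32\.exe\s+javascript:", re.IGNORECASE)


def parse_file_entries(report):
    """Yield (size, path) for each dated file line in an FRST report."""
    for line in report.splitlines():
        m = FRST_FILE.match(line.strip())
        if m:
            yield int(m.group("size")), m.group("path")


def ransom_note_dirs(report):
    """Count ransom notes per directory: each directory is one CryptoWall reached."""
    dirs = Counter()
    for _, path in parse_file_entries(report):
        if RANSOM_NOTE.search(path):
            dirs[path.rsplit("\\", 1)[0]] += 1
    return dirs


def registry_script_loaders(report):
    """Return CustomCLSID lines whose LocalServer32 launches script from the registry."""
    return [line.strip() for line in report.splitlines() if CLSID_SCRIPT.search(line)]


if __name__ == "__main__":
    for directory, n in sorted(ransom_note_dirs(SAMPLE_FRST).items()):
        print(f"{n} ransom note(s) in {directory}")
    for hit in registry_script_loaders(SAMPLE_FRST):
        print("registry-resident loader:", hit)
```

The directory count is the quickest way to see how far the encryption spread across user profiles and ProgramData; the loader check catches the persistence mechanism regardless of which CLSID was hijacked.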

It seems to be back to normal. Now I know you had said the files are beyond saving... is there anything that can be done to the files that were affected, or are they just junk now? I had a bunch of scans and a client database that would be nice to be able to get back, any of it, but if not I understand. I also appreciate the help and it appears the CryptoWall is indeed gone. Thanks!


Currently there is no way to decrypt the files, so basically they are junk now.
 
 
 
Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)
 
 

Recommended reading:

 
 
MUST READ - security tips:

MUST READ - general maintenance:

The Importance of Software Updating:

 

 
In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.
 
Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

Recommended additional software:

 
 
  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to protect against many commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent the installation of additional foistware bundled in legitimate installers.
  • Adblock - to surf the web without annoying ads!
 
 

Post-cleanup procedures:

 

 
Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report. You do not need to attach it.

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
 
 


My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation: 

 

Thank you!

 
 
Stay safe,
TwinHeadedEagle   :)


  • 2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.