CryptoWall 3.0

I have been infected with CryptoWall 3.0. On the server, I have restored the encrypted files from a previous backup. These drives were mapped to this infected computer. I have since removed the mapping while I clean this machine out, as I understand this virus propagates through mapped drives. Is this true? I cannot wipe the computer and need assistance in cleaning.
 
I was not able to get Malwarebytes to run, so I uninstalled it and tried to reinstall, to no avail. I eventually got it to run once using mbam-clean-2.1.1.1001.exe and ran a full scan.
 
It rebooted and was unable to launch mbamgui.exe due to a software restriction policy again.
 
I tried to launch Malwarebytes manually and was unable to launch mbam.exe due to a software restriction policy again.
 
I uninstalled using the Malwarebytes cleaner and tried to re-install Malwarebytes again, and it would not install. No error provided. The install process did not start.
 
I have a paid corporate license for all of our computers and I have not yet had a response via email. I am not sure if I am still infected.
 
 
So far these are the tools I have tried (I realize I should have posted prior to attempting to clean. I apologize). Logs are attached as well; FRST.txt and addition.txt are in the body of this post below.
 
combofix
rkill
smitfraud
hijack this
jrt
tds killer 
malwarebytes rootkit
spyware scan
online eset scan (see attached log along with logs for the above)
 
 
After running the full scan with 1.75, it came up with one PUP (this PUP was from one of the tools I copied from my flash drive and has not been executed yet); see below:
 
Malwarebytes Anti-Malware (Corporate) 1.75.0.1300
 
Database version: v2015.02.28.06
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
gml1337 :: GLORIA2-XP [administrator]
 
Protection: Enabled
 
2/28/2015 6:55:32 PM
mbam-log-2015-02-28 (18-55-32).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 467736
Time elapsed: 59 minute(s), 32 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Documents and Settings\GML1337\Desktop\2-28-15\flash drive\Virus\Unlocker1.9.2.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
 
(end)
 
__________________________________________________________________________________________
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-02-2015 01
Ran by gml1337 (administrator) on GLORIA2-XP on 28-02-2015 12:54:40
Running from C:\Documents and Settings\GML1337\Desktop\2-28-15
Loaded Profiles: gml1337 (Available profiles: CMS0113 & gml1337 & Administrator & PJC0714)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Symantec Corporation) C:\Program Files\Symantec AntiVirus\Smc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Symantec Corporation) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
(Symantec Corporation) C:\Program Files\Symantec AntiVirus\SmcGui.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [igfxhkcmd] => C:\WINDOWS\system32\hkcmd.exe [77824 2006-03-23] (Intel Corporation)
HKLM\...\Run: [igfxpers] => C:\WINDOWS\system32\igfxpers.exe [118784 2006-03-23] (Intel Corporation)
HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115560 2010-04-28] (Symantec Corporation)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [1] => X:\temp\Chris\2-28-15\glo\Chameleon\Windows\mbam-chameleon.exe [761656 2014-10-01] (MalwareBytes) <===== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKU\S-1-5-21-2545601776-398900742-3236737263-1146\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-04-26] (Google Inc.)
Startup: C:\Documents and Settings\GML1337\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Documents and Settings\GML1337\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Documents and Settings\GML1337\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Documents and Settings\GML1337\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torconnectpaycom/10gRY7z
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2545601776-398900742-3236737263-1146\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2545601776-398900742-3236737263-1146\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-2545601776-398900742-3236737263-1146 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @ei.CouponAlert_2p.com/Plugin -> C:\Program Files\CouponAlert_2pEI\Installr\1.bin\NP2pEISB.dll No File
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-11]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-02-21]
 
Chrome: 
=======
CHR Profile: C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-09-02]
CHR Extension: (Google Docs) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-20]
CHR Extension: (Google Drive) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-20]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-02]
CHR Extension: (YouTube) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-20]
CHR Extension: (Google Search) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-20]
CHR Extension: (Google Sheets) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-09-02]
CHR Extension: (Google Wallet) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-20]
CHR Extension: (Gmail) - C:\Documents and Settings\GML1337\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-20]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-04-28] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-04-28] (Symantec Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2012-02-21] (Sun Microsystems, Inc.)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2009-07-13] (Symantec Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
R2 SmcService; C:\Program Files\Symantec AntiVirus\Smc.exe [1864888 2010-04-28] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec AntiVirus\SNAC.EXE [341320 2010-04-28] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2477304 2010-04-28] (Symantec Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2004-12-13] (Adaptec, Inc.) [File not signed]
S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23888 2010-04-28] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-08] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [54360 2015-02-28] (Malwarebytes Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130405.069\NAVENG.SYS [93296 2013-01-16] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130405.069\NAVEX15.SYS [1603824 2013-01-16] (Symantec Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2010-04-28] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [281648 2010-04-28] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [320560 2010-04-28] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43696 2010-04-28] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [124976 2010-04-29] (Symantec Corporation)
S3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26416 2010-04-28] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188080 2010-04-28] (Symantec Corporation)
R3 catchme; \??\C:\DOCUME~1\GML1337\LOCALS~1\Temp\catchme.sys [X]
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 mbr; \??\C:\ComboFix\mbr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-28 12:54 - 2015-02-28 12:54 - 00000000 ____D () C:\FRST
2015-02-28 12:52 - 2015-02-28 12:52 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-28 12:52 - 2015-02-28 12:52 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2015-02-28 12:50 - 2015-02-28 12:50 - 00000591 _____ () C:\Documents and Settings\GML1337\Desktop\JRT.txt
2015-02-28 12:31 - 2015-02-28 12:55 - 00000000 ____D () C:\Documents and Settings\GML1337\Local Settings\temp
2015-02-28 12:31 - 2015-02-28 12:31 - 00007041 _____ () C:\ComboFix.txt
2015-02-28 12:31 - 2015-02-28 12:31 - 00000000 ____D () C:\Documents and Settings\PJC0714\Local Settings\temp
2015-02-28 12:31 - 2015-02-28 12:31 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2015-02-28 12:31 - 2015-02-28 12:31 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2015-02-28 12:31 - 2015-02-28 12:31 - 00000000 ____D () C:\Documents and Settings\cms0113\Local Settings\temp
2015-02-28 12:31 - 2015-02-28 12:31 - 00000000 ____D () C:\Documents and Settings\administrator\Local Settings\temp
2015-02-28 11:48 - 2015-02-28 11:55 - 00000000 ____D () C:\AdwCleaner
2015-02-28 11:12 - 2015-02-28 11:12 - 00000000 _RSHD () C:\cmdcons
2015-02-28 11:12 - 2014-12-12 09:11 - 00000211 _____ () C:\Boot.bak
2015-02-28 11:12 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2015-02-28 11:09 - 2011-06-26 01:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2015-02-28 11:09 - 2010-11-07 12:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2015-02-28 11:09 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2015-02-28 11:09 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2015-02-28 11:09 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2015-02-28 11:09 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2015-02-28 11:09 - 2000-08-30 19:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2015-02-28 11:09 - 2000-08-30 19:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2015-02-28 11:09 - 2000-08-30 19:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2015-02-28 11:08 - 2015-02-28 12:31 - 00000000 ____D () C:\Qoobox
2015-02-28 11:07 - 2015-02-28 11:29 - 00000000 ____D () C:\WINDOWS\erdnt
2015-02-28 10:08 - 2015-02-28 12:54 - 00000000 ____D () C:\Documents and Settings\GML1337\Desktop\2-28-15
2015-02-28 10:07 - 2015-02-28 10:08 - 00000046 _____ () C:\WINDOWS\wiaservc.log
2015-02-28 10:07 - 2015-02-28 10:07 - 00005264 _____ () C:\WINDOWS\setupapi.log
2015-02-28 10:07 - 2015-02-28 10:07 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-02-28 10:07 - 2015-02-28 10:07 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2015-02-28 09:17 - 2015-02-28 09:17 - 00000000 ____D () C:\Documents and Settings\GML1337\Desktop\2-28-15 backup
2015-02-27 17:32 - 2015-02-27 17:32 - 00008630 _____ () C:\Documents and Settings\GML1337\Desktop\HELP_DECRYPT.HTML
2015-02-27 17:32 - 2015-02-27 17:32 - 00004258 _____ () C:\Documents and Settings\GML1337\Desktop\HELP_DECRYPT.TXT
2015-02-27 17:32 - 2015-02-27 17:32 - 00000292 _____ () C:\Documents and Settings\GML1337\Desktop\HELP_DECRYPT.URL
2015-02-27 14:14 - 2015-02-27 14:14 - 00008630 _____ () C:\HELP_DECRYPT.HTML
2015-02-27 14:14 - 2015-02-27 14:14 - 00004258 _____ () C:\HELP_DECRYPT.TXT
2015-02-27 14:14 - 2015-02-27 14:14 - 00000292 _____ () C:\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\PJC0714\Local Settings\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\PJC0714\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\PJC0714\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\PJC0714\Application Data\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00008630 _____ () C:\Documents and Settings\GML1337\HELP_DECRYPT.HTML
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\PJC0714\Local Settings\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\PJC0714\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\PJC0714\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\PJC0714\Application Data\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00004258 _____ () C:\Documents and Settings\GML1337\HELP_DECRYPT.TXT
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\PJC0714\Local Settings\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\PJC0714\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\PJC0714\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\PJC0714\Application Data\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
2015-02-27 14:06 - 2015-02-27 14:06 - 00000292 _____ () C:\Documents and Settings\GML1337\HELP_DECRYPT.URL
2015-02-27 14:05 - 2015-02-27 14:05 - 00008630 _____ () C:\Documents and Settings\GML1337\My Documents\HELP_DECRYPT.HTML
2015-02-27 14:05 - 2015-02-27 14:05 - 00004258 _____ () C:\Documents and Settings\GML1337\My Documents\HELP_DECRYPT.TXT
2015-02-27 14:05 - 2015-02-27 14:05 - 00000292 _____ () C:\Documents and Settings\GML1337\My Documents\HELP_DECRYPT.URL
2015-02-27 14:03 - 2015-02-27 14:03 - 00008630 _____ () C:\Documents and Settings\GML1337\Local Settings\HELP_DECRYPT.HTML
2015-02-27 14:03 - 2015-02-27 14:03 - 00008630 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-27 14:03 - 2015-02-27 14:03 - 00004258 _____ () C:\Documents and Settings\GML1337\Local Settings\HELP_DECRYPT.TXT
2015-02-27 14:03 - 2015-02-27 14:03 - 00004258 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-27 14:03 - 2015-02-27 14:03 - 00000292 _____ () C:\Documents and Settings\GML1337\Local Settings\HELP_DECRYPT.URL
2015-02-27 14:03 - 2015-02-27 14:03 - 00000292 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-27 13:57 - 2015-02-27 13:57 - 00008630 _____ () C:\Documents and Settings\GML1337\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:57 - 2015-02-27 13:57 - 00004258 _____ () C:\Documents and Settings\GML1337\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:57 - 2015-02-27 13:57 - 00000292 _____ () C:\Documents and Settings\GML1337\Application Data\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\cms0113\Local Settings\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\cms0113\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\cms0113\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\cms0113\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00008630 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\cms0113\Local Settings\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\cms0113\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\cms0113\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\cms0113\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00004258 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\cms0113\Local Settings\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\cms0113\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\cms0113\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\cms0113\Application Data\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 00000292 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
2015-02-27 13:25 - 2015-02-27 13:25 - 00008630 _____ () C:\Documents and Settings\administrator\Local Settings\HELP_DECRYPT.HTML
2015-02-27 13:25 - 2015-02-27 13:25 - 00008630 _____ () C:\Documents and Settings\administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:25 - 2015-02-27 13:25 - 00008630 _____ () C:\Documents and Settings\administrator\HELP_DECRYPT.HTML
2015-02-27 13:25 - 2015-02-27 13:25 - 00008630 _____ () C:\Documents and Settings\administrator\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:25 - 2015-02-27 13:25 - 00004258 _____ () C:\Documents and Settings\administrator\Local Settings\HELP_DECRYPT.TXT
2015-02-27 13:25 - 2015-02-27 13:25 - 00004258 _____ () C:\Documents and Settings\administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:25 - 2015-02-27 13:25 - 00004258 _____ () C:\Documents and Settings\administrator\HELP_DECRYPT.TXT
2015-02-27 13:25 - 2015-02-27 13:25 - 00004258 _____ () C:\Documents and Settings\administrator\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:25 - 2015-02-27 13:25 - 00000292 _____ () C:\Documents and Settings\administrator\Local Settings\HELP_DECRYPT.URL
2015-02-27 13:25 - 2015-02-27 13:25 - 00000292 _____ () C:\Documents and Settings\administrator\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-27 13:25 - 2015-02-27 13:25 - 00000292 _____ () C:\Documents and Settings\administrator\HELP_DECRYPT.URL
2015-02-27 13:25 - 2015-02-27 13:25 - 00000292 _____ () C:\Documents and Settings\administrator\Application Data\HELP_DECRYPT.URL
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-28 12:39 - 2012-08-03 10:05 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-28 12:31 - 2010-01-11 11:46 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-28 12:28 - 2004-08-04 05:00 - 00000227 _____ () C:\WINDOWS\system.ini
2015-02-28 12:18 - 2010-01-11 11:46 - 00032486 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-28 12:07 - 2014-03-28 07:08 - 00000226 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-02-28 12:07 - 2010-04-26 17:07 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-28 12:07 - 2010-01-11 13:54 - 00000152 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2015-02-28 12:07 - 2004-08-04 05:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-28 12:01 - 2010-01-11 11:07 - 02027389 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-28 11:58 - 2010-01-11 11:06 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-02-28 11:56 - 2010-01-11 13:55 - 00000278 ___SH () C:\Documents and Settings\GML1337\ntuser.ini
2015-02-28 11:56 - 2010-01-11 13:55 - 00000000 ____D () C:\Documents and Settings\GML1337
2015-02-28 11:33 - 2010-01-11 16:47 - 00000283 _____ () C:\WINDOWS\hpbafd.ini
2015-02-28 11:30 - 2010-01-11 05:44 - 00000000 ____D () C:\WINDOWS\repair
2015-02-28 11:12 - 2010-01-11 05:50 - 00000327 __RSH () C:\boot.ini
2015-02-28 10:56 - 2010-01-11 13:55 - 00000000 __SHD () C:\WINDOWS\CSC
2015-02-28 10:19 - 2010-04-26 17:07 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-28 09:23 - 2010-01-11 05:51 - 00263824 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-02-27 16:06 - 2014-08-20 15:18 - 00032039 _____ () C:\WINDOWS\pvsw.log
2015-02-27 16:04 - 2010-01-11 16:30 - 00000000 ____D () C:\PFW
2015-02-27 14:14 - 2010-01-13 11:07 - 00000000 ____D () C:\SLIMCD
2015-02-27 14:14 - 2010-01-11 16:36 - 00000000 ____D () C:\PVSW
2015-02-27 14:06 - 2010-01-11 12:03 - 00000000 ____D () C:\Documents and Settings\PJC0714
2015-02-27 14:06 - 2010-01-11 11:46 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-02-27 14:02 - 2015-01-14 13:23 - 00000000 ____D () C:\Documents and Settings\GML1337\Desktop\ALL PO'S E-MAILED
2015-02-27 14:02 - 2013-11-20 11:56 - 00000000 ____D () C:\Documents and Settings\GML1337\Desktop\REPORTS
2015-02-27 13:57 - 2010-01-11 17:09 - 00000000 ____D () C:\Documents and Settings\GML1337\Application Data\Sun
2015-02-27 13:50 - 2013-10-25 07:49 - 00000000 ____D () C:\Documents and Settings\cms0113
2015-02-27 13:50 - 2010-01-13 10:42 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Symantec
2015-02-27 13:50 - 2010-01-11 16:47 - 00000000 ____D () C:\Documents and Settings\GML1337\Application Data\Adobe
2015-02-27 13:49 - 2010-10-22 15:47 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-02-27 13:25 - 2014-10-10 08:59 - 00000000 ____D () C:\Documents and Settings\administrator
2015-02-27 13:25 - 2010-01-11 11:09 - 00000000 ____D () C:\DELL
2015-02-20 16:43 - 2010-01-11 16:28 - 00068256 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-02-20 16:42 - 2010-01-11 15:12 - 00000000 ____D () C:\Program Files\Microsoft Office
2015-02-20 16:42 - 2010-01-11 05:52 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-02-20 00:20 - 2013-04-16 14:44 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-02-19 15:26 - 2010-01-13 10:52 - 00002399 _____ () C:\Documents and Settings\GML1337\Desktop\Crystal Reports 10 for Sage.lnk
2015-02-18 09:58 - 2014-10-13 07:18 - 00151024 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2015-02-11 03:05 - 2013-08-14 02:07 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-11 03:00 - 2010-01-11 14:59 - 113756392 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-08 15:00 - 2014-03-28 07:08 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-02-04 20:39 - 2012-04-10 11:33 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-02-04 20:39 - 2011-10-24 13:43 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-30 16:57 - 2011-09-20 13:59 - 00000668 _____ () C:\Documents and Settings\GML1337\Desktop\2013.lnk
 
==================== Files in the root of some directories =======
 
2010-01-11 16:35 - 2010-01-11 16:35 - 0000190 _____ () C:\Program Files\Common Files\psasetup.log
2015-02-27 13:57 - 2015-02-27 13:57 - 0008630 _____ () C:\Documents and Settings\GML1337\Application Data\HELP_DECRYPT.HTML
2015-02-27 13:57 - 2015-02-27 13:57 - 0046057 _____ () C:\Documents and Settings\GML1337\Application Data\HELP_DECRYPT.PNG
2015-02-27 13:57 - 2015-02-27 13:57 - 0004258 _____ () C:\Documents and Settings\GML1337\Application Data\HELP_DECRYPT.TXT
2015-02-27 13:57 - 2015-02-27 13:57 - 0000292 _____ () C:\Documents and Settings\GML1337\Application Data\HELP_DECRYPT.URL
2014-12-14 03:12 - 2014-12-14 03:12 - 0000664 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\d3d9caps.dat
2015-02-27 14:03 - 2015-02-27 14:03 - 0008630 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-27 14:03 - 2015-02-27 14:03 - 0046057 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\HELP_DECRYPT.PNG
2015-02-27 14:03 - 2015-02-27 14:03 - 0004258 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-27 14:03 - 2015-02-27 14:03 - 0000292 _____ () C:\Documents and Settings\GML1337\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-27 13:50 - 2015-02-27 13:50 - 0008630 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-02-27 13:50 - 2015-02-27 13:50 - 0046057 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-02-27 13:50 - 2015-02-27 13:50 - 0004258 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-02-27 13:50 - 2015-02-27 13:50 - 0000292 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
 
Files to move or delete:
====================
X:\temp\Chris\2-28-15\glo\Chameleon\Windows\mbam-chameleon.exe
 
 
Some zero byte size files/folders:
==========================
C:\Windows\System32\dhbavu.dll
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================
 
 
__________________________________________________________________________________
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 25-02-2015 01
Ran by gml1337 at 2015-02-28 12:55:53
Running from C:\Documents and Settings\GML1337\Desktop\2-28-15
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Symantec Endpoint Protection (Enabled - Out of date) {FB06448E-52B8-493A-90F3-E43226D3305C}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
32 Bit HP BiDi Channel Components Installer (Version: 1.1.0.2 - Hewlett-Packard) Hidden
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.0.0.0 - Adobe Systems Incorporated)
Acrobat.com (Version: 2.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.5.3.9120 - Adobe Systems Inc.)
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Broadcom Gigabit Integrated Controller (HKLM\...\{7E369B27-13E2-41A5-9879-358EE1C8B5AD}) (Version: 9.02.06 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 3.20 - Piriform)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Compliance for GoldMine (HKLM\...\ST6UNST #1) (Version:  - )
Conexant D850 56K V.9x DFVc Modem (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1) (Version:  - )
Crystal Reports 10 for Sage (HKLM\...\{A0DB4D2C-E85B-4C23-A4F2-F1B95D3C3BE8}) (Version: 10.0.0.53327 - Crystal Decisions, Inc.)
GoldMine (HKLM\...\{96EECA13-5877-46D3-AF4D-3FEE97F5F5F9}) (Version: 8.5.2.8 - FrontRange Solutions USA)
Google Chrome (HKLM\...\Google Chrome) (Version: 40.0.2214.115 - Google Inc.)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: 6.14.10.4543 - )
J2SE Runtime Environment 5.0 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0150000}) (Version: 1.5.0 - Sun Microsystems, Inc.)
Java 6 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216031FF}) (Version: 6.0.310 - Oracle)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.92 - Symantec Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office 2003 Primary Interop Assemblies (HKLM\...\{91490409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.6553.0 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{91110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Octoshape add-in for Adobe Flash Player (HKU\S-1-5-21-2545601776-398900742-3236737263-1146\...\Octoshape add-in for Adobe Flash Player) (Version:  - )
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
Pervasive PSQL OLEDB (HKLM\...\Pervasive PSQL OLEDB_is1) (Version:  - Pervasive Software)
Pervasive System Analyzer (HKLM\...\Pervasive System Analyzer) (Version:  - )
Pervasive.SQL 9 SP1 Client for Windows (9.1) (HKLM\...\{1105C4D0-518B-4223-A2DC-1F889E9D2CA9}) (Version: 9.10.999.999 - Pervasive Software Inc.)
Sage PFW 5.5 Client (HKLM\...\{44738484-F692-448F-AC67-088196EDBCCA}) (Version: 5.5 - Sage Software)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.12.01.5246 - Analog Devices)
STC Utilities (HKLM\...\STC Utilities) (Version:  - )
Symantec Endpoint Protection (HKLM\...\{2EFCC193-D915-4CCB-9201-31773A27BC06}) (Version: 11.0.5002.333 - Symantec Corporation)
Visual Studio 2005 Tools for Office Second Edition Runtime (HKLM\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
28-02-2015 11:59:01 System Checkpoint
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2004-08-04 05:00 - 2015-02-28 11:27 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
 
==================== Loaded Modules (whitelisted) ==============
 
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2545601776-398900742-3236737263-1146\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\GML1337\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
DNS Servers: 192.168.1.1
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupreg: SoundMAXPnP => C:\Program Files\Analog Devices\Core\smax4pnp.exe
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-57989841-1085031214-725345543-500 - Administrator - Enabled)
Guest (S-1-5-21-57989841-1085031214-725345543-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-57989841-1085031214-725345543-1000 - Limited - Disabled)
PJC0714 (S-1-5-21-57989841-1085031214-725345543-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\PJC0714
SUPPORT_388945a0 (S-1-5-21-57989841-1085031214-725345543-1002 - Limited - Disabled)
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/28/2015 00:07:33 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.
 
Error: (02/28/2015 00:04:01 PM) (Source: AutoEnrollment) (EventID: 15) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a).  The specified server cannot perform the requested operation.
  Enrollment will not be performed.
 
Error: (02/28/2015 00:03:16 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.
 
Error: (02/28/2015 11:55:41 AM) (Source: Symantec AntiVirus) (EventID: 45) (User: SSETECHNOLOGIES)
Description: SYMANTEC TAMPER PROTECTION ALERT
 
Target:  C:\Program Files\Symantec AntiVirus\SmcGui.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\Documents and Settings\GML1337\Desktop\2-28-15\AdwCleaner.exe (PID 440)
Time:  Saturday, February 28, 2015  11:55:41 AM
 
Error: (02/28/2015 11:55:40 AM) (Source: Symantec AntiVirus) (EventID: 45) (User: SSETECHNOLOGIES)
Description: SYMANTEC TAMPER PROTECTION ALERT
 
Target:  C:\Program Files\Symantec AntiVirus\SmcGui.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\Documents and Settings\GML1337\Desktop\2-28-15\AdwCleaner.exe (PID 440)
Time:  Saturday, February 28, 2015  11:55:40 AM
 
Error: (02/28/2015 11:06:13 AM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.
 
Error: (02/28/2015 11:02:38 AM) (Source: AutoEnrollment) (EventID: 15) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a).  The specified server cannot perform the requested operation.
  Enrollment will not be performed.
 
Error: (02/28/2015 11:01:55 AM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.
 
Error: (02/28/2015 10:25:55 AM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.
 
Error: (02/28/2015 10:21:07 AM) (Source: AutoEnrollment) (EventID: 15) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a).  The specified server cannot perform the requested operation.
  Enrollment will not be performed.
 
 
System errors:
=============
Error: (02/28/2015 10:11:11 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (02/28/2015 10:11:05 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (02/28/2015 09:24:17 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (02/28/2015 09:18:39 AM) (Source: DCOM) (EventID: 10005) (User: SSETECHNOLOGIES)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (02/28/2015 09:18:38 AM) (Source: DCOM) (EventID: 10005) (User: SSETECHNOLOGIES)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (02/13/2015 10:52:03 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.
 
Error: (02/13/2015 10:51:55 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.64 for the Network Card with network address 0013728DC181 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
 
 
Microsoft Office Sessions:
=========================
Error: (02/28/2015 00:56:38 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: The RPC server is unavailable.
 
Error: (02/28/2015 00:07:33 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: The RPC server is unavailable.
 
Error: (02/28/2015 00:04:01 PM) (Source: AutoEnrollment) (EventID: 15) (User: )
Description: local system0x8007003aThe specified server cannot perform the requested operation.
 
Error: (02/28/2015 00:03:16 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: The RPC server is unavailable.
 
Error: (02/28/2015 11:55:41 AM) (Source: Symantec AntiVirus) (EventID: 45) (User: SSETECHNOLOGIES)
Description: SYMANTEC TAMPER PROTECTION ALERT
 
Target:  C:\Program Files\Symantec AntiVirus\SmcGui.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\Documents and Settings\GML1337\Desktop\2-28-15\AdwCleaner.exe (PID 440)
Time:  Saturday, February 28, 2015  11:55:41 AM
 
Error: (02/28/2015 11:55:40 AM) (Source: Symantec AntiVirus) (EventID: 45) (User: SSETECHNOLOGIES)
Description: SYMANTEC TAMPER PROTECTION ALERT
 
Target:  C:\Program Files\Symantec AntiVirus\SmcGui.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\Documents and Settings\GML1337\Desktop\2-28-15\AdwCleaner.exe (PID 440)
Time:  Saturday, February 28, 2015  11:55:40 AM
 
Error: (02/28/2015 11:06:13 AM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: The RPC server is unavailable.
 
Error: (02/28/2015 11:02:38 AM) (Source: AutoEnrollment) (EventID: 15) (User: )
Description: local system0x8007003aThe specified server cannot perform the requested operation.
 
Error: (02/28/2015 11:01:55 AM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: The RPC server is unavailable.
 
Error: (02/28/2015 10:25:55 AM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: The RPC server is unavailable.
 
 
==================== Memory info =========================== 
 
Processor:  Intel® Celeron® CPU 2.66GHz
Percentage of memory in use: 43%
Total physical RAM: 2038.07 MB
Available physical RAM: 1158.29 MB
Total Pagefile: 3931.02 MB
Available Pagefile: 3385 MB
Total Virtual: 2047.88 MB
Available Virtual: 1936.44 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:149.04 GB) (Free:133.63 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive p: () (Network) (Total:55.67 GB) (Free:8.5 GB) 
Drive s: () (Network) (Total:260.16 GB) (Free:47.73 GB) 
Drive x: () (Network) (Total:260.16 GB) (Free:47.73 GB) 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: 8B653A34)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

 

eset scan log.txt
glo combofix log.txt
hijackthis.log
JRT.txt
JRT_1.txt
log.txt
online scanner.txt
rapport.txt


  • 2 months later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

