Jump to content

Ransomware'd


Recommended Posts

  • Replies 56
  • Created
  • Last Reply

Top Posters In This Topic

DrWeb is done. There were no items with the icon you showed. They all had a single blank white page icon next to them. One item, which it said was deleted, had no icon at all.

I have the options to "Select All" (or I can individually select items), "Cure" "Rename" "Move" and "Delete"

It says that there were 3 infected objects and 14 suspicious.

It deleted one of the infected and says "Incurable. Moved" for the other two.

I made the report file, and when I go to exit the program, it warns me that nothing has been done with the suspicious files.

Should I exit anyway?

Or should I do a "Select All" and "Move" ?

When I have all of the objects selected, the "Cure" button is greyed out.

Link to post
Share on other sites

Select Move.

Then post a copy of the log.

By-the-way, If laptop has a screensaver, you should turn it off until after we are all finished.

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Link to post
Share on other sites

RKreport:

RogueKiller V7.6.3 [07/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Tama06 [Admin rights]

Mode: Remove -- Date: 07/12/2012 12:17:25

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤

[sUSP PATH] {8269C180-C8B6-4486-8AEE-CAEC83FDF84B}.job @ : C:\Users\Tama06\Desktop\Gampad_Pro.exe -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS ATA Device +++++

--- User ---

[MBR] a8881ba5916fc08d980df47ee42eb746

[bSP] 476df2a6a58edcea29ab582f9f1820f3 : Windows Vista/7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 226085 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 463431680 | Size: 12189 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

Link to post
Share on other sites

DrWeb.csv:

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4FPY;Probably SCRIPT.Virus;Moved.;

xvdohukqaugtf[1].pdf;C:\Documents and Settings\Tama06\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4FPY;Exploit.PDF.2597;Deleted.;

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IFV6;Probably SCRIPT.Virus;Moved.;

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2AF;Probably SCRIPT.Virus;Moved.;

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Application Data\Temporary Internet Files\Low\Content.IE5\4FPY8SQ6;Probably SCRIPT.Virus;Invalid path to file ;

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Application Data\Temporary Internet Files\Low\Content.IE5\IFV6S1TI;Probably SCRIPT.Virus;Invalid path to file ;

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Application Data\Temporary Internet Files\Low\Content.IE5\N2AFYDCK;Probably SCRIPT.Virus;Invalid path to file ;

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4FPY8SQ6;Probably SCRIPT.Virus;Invalid path to file ;

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IFV6S1TI;Probably SCRIPT.Virus;Invalid path to file ;

getInPageJSProcess[1].htm;C:\Documents and Settings\Tama06\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2AFYDCK;Probably SCRIPT.Virus;Invalid path to file ;

00000001.@.vir;C:\Documents and Settings\Tama06\Desktop\RK_Quarantine;BackDoor.Siggen.46158;Incurable.Moved.;

00000001.@.vir;C:\Documents and Settings\Tama06\DoctorWeb\Quarantine;BackDoor.Siggen.46158;Incurable.Moved.;

muimsc.dll.vir;C:\Qoobox\Quarantine\C\Users\Tama06\AppData\Roaming;Probably Trojan.Packed;Moved.;

ohevts.dll.vir;C:\Qoobox\Quarantine\C\Users\Tama06\AppData\Roaming;Probably Trojan.Packed;Moved.;

getInPageJSProcess[1].htm;C:\Users\Tama06\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4FPY8SQ6;Probably SCRIPT.Virus;Invalid path to file ;

getInPageJSProcess[1].htm;C:\Users\Tama06\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IFV6S1TI;Probably SCRIPT.Virus;Invalid path to file ;

getInPageJSProcess[1].htm;C:\Users\Tama06\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2AFYDCK;Probably SCRIPT.Virus;Invalid path to file ;

Link to post
Share on other sites

mbam log:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.13.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tama06 :: UTANO2 [administrator]

Protection: Enabled

7/13/2012 9:56:23 AM

mbam-log-2012-07-13 (09-56-23).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 211395

Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

That is a good result from MBAM. You also got the newest version, 1.62, that is why there was the additional prompt for another Update run.

Now, then,

Online scan at F-secure

Turn off your antivirus so that it does not interfere. Leave your firewall on.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.

Follow the directions in the F-Secure page for proper Installation.

You may receive an alert on the address bar at this point to install the ActiveX control.

Click on that alert and then click "Install ActiveX component".

Read the license agreement and click "Accept".

Click "Custom Scan" and be sure the following are checked:

  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Use advanced heuristics

When the scan completes, click the "I want to decide item by item" button.

For each item found, Select "Disinfect" and click "Next".

When done, click the "Show Report" button, then copy and paste the entire report into your next reply

Re-enable your antivirus.

Step 2

Download >> Farbar's Service Scanner utility << and Save to your Desktop.

If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Admisnitrator.

If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into your reply.

Step 3

Make a new run of DDS and copy and Paste the DDS.txt + Attach.txt

Also, Tell me, Is the "ransom" rogue showing? or all gone?

If you have not installed an antivirus, and cost is an issue: Three good antivirus programs free for non-commercial home use are Avira Free Antivirus and Microsoft Security Essentials and Avast!.

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

I would suggest you get either Avira or MSE.

My sense of Avast is that it is a 'bit' too finicky.

Link to post
Share on other sites

F-Secure is currently scanning.

If by "ransom" rogue, you mean the pop up that told me where to send the money, that's been gone since before we started. When I ran MBAM after updating it the first time, before I left for Europe, it killed the file that made the message pop up.

Right now, I have Avast downloaded but have not installed it on the laptop (since you want me to disable my antivirus for most steps, anyway).

I'm curious what you mean about Avast being finicky?

Link to post
Share on other sites

Just from observations helping folks, when we needed to fully turn off Avast (to do other scans) it has been harder to do.

That is not the case with Avira antivirus.

The choice is all yours. After what I listed, you need to make sure an antivirus is installed and updated.

Never, again, be without an antivirus program.

Link to post
Share on other sites

F-Secure has been at 99% for 700,000 files...

My laptop is where I keep all my media; music, vacation photos, ebooks, PDFs, Word documents, files for work, etc... Lots of files to individually scan.

Sorry these scans are taking so long.

Thank you for sticking with me.

Link to post
Share on other sites

F-Secure Log:

Scanning Report

Friday, July 13, 2012 11:01:45 - 18:11:22

Computer name: UTANO2

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

10 malware found

Trojan.Sirefef.HD (spyware)

System (Disinfected)

Trojan.Sirefef.HC (virus)

C:\Users\Tama06\DoctorWeb\Quarantine\00000001.0.vir (Renamed & Submitted)

Trojan.Sirefef.HD (virus)

C:\Users\Tama06\Desktop\RK_Quarantine\80000000.@.vir (Not cleaned)

Java.Exploit.CVE-2010-0840.F (virus)

C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2\json\Option.class (Not cleaned)

Java.Exploit.CVE-2010-0840.F (virus)

C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2\json\Parser.class (Not cleaned)

Java.Exploit.CVE-2010-0840.F (virus)

C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2\json\SmartyPointer.class (Not cleaned)

Java.Exploit.CVE-2010-0840.F (virus)

C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2\json\ThreadParser.class (Not cleaned)

Java.Exploit.CVE-2010-0840.F (virus)

C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2\json\XML.class (Not cleaned)

Java.Exploit.CVE-2010-0840.F (virus)

C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2 (Renamed & Submitted)

Trojan.Generic.KDV.343079 (virus)

C:\Users\Tama06\Adobe\Adobe CS 5.5 Master Collection Keygen.exe (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 1354362

System: 5699

Not scanned: 265

Actions:

Disinfected: 1

Renamed: 3

Deleted: 0

Not cleaned: 6

Submitted: 3

Files not scanned:

C:\HIBERFIL.SYS

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTDIAGLOG.ETL

C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTEVENTLOG-APPLICATION.ETL

C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTEVENTLOG-SYSTEM.ETL

C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTEVENTLOG-SECURITY.ETL

C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTMSMPPSSESSION7.ETL

C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTUBPM.ETL

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG1

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG2

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG1

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG2

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG1

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG2

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG1

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG2

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG1

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG2

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM

C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\NTUSER.DAT

C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\NTUSER.DAT.LOG1

C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\NTUSER.DAT.LOG2

C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\NTUSER.DAT

C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\NTUSER.DAT.LOG1

C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\NTUSER.DAT.LOG2

C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\ROAMING\PEERNETWORKING\3E52760B1AD0567CC1165395829C0C2B148A2378.HOMEGROUPCLASSIFIER\86E353819D404D8E213E365BCDB555D4\GROUPING\DB.MDB

C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\ROAMING\PEERNETWORKING\3E52760B1AD0567CC1165395829C0C2B148A2378.HOMEGROUPCLASSIFIER\86E353819D404D8E213E365BCDB555D4\GROUPING\EDB.LOG

C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\ROAMING\PEERNETWORKING\3E52760B1AD0567CC1165395829C0C2B148A2378.HOMEGROUPCLASSIFIER\86E353819D404D8E213E365BCDB555D4\GROUPING\TMP.EDB

C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\LASTALIVE0.DAT

C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\LASTALIVE1.DAT

C:\USERS\TAMA06\NTUSER.DAT

C:\USERS\TAMA06\NTUSER.DAT.LOG1

C:\USERS\TAMA06\NTUSER.DAT.LOG2

C:\Users\Tama06\Pictures\Suit!\IMG_1443.JPG.crypt\Öæ£Îþ…_ó ›¤{¿ä/Öà¯üUåÒϬ.ý­ˆàÚ«+jÁ[©œ¡ eä’àRæ†8>ðxII祭pã•°*ZUmZ¿›¶‚ž¡†7†DɶhÁIÖj Wà#·3AOnøýÈC‹äe§&£3'8­EÊ t|_Ï9ûµ~.1„Ï)/½`´B€³zE&ÉÙGJ\”x #ì‰Òû!Ù«&¨[TwÉ´Úâð:i­'§‰ìàgÔªìÖ o›

C:\Users\Tama06\D&D\Amethyst\Carnelian.jpg.crypt\Carnelian.jpg

C:\USERS\TAMA06\APPDATA\LOCAL\TEMP\FML25F4.TMP

C:\USERS\TAMA06\APPDATA\LOCAL\TEMP\FML4073.TMP

C:\USERS\TAMA06\APPDATA\LOCAL\TEMP\~DF74FA4FF2940AEFB7.TMP

C:\USERS\TAMA06\APPDATA\LOCAL\TEMP\~DFD9A76D91605CE639.TMP

C:\USERS\TAMA06\APPDATA\LOCAL\TEMP\HSPERFDATA_TAMA06\3712

C:\USERS\TAMA06\APPDATA\LOCAL\TEMP\HSPERFDATA_TAMA06\3892

C:\USERS\TAMA06\APPDATA\LOCAL\MICROSOFT\WINDOWS\USRCLASS.DAT

C:\USERS\TAMA06\APPDATA\LOCAL\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG1

C:\USERS\TAMA06\APPDATA\LOCAL\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG2

C:\USERS\TAMA06\APPDATA\LOCAL\MICROSOFT\INTERNET EXPLORER\RECOVERY\ACTIVE\RECOVERYSTORE.{8C0BEBA5-CD0A-11E1-8D83-001F16E4E501}.DAT

C:\USERS\TAMA06\APPDATA\LOCAL\MICROSOFT\INTERNET EXPLORER\RECOVERY\ACTIVE\{8C0BEBA6-CD0A-11E1-8D83-001F16E4E501}.DAT

C:\SYSTEM VOLUME INFORMATION\SYSCACHE.HVE

C:\SYSTEM VOLUME INFORMATION\SYSCACHE.HVE.LOG1

C:\SYSTEM VOLUME INFORMATION\SYSCACHE.HVE.LOG2

C:\SYSTEM VOLUME INFORMATION\{05D40FBB-B639-11E1-B9FF-001F16E4E501}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{05D41025-B639-11E1-B9FF-001F16E4E501}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{05D41167-B639-11E1-B9FF-001F16E4E501}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{5E2CD4EB-B4B2-11E1-B09D-001F16E4E501}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{6EF27613-CC27-11E1-A3EC-001F16E4E501}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{F2EF970D-B09C-11E1-8976-001F16E4E501}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\QOOBOX\BACKENV\APPDATA.FOLDER.DAT

C:\QOOBOX\BACKENV\CACHE.FOLDER.DAT

C:\QOOBOX\BACKENV\COOKIES.FOLDER.DAT

C:\QOOBOX\BACKENV\DESKTOP.FOLDER.DAT

C:\QOOBOX\BACKENV\FAVORITES.FOLDER.DAT

C:\QOOBOX\BACKENV\HISTORY.FOLDER.DAT

C:\QOOBOX\BACKENV\LOCALAPPDATA.FOLDER.DAT

C:\QOOBOX\BACKENV\LOCALSETTINGS.FOLDER.DAT

C:\QOOBOX\BACKENV\MUSIC.FOLDER.DAT

C:\QOOBOX\BACKENV\NETHOOD.FOLDER.DAT

C:\QOOBOX\BACKENV\PERSONAL.FOLDER.DAT

C:\QOOBOX\BACKENV\PICTURES.FOLDER.DAT

C:\QOOBOX\BACKENV\PRINTHOOD.FOLDER.DAT

C:\QOOBOX\BACKENV\PROFILES.FOLDER.DAT

C:\QOOBOX\BACKENV\PROFILES.FOLDER.FOLDER.DAT

C:\QOOBOX\BACKENV\PROGRAMS.FOLDER.DAT

C:\QOOBOX\BACKENV\RECENT.FOLDER.DAT

C:\QOOBOX\BACKENV\SENDTO.FOLDER.DAT

C:\QOOBOX\BACKENV\SETPATH.BAT

C:\QOOBOX\BACKENV\STARTMENU.FOLDER.DAT

C:\QOOBOX\BACKENV\STARTUP.FOLDER.DAT

C:\QOOBOX\BACKENV\SYSPATH.DAT

C:\QOOBOX\BACKENV\TEMPLATES.FOLDER.DAT

C:\QOOBOX\BACKENV\VIKPEV00

C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\IMPSERVICE925A3ACA-C353-458A-AC8D-A7E5EB378092.LOCK

C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\SCANS\HISTORY\CACHEMANAGER\MPSFC.BIN

C:\PROGRAMDATA\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\MSS.LOG

C:\PROGRAMDATA\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\MSSTMP.LOG

C:\PROGRAMDATA\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\TMP.EDB

C:\PROGRAMDATA\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\WINDOWS.EDB

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0023A09930FCB1F1F059D14EB0DE492A_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\004E32627294529491480FBBE153EF24_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\015C1F80A7403708A4AB1861181999E1_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\037E042A34815B40C14F16B223D34F25_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\054D86EF426DE41AD0E8309DA00567D4_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\059178C90CC53A035DE5C895C49DEA03_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\05A7D7FE9669EB11C031FC43D1CB92E2_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0751E435D121D1AD0D7B91963CC4D423_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0A8039BFEA011916597091AFD866DAFC_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0AA4B30D56E05E01D74915D2C4DB4859_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0D2667727A0457329E1735092B10D2AC_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0DFBE1E2370FFBE97F455F1EEAD364A4_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0E673C390E5297994D6CAA36B646C461_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1047AE68586FA7C6D9FCC6B32624F742_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\13D7B92FB2DF1CD27B3F4FFF77E62B46_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\14844233771F299EDEDE2792E2A180C8_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\149B507FBE1950DA996A2F1EED60C958_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\166F283D260533A264024012995F60A0_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\173E8C9282BD6D65812067113E351717_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\18A08BF6A58AFDB303726B28BF4CADC4_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\19DDEA38175492BE7B36A7DFFFA31FFC_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1AF83DF7D91FA59936C049AFE97B874A_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1CFDC3D09EA28AE2B367AF6B9795296D_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1F05682064715BE44E8CE54DFB6F3088_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1FDF5CBF381017DF5FB5BF857A7AD47F_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\22FECBEB81BC20D93F99FFC6BEA8392D_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\24D352DB46D72D90AFFD7C58DB1DCEF5_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\254479635196FA256872654206AF9F14_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\25F311F0AEE6E9B10F8428BB631D02D7_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\26636AAF471B4CDA8CC7CD14D49808BA_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2975604C9DF2724FF598551FEC4778BB_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2A03A66999E3C5C400F0CE26A969E018_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2A704553134981FD3F727F2A54AD1946_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2C75FA390312DB42E3B51F15CEA1295C_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2E475F1F471157F7A17A0C0117A52D1C_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2E809F8E86286FD7993BC887D1FBEE12_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2F581582DB524BF8380C88C5EF144AAD_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\307FB8FDDE71DB117A7F20C564FACD6D_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3191E9FC7AA1DA5C2921BA4C8F677BED_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\31BAB8D22518680C7BE2EBC555B30E3D_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\337D30977E796DC6858FC921CD279A6E_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\34E400EAC01A9D94780D50CB38E7EFAB_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\37305FE87B34C966E948B7D3491F8288_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\391755304035AE77C07B475E1CF880E9_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3927A91D940750998A519C2426D213C1_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AB104003FE82EA3627667C1407602D2_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AEC4C4AD99649A88A8074D67B598865_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3C3ECC43C315D6919F2E05C669FBADE4_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3DAD63AE2BF59F3D72E168B814EE6EB9_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3EEF90A787A4403D32BA427802131C43_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3C1ED5ED5A632F550DE57028C9C8F833_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\426888E4AAEE3A07B542D707363CEAC6_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\428F80A573E8B9E507B5AAC2E440F2ED_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\442EF5E848053F3C855136CC8EA11741_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\481ACC89BC2FF216D30AE5072EFA363E_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\49A189AE40786F8EE2AAA55F8DB29A51_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4A8F55427279F3A9B466D966FA062DD9_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4D5598A22F24BF4BA13462BD0C2E265E_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4F02527DC0B6ECE937CBA7BA22FF24DF_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4F88B835B4053F4117A1AAFD59C45500_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\51336723B5B0448BADBF82E1E8B2FDC9_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\514308564C3A560A7C5596BE82B8A2E6_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\53D03A2A234E0E6FB300A162BE1D1F3F_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\53FF0FFC5A343969D7BC9EAE4E8FEF9C_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\54FAC8BA6653560BC338C276C8FE64A0_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\555E78B280276C048A68F3FB8A73F905_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\5B684FC199621178166F3C7588A25BD3_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\5C37E290A11D34DC0752A0EB1A66D36C_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\5CF1724D768752E35AD707BE664E08B6_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\5EE6ABC571A4D94AA5FD91D2420C25EB_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\627FC01625EB52BC989C6534421440B8_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\63C616E66649021D3783BA97D4061823_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\66937842298C607883D958FBBB5B4F4E_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\67937AC9E6232500B12667EB1222BD65_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\68220E79D81C2B588814AB040767918A_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6C6AFF8CED042568554758E188BE94BF_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6E3C2A1D745AED18DA86E7F6F86F28BE_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6E4697765F36A792FC4A3C23A0C77B1A_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\70324271C5E9D8C3734FA000267B5E0C_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\70431BDC2CE9F58BA3E5818E76589DBB_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\71E02BECABA09080E70A4B0A07FF654C_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\722FC48E76E225207A196DC10701CEE5_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\733E2A55640F01BC53022A1EC8C29E64_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\73DB87CBF000D3A6BD02895146C8027B_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7480936C041CF339D03C27AC6AE75A10_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7C1DA611EFFDAF3DF0CAF5ABEB7F6840_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\76003A7B73E7AE8EC9F242A19FA4E8FC_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7E33A738864C0BC3279E29EBB72C4983_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\8474FAFBC70723CD6C1F01D9B5F3A366_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\86A9A40668CEDDDE7E6BB37730EB4FB7_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\86E98987559D25C1C6DBC5D737AAFD49_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\743F26E029A3ADF60F993E909E6B021D_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\87D2380D39AB7B16B7582CB39B7DDCE2_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\88A3D54A7EC9DF2EA952D65086203EFB_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\89EFC6ECD487451665DF97FED1EF54F9_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\8D27D884CD9485CF18398AA45D2279A6_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\90DF7E0EFCC9D3704BCCC3A12D5E1907_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\92A5F283970B47689631294BE03A1CFE_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\91E7B840B443BF6465B6DD07CA0101F9_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\87CCBB936B9BA1366044B2F6DB4FD2BD_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\9080802E676539FBC39C1283A5D1AC32_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7CAE54542613F4BFA1879BCC9467E7FA_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\930D9EFDA230E291251D445D60775753_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\939956C8739BC26F04056237C9265DBA_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\939FC98ADDDF9C325B53DA9156D40318_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\962A21942C55DA1A7ADA8A1F14F1462B_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\972FF1AF498B9FBF4ABE61A610C6C6DE_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\9836F5E59A45C05AA51A0D72B7096BB5_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\9C9EEE0F5C86D382F83B9E97773278AB_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\9CB24971D9AE01D36FC45E4BE25BF13E_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\95F06DF930B0E8309CE2D95ECA312DFA_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\9DFEC73AFFFED53DB5390EFE39C1873B_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\A01E454361C8AACED2C7BBF77E979859_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\A1DEAD1A79DF30F1A1C075797152C5D9_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\A3A55695D9658C2D5CAB3FECB6615626_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\9D0EB9782B6816CE2AB3C945289954B5_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\A995EBA14F2DE9C09A0C60770039A034_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\AA3886FF1F0E1F0CAAA287091D4AB8FA_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\A683196FAA727E5AD9A4384FA95A23B8_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\AA93757004905B3AA27E41A6DB3092D8_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\AC0E2E98A27C74E66667474CCF37670F_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ACB5B2A991D6CD7FB4EDD8C1CCB19BA7_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\AEEB614C384BAAE42ED3D238EA75B37C_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B148F0E2C4A123390C8A6BA6AE4DCC05_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B225661569272486EF07E857429DD0DE_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B3026D8E3C9B53C72FF1FAE86E99FD20_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B56B7286C135D241CD64396625A247E1_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B9BE975BE07E4A947AD2712ACD7D655A_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\BB7083574F7661E25F12EB1680BD0A34_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\BC78D95A6369022609750E424241994D_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\BD2CAE0A1163AE6A458478D14759F311_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\BF78867275F5E37D58B290A73BE5B510_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C53A854B5AD0F9BA0F8228D2CC745CD6_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C5B5DC68D6B635226B1FAC5984E8A97B_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C5CA4685A2C367FAFDAE9D03B3CAB891_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C6C0BCC2CA11CA5BE407C972E7D4B126_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C7120D52F5D3B4534D61A3B97C2D288A_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C7F493DCB4D5A8563E44607421D3DC11_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C836C5A242D9389B969EBB57762E9039_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C91447D127AB192758D21C520845D31E_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\CA2FDC19372176E4FB7C9687E0147394_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\CE36B79C6BA3F09F8FAC13F28971DE9E_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D109226ADBDBE0A410F7ED8A804D2F55_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D19BD41E8F8FA7F2009EE3FB0042EFDE_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D1AADD4DA52CFC5185A1FDAC873A271D_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D458ED380DBF2C57AA77E8F9F835C796_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D4778E975A9CAA0FF4EAAD35607631D1_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D5CBA3DAEB5035C2E9656E089CA1CAB6_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D6DB7D58A08D2B269550D9000D81CAED_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\DABF586E428D2363ED8BDDA15F9FDB14_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\DCCBE8FC637D4D2259870AC311133980_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E25AD1D3A9B5A6E906E869A1FC059926_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E2DEC7E0A7FBD474CF05F50D17F13BFE_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E405756E72D7E01B0B008D8709B02B1B_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E41B99674FB2FF9A946B107D18A3DBF2_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E5C23FA99E5EE6D9BB120F440BCDA67F_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E82052BEF7CE862D4CE456AC4F07A008_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E9721298D580E21C54F344993F1235E4_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\EAD0D1D8281DAA7BB67F8FA64F222EA6_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\EDF580F42DA2F5A70100A826F4AED6B5_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\EF8F3E65639EF037151FE44BB6A49A44_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\F58B69DE34FA9505A517E78A2AEA74D2_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\F654B194F57338B3A4C2C85F8B813E54_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\F71EBF847CD2CD03A8919568C2C14A4F_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\F8C6C525C1B35F71FD25901E6364486D_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\F8F7EAC9EDCAA754E82F9DFAF95DEBA1_5A0FB4E9-E40B-468F-B872-05B6345F5862

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FE53D1876D4BE31BB720DCCE105DEE3D_5A0FB4E9-E40B-468F-B872-05B6345F5862

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan all files

Scan inside archives

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2009 Product support | Send virus sample to F-Secure

F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name. This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Link to post
Share on other sites

Farbar Service Scanner Version: 08-07-2012

Ran by Tama06 (administrator) on 13-07-2012 at 18:22:35

Running from "C:\Users\Tama06\Desktop"

Microsoft Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

Link to post
Share on other sites

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Tama06 at 18:25:22 on 2012-07-13

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3003.1624 [GMT -6:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files (x86)\HP\QuickPlay\QPService.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe

C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\taskhost.exe

C:\Windows\system32\msiexec.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\vssvc.exe

C:\Windows\system32\WUDFHost.exe

c:\program files\windows defender\MpCmdRun.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb

uInternet Settings,ProxyOverride = *.local

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: hpBHO Class: {abd3b5e1-b268-407b-a150-2641dab8d898} - C:\Program Files (x86)\Common Files\Homepage Protection\HomepageProtection.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

mRun: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"

mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED

mRun: [updatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"

mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

mRun: [seagate Dashboard] C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

dPolicies-system: WallpaperStyle = 2

IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000

IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files (x86)\Amazon\Add to Wish List IE Extension\run.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{6D3FE038-DF9A-4E3D-B6AF-6141A54E2E51} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{6D3FE038-DF9A-4E3D-B6AF-6141A54E2E51}\25166756E6723702E4563747 : DhcpNameServer = 192.168.1.1

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO-X64: HP Print Enhancer - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: hpBHO Class: {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files (x86)\Common Files\Homepage Protection\HomepageProtection.dll

BHO-X64: HelloWorldBHO - No File

BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: SmartSelect - No File

BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

BHO-X64: HP Smart BHO Class - No File

TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

mRun-x64: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"

mRun-x64: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED

mRun-x64: [updatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"

mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin

mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

mRun-x64: [seagate Dashboard] C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

IE-X64: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files (x86)\Amazon\Add to Wish List IE Extension\run.htm

.

============= SERVICES / DRIVERS ===============

.

R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]

R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-7-13 44808]

R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-6-15 249648]

R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-13 655944]

R2 SeagateDashboardService;Seagate Dashboard Service;C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-6-1 14088]

R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]

R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-8-17 228408]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]

S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-6-5 257696]

S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-7-7 195336]

S3 mbamchameleon;mbamchameleon;\??\C:\Windows\system32\drivers\mbamchameleon.sys --> C:\Windows\system32\drivers\mbamchameleon.sys [?]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]

.

=============== Created Last 30 ================

.

2012-07-14 00:24:47 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{376BCB02-D8D7-4F87-8AE3-BB930CEF8D1C}\offreg.dll

2012-07-14 00:18:08 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys

2012-07-14 00:18:05 958400 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2012-07-14 00:18:00 71064 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2012-07-14 00:16:40 41224 ----a-w- C:\Windows\avastSS.scr

2012-07-14 00:15:09 -------- d-----w- C:\ProgramData\AVAST Software

2012-07-14 00:15:09 -------- d-----w- C:\Program Files\AVAST Software

2012-07-13 21:29:13 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{376BCB02-D8D7-4F87-8AE3-BB930CEF8D1C}\mpengine.dll

2012-07-13 17:01:46 -------- d-----w- C:\Users\Tama06\AppData\Roaming\f-secure

2012-07-13 17:01:34 -------- d-----w- C:\ProgramData\F-Secure

2012-07-13 15:49:09 711240 ----a-w- C:\Windows\isRS-000.tmp

2012-07-12 18:22:35 -------- d-----w- C:\Users\Tama06\DoctorWeb

2012-07-12 16:58:09 -------- d-----w- C:\$RECYCLE.BIN

2012-07-12 16:34:04 98816 ----a-w- C:\Windows\sed.exe

2012-07-12 16:34:04 518144 ----a-w- C:\Windows\SWREG.exe

2012-07-12 16:34:04 256000 ----a-w- C:\Windows\PEV.exe

2012-07-12 16:34:04 208896 ----a-w- C:\Windows\MBR.exe

2012-07-12 14:00:21 33096 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys

2012-06-27 18:23:04 -------- d-----w- C:\Users\Tama06\AppData\Roaming\Malwarebytes

2012-06-27 18:22:57 -------- d-----w- C:\ProgramData\Malwarebytes

2012-06-27 18:22:56 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-06-27 18:22:56 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-06-27 14:02:49 -------- d-----w- C:\ProgramData\529C50D800046EF3000161F1B4EB2367

2012-06-27 14:02:45 -------- d-----w- C:\Users\Tama06\AppData\Local\About

2012-06-21 13:38:13 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-21 13:37:51 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-21 13:37:24 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-21 13:37:24 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-17 06:19:09 -------- d-----w- C:\Program Files\iPod

2012-06-17 06:19:08 -------- d-----w- C:\Program Files\iTunes

2012-06-17 06:19:08 -------- d-----w- C:\Program Files (x86)\iTunes

2012-06-17 06:13:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2012-06-17 06:13:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2012-06-17 06:13:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2012-06-17 06:13:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2012-06-17 06:13:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2012-06-17 06:13:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2012-06-17 06:13:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll

.

==================== Find3M ====================

.

2012-06-06 00:52:21 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-06 00:52:21 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-05-31 18:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe

2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll

2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-05-15 01:32:33 3146752 ----a-w- C:\Windows\System32\win32k.sys

2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll

2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-04-24 05:37:37 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-04-24 05:37:37 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\System32\crypt32.dll

2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

2012-04-19 02:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2012-04-19 02:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

.

============= FINISH: 18:29:12.26 ===============

Link to post
Share on other sites

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 10/2/2011 3:35:56 PM

System Uptime: 7/13/2012 9:51:08 AM (9 hours ago)

.

Motherboard: Wistron | | 3612

Processor: Intel® Celeron® CPU 900 @ 2.20GHz | CPU | 2194/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 221 GiB total, 105.526 GiB free.

D: is FIXED (NTFS) - 12 GiB total, 2.006 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP82: 6/14/2012 9:28:44 AM - Windows Update

RP83: 6/19/2012 9:24:05 AM - Windows Update

RP84: 6/21/2012 7:36:29 AM - Windows Update

RP85: 6/26/2012 9:09:52 AM - Windows Update

RP86: 7/12/2012 9:06:45 AM - Scheduled Checkpoint

RP88: 7/13/2012 6:14:44 PM - avast! Free Antivirus Setup

RP89: 7/13/2012 6:15:15 PM - avast! Free Antivirus Setup

RP90: 7/13/2012 6:16:13 PM - avast! Free Antivirus Setup

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

7-Zip 9.20

Acrobat.com

Activate Norton Online Backup

ActiveCheck component for HP Active Support Library

Adobe Acrobat X Pro - English, Français, Deutsch

Adobe AIR

Adobe Community Help

Adobe Content Viewer

Adobe Creative Suite 5.5 Design Premium

Adobe Download Assistant

Adobe Flash Player 10 Plugin

Adobe Flash Player 11 ActiveX

Adobe Reader 9.4.6

Adobe Widget Browser

Amazon Add to Wish List IE Extension 1.2

Amazon MP3 Downloader 1.0.12

Apple Application Support

Apple Software Update

Atheros Driver Installation Program

Audacity 1.3.13 (Unicode)

avast! Free Antivirus

Bing Bar

calibre

Choice Guard

Compatibility Pack for the 2007 Office system

CyberLink DVD Suite

Dropbox

ERUNT 1.1j

GIMP 2.6.11

Homepage Protection

HP Advisor

HP Customer Experience Enhancements

HP DVD Play 3.7

HP Games

HP Quick Launch Buttons

HP Setup

HP Smart Web Printing

HP Support Assistant

HP Update

HP User Guides 0156

HP Wireless Assistant

HPAsset component for HP Active Support Library

Java Auto Updater

Java 6 Update 29

Junk Mail filter update

LabelPrint

LAME v3.98.3 for Audacity

LightScribe System Software

LIMBO

Magic Set Editor 2.0.0

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft Live Search Toolbar

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Professional Plus 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Works

Microsoft_VC80_ATL_x86

Microsoft_VC80_CRT_x86

Microsoft_VC80_MFC_x86

Microsoft_VC80_MFCLOC_x86

Microsoft_VC90_ATL_x86

Microsoft_VC90_CRT_x86

Microsoft_VC90_MFC_x86

Microsoft_VC90_MFCLOC_x86

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

muvee Reveal

PDF Settings CS5

pdfsam

PictureMover

Power2Go

PowerDirector

PowerRecover

QLBCASL

QuickTime

Realtek 8136 8168 8169 Ethernet Driver

Realtek USB 2.0 Card Reader

Seagate Dashboard

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687267) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Yahoo! Messenger

YouTube Downloader 3.4

.

==== Event Viewer Messages From Past Week ========

.

7/13/2012 9:52:36 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

7/13/2012 9:50:26 AM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.

7/13/2012 11:01:47 AM, Error: Application Popup [1060] - \??\C:\Users\Tama06\AppData\Local\Temp\OnlineScanner\Anti-Virus has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

7/12/2012 9:15:35 PM, Error: Service Control Manager [7011] - A timeout (120000 milliseconds) was reached while waiting for a transaction response from the WinDefend service.

7/12/2012 7:58:23 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.

7/12/2012 12:19:57 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.

7/12/2012 10:51:46 AM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.

7/12/2012 10:50:37 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

7/12/2012 10:49:06 AM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

.

==== End Of File ===========================

Link to post
Share on other sites

This system had some serious trojans. Sirefef (ZeroAccess) as had been noted by DrWeb Cure-it.

This is a point where you may want to consider whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Consumers – Identity Theft http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/index.html

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Help: I Got Hacked. Now What Do I Do? http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft.com/technet/community/columns/secmgmt/sm0704.mspx

Link to post
Share on other sites

Okay.

Passwords changed. Luckily, I don't use the laptop for much more than Facebook and email.

My husband does all the online bank stuff on his computer with his own accounts/passwords.

I'm actually okay with a reformat, because I've done it before on this machine.

Well, I did the installed "restore to factory-ussue," will that work again?

I'd really like to see if any of my files can be decrypted, first.

And then, of course, I'd like to know about whether my portible HD was infected/encrypted.

Can we do that?

Link to post
Share on other sites

The warning was to insure that you change all passwords, and keep a sharp eye for possible identity theft.

Now, I don't believe anything was encrypted. What indications do you have that your files have been so affected?

As to the external drive, you can connect it AND do a full scan with your antivirus on all drives, save results. Immediately followed by a full scan with MBAM on all your drives. and post results of both scans.

Link to post
Share on other sites

I have hundreds of files which now have a .crypt extension.

All my pictures, Word documents, PDFs, Excel sheets, etc.

The original file name is intact ("cat.jpg" or whatever) but the .crypt is tacked on the end and I can't open them with any programs ("cat.jpg.crypt").

On the other boards where I've read about ransomware hacks, they have located the decryption file somewhere on the computer and then used that and some decryption software to restore the files (like in this forum: http://www.bleepingcomputer.com/forums/topic457317.html/page__p__2739192#entry2739192 , where someone named "Fabian" created a program called "decrypt_birele" and used the decryption key, called cconf.txt.enc, to save the guy's files).

Link to post
Share on other sites

Avast! is still running, looks like the two scans will take all day to finish. I had to make a "Custom Scan" for Avast, because it's "Full Scan" doesn't include external drives.

I'll post reports when I get them.

Looking through my files, the ransomware didn't encrypt all my files, by far.

It looks like I caught it before it encrypted most things, in fact.

Most of what IS encrypted is also saved on my external drive (which doesn't seem to have any encrypted files on it that I've found so far).

I'll have to sort through some folders to make sure I have the back-ups, but it should be okay.

So, it looks like, all in all, I only lost about a week's worth of work on a current project, if those files can't be restored.

That's annoying, but it could be so much worse.

Thank you so much for your help!

Then, since I'm going to have to reformat this machine, I really only have one more question:

I keep my iTunes library on the laptop, and after I reformatted the laptop last year, it was a serious pain in the behind to restore my iTunes library and re-sync it with my devices.

Is there a way you know of to make that less painful?

Link to post
Share on other sites

If you reformat and then do a clean/new install, you'd have to re-install all your programs and applications, with antivirus being the first one to install.

I don't see a workaround for iTunes.

If you run this OTL custom scan, I could perhaps see the so-called crypt files in the report.

Please close any of your open windows/programs and exit; saving any open work you have.

I'd like to have you do a special run of OTL to generate some searches & a new log-report.

  • Please double-click OTL.exe otlDesktopIcon.png to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %ALLUSERSPROFILE%\Application Data\*.dll /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %APPDATA%\*.dll /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    themeui.dll
    beep.sys
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %USERPROFILE%\..|cconf;true;true;true /FP
    %USERPROFILE%\..|crypt;true;true;true /FP
    %USERPROFILE%\..|.crypt;true;true;true /FP
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on Run Scan.
  • The scan won't take long.
    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of just OTL logst

Edited by Maurice Naggar
Link to post
Share on other sites

Avast! log (full boot-time scan of all drives and removable drives):

07/14/2012 16:35

Scan of all local drives

File C:\HP\BIN\EndProcess.exe is infected by Win32:KillApp-W [PUP], Moved to chest

File C:\Music\iTunes\iTunes Media\Downloads\Bejeweled 2 + Blitz.tmp\download.app|>Payload\Bejeweled2.app\music\BeyondNetwork.caf Error 42125 {ZIP archive is corrupted.}

File C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2.0|>json\Option.class is infected by Java:Agent-ADL [Expl], Moved to chest

File C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2.0|>json\Parser.class is infected by Java:Agent-ZA [Expl], Moved to chest

File C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2.0|>json\SmartyPointer.class is infected by Java:Agent-ZB [Expl], Moved to chest

File C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2.0|>json\ThreadParser.class is infected by Java:Agent-AEH [Expl], Moved to chest

File C:\Users\Tama06\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3e2024ac-3dc94ca2.0|>json\XML.class is infected by Java:Agent-ADT [Expl], Moved to chest

File C:\Users\Tama06\Music\iTunes\iTunes Media\Downloads\Hero Academy.tmp\download.app|>Payload\itactics.app\data\UI_FacebookButton_Pressed.png Error 42125 {ZIP archive is corrupted.}

Number of searched folders: 50768

Number of tested files: 1510134

Number of infected files: 6

Link to post
Share on other sites

MBAM Full Scan (including external drives):

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.13.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tama06 :: UTANO2 [administrator]

Protection: Enabled

7/15/2012 12:35:06 AM

mbam-log-2012-07-15 (00-35-06).txt

Scan type: Full scan (C:\|D:\|G:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 479645

Time elapsed: 1 hour(s), 32 minute(s), 15 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.