
Solved Department of Justice / Windows security pro

Discussion in 'Malware and Virus Removal Archive' started by adrenalinesaint, 2013/08/21.

  1. 2013/08/27, adrenalinesaint (Inactive, Thread Starter):
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-08-2013
    Ran by #2 at 2013-08-27 08:53:35 Run:1
    Running from C:\Users\#2\Desktop\ransomware
    Boot Mode: Safe Mode (with Networking)
    ==============================================

    Content of fixlist:
    *****************
    HKLM\...\Run: [SmartMenu] - D [x]
    HKCU\...\Runonce: [TopArcadeHits256] - cmd.exe /c reg delete HKCU\Software\AppDataLow\Software\toparcadehitsconfig /f [x]
    HKLM-x32\...\Run: [] - [x]
    Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
    C:\Program Files (x86)\Google\Desktop\Install\{80cee346-12d4-f5c1-e08f-c1b4f7f8ad36}
    C:\Users\#2\msconfig.exe
    C:\Users\#2\vlcplayer.exe
    C:\Users\#2\AppData\Local\Temp\HitmanPro.exe
    C:\Users\#2\AppData\Local\Temp\InstallFlashPlayer.exe
    C:\Users\#2\AppData\Local\Temp\oi_{6CAA10BF-D25E-41DE-9BA4-AD76AD18FB2E}.exe
    C:\Users\#2\AppData\Local\Temp\rtdrvmon.exe
    C:\Users\#2\AppData\Local\Temp\UNINSTALL.EXE
    C:\Users\#2\AppData\Local\Temp\is-Q960N.tmp\UninstallPromote.exe
    C:\Users\#2\AppData\Local\Temp\is-Q960N.tmp\_isetup\_shfoldr.dll
    C:\Users\#2\AppData\Local\Temp\is-N1RER.tmp\UninstallPromote.exe
    C:\Users\#2\AppData\Local\Temp\is-N1RER.tmp\_isetup\_shfoldr.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\avg-secure-search-installer.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\lip.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\PostInstall.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\Uninstall.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\vprot.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\15.4.0.5\AVG SafeGuard toolbar_toolbar.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ConfigFiles\avguidx.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ConfigFiles\MachineIdCreator.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\avgdttbx.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\AVGRewardsWorker.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\DriverInstaller.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\DriverInstaller_64.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\helper.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\log4cplusU.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\loggingserver.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\npsitesafety.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\ScriptHelper.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\SiteSafety.dll
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\ToolbarUpdater.exe
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\ViProtocol.dll
    C:\Users\#2\AppData\Local\Temp\avg_a00892\avg-secure-search-installer.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\lip.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\PostInstall.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\Uninstall.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\vprot.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\14.0.0.12\AVG SafeGuard toolbar_toolbar.dll
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ConfigFiles\avguidx.dll
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ConfigFiles\MachineIdCreator.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\avgdttbx.dll
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\AVGRewardsWorker.dll
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\DriverInstaller.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\DriverInstaller_64.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\npsitesafety.dll
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\ScriptHelper.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\SiteSafety.dll
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\ToolbarUpdater.exe
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\ViProtocol.dll
    testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
    Task: {88519575-57D0-4591-AE63-A98523D250CE} - System32\Tasks\IE10 => C:\Windows\System32\reg No File

    *****************

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SmartMenu => Value deleted successfully.
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\\TopArcadeHits256 => Value deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
    HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
    HKCR\PROTOCOLS\Handler\dssrequest => Key deleted successfully.
    HKCR\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => Key not found.
    HKCR\PROTOCOLS\Handler\sacore => Key deleted successfully.
    HKCR\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica; charset=euc-jp => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica; charset=ISO-8859-1 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS936 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS949 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS950 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica; charset=UTF-8 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica; charset=UTF8 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica;charset=euc-jp => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica;charset=ISO-8859-1 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS936 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS949 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS950 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica;charset=UTF-8 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\application/x-ica;charset=UTF8 => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    HKCR\PROTOCOLS\Filter\ica => Key deleted successfully.
    HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
    C:\Program Files (x86)\Google\Desktop\Install\{80cee346-12d4-f5c1-e08f-c1b4f7f8ad36} => Moved successfully.
    C:\Users\#2\msconfig.exe => Moved successfully.
    C:\Users\#2\vlcplayer.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\HitmanPro.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\oi_{6CAA10BF-D25E-41DE-9BA4-AD76AD18FB2E}.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\rtdrvmon.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\UNINSTALL.EXE => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\is-Q960N.tmp\UninstallPromote.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\is-Q960N.tmp\_isetup\_shfoldr.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\is-N1RER.tmp\UninstallPromote.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\is-N1RER.tmp\_isetup\_shfoldr.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\avg-secure-search-installer.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\lip.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\PostInstall.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\Uninstall.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\vprot.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ProgFiles\AVG SafeGuard toolbar\15.4.0.5\AVG SafeGuard toolbar_toolbar.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ConfigFiles\avguidx.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\ConfigFiles\MachineIdCreator.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\avgdttbx.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\AVGRewardsWorker.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\DriverInstaller.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\DriverInstaller_64.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\helper.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\log4cplusU.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\loggingserver.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\npsitesafety.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\ScriptHelper.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\SiteSafety.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\ToolbarUpdater.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a01080\CommonFiles\AVG SafeGuard toolbar\ViProtocol.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\avg-secure-search-installer.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\lip.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\PostInstall.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\Uninstall.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\vprot.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ProgFiles\AVG SafeGuard toolbar\14.0.0.12\AVG SafeGuard toolbar_toolbar.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ConfigFiles\avguidx.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\ConfigFiles\MachineIdCreator.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\avgdttbx.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\AVGRewardsWorker.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\DriverInstaller.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\DriverInstaller_64.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\npsitesafety.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\ScriptHelper.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\SiteSafety.dll => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\ToolbarUpdater.exe => Moved successfully.
    C:\Users\#2\AppData\Local\Temp\avg_a00892\CommonFiles\AVG SafeGuard toolbar\ViProtocol.dll => Moved successfully.

    The operation completed successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{88519575-57D0-4591-AE63-A98523D250CE} => Key deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{88519575-57D0-4591-AE63-A98523D250CE} => Key deleted successfully.
    C:\Windows\System32\Tasks\IE10 => Moved successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\IE10 => Key deleted successfully.

    ==== End of Fixlog ====
     
  2. 2013/08/27, adrenalinesaint (Inactive, Thread Starter):
    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-08-2013
    Ran by #2 (administrator) on 27-08-2013 08:54:21
    Running from C:\Users\#2\Desktop\ransomware
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Safe Mode (with Networking)

    ==================== Processes (Whitelisted) =================

    (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
    (McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
    HKLM\...\Run: [lxbkbmgr.exe] - C:\Program Files (x86)\Lexmark X1100 Series\lxbkbmgr.exe [74408 2008-02-28] (Lexmark International, Inc.)
    HKLM\...\Run: [McAfee Host Intrusion Prevention Tray] - \FIRETRAY.EXE" [x]
    HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
    HKLM-x32\...\RunOnce: [ (cleanup)] - rundll32.exe "C:\ProgramData\Malwarebytes' Anti-Malware (portable)\cleanup.dll ",ProcessCleanupScript "C:\ProgramData\Malwarebytes' Anti-Malware (portable)" [1563448 2013-08-07] (Malwarebytes Corporation)
    HKLM-x32\...\Run: [StartCCC] - c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [102400 2010-05-12] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [HP Software Update] - c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
    HKLM-x32\...\Run: [PDF Complete] - C:\Program Files (x86)\PDF Complete\pdfsty.exe [664600 2010-09-28] (PDF Complete Inc)
    HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [ConnectionCenter] - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [362432 2011-12-22] (Citrix Systems, Inc.)
    HKLM-x32\...\Run: [McAfeeUpdaterUI] - C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [333376 2011-11-15] (McAfee, Inc.)
    HKLM-x32\...\Run: [ShStatEXE] - C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE [215656 2012-08-14] (McAfee, Inc.)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NWepo.lnk
    ShortcutTarget: NWepo.lnk -> C:\Program Files (x86)\Network Associates\NWePO.exe ()

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.windowsbbs.com/malware-v...-justice-windows-security-pro.html#post611765
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
    SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
    SearchScopes: HKLM - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
    SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
    SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
    SearchScopes: HKLM-x32 - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
    SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130711111316.dll (McAfee, Inc.)
    BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130711111316.dll (McAfee, Inc.)
    BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO-x32: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
    BHO-x32: Advanced SystemCare Browser Protection - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\PROGRA~2\IObit\ADVANC~1\BROWER~1\ASCPLU~1.DLL (IObit)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
    DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} https://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
    DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
    DPF: HKLM-x32 {9916D178-71C8-4764-969C-95B9B67A1F76} https://onestop.nationwide.com/one-stop-web/scan/OneStopScan.CAB
    DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://nationwidenh.webex.com/client/T26L10NSP49EP9/webex/ieatgpc1.cab
    DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://agents.nationwide.com/dana-cached/sc/JuniperSetupClient.cab
    Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll "
    Winsock: Catalog5 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll "
    Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll "
    Winsock: Catalog5-x64 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll "
    Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

    ==================== Services (Whitelisted) =================

    S2 AdvancedSystemCareService6; C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [574272 2013-04-18] (IObit)
    S2 enterceptAgent; C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [641336 2011-09-12] (McAfee, Inc.)
    S2 lxbk_device; C:\Windows\system32\lxbkcoms.exe [565928 2008-02-19] ( )
    S2 McAfee SiteAdvisor Enterprise Service; C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [324928 2011-05-12] (McAfee, Inc.)
    S2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [132672 2011-11-15] (McAfee, Inc.)
    S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [201864 2013-07-11] (McAfee, Inc.)
    S2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [209760 2011-09-14] (McAfee, Inc.)
    R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208272 2011-08-09] (McAfee, Inc.)
    R2 mfevtp; C:\Windows\system32\mfevtps.exe [170440 2013-07-11] (McAfee, Inc.)
    S2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1119768 2010-09-28] (PDF Complete Inc)
    S3 hpqwmiex; "C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe" [x]

    ==================== Drivers (Whitelisted) ====================

    R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-08-20] (AVG Technologies)
    S3 FireNfcp; C:\Windows\System32\drivers\FireNfcp.sys [48840 2011-10-07] (McAfee, Inc.)
    S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [195024 2011-09-12] (McAfee, Inc.)
    S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32000 2013-08-21] ()
    S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [36680 2013-08-23] ()
    S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [36680 2013-08-23] ()
    S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [160952 2013-07-11] (McAfee, Inc.)
    S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [274880 2013-07-11] (McAfee, Inc.)
    R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481504 2011-08-16] (McAfee, Inc.)
    R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [665768 2013-07-11] (McAfee, Inc.)
    R1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75672 2011-08-16] (McAfee, Inc.)
    S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [101200 2013-07-11] (McAfee, Inc.)
    R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [303464 2013-07-11] (McAfee, Inc.)
    R1 NEOFLTR_720_21697; C:\Windows\system32\Drivers\NEOFLTR_720_21697.SYS [100728 2012-08-23] (Juniper Networks)
    R1 NEOFLTR_720_21697; C:\Windows\system32\Drivers\NEOFLTR_720_21697.SYS [100728 2012-08-23] (Juniper Networks)
    S1 A2DDA; \??\C:\Users\#2\Desktop\ransomware\Run\a2ddax64.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-08-23 09:11 - 2013-08-23 10:40 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2013-08-23 09:10 - 2013-08-23 09:10 - 00036680 _____ C:\Windows\system32\Drivers\mbamchameleon.sys
    2013-08-22 09:10 - 2013-08-22 09:10 - 00006885 _____ C:\Users\#2\Desktop\RKreport[0]_D_08222013_091052.txt
    2013-08-22 09:09 - 2013-08-22 09:09 - 00004949 _____ C:\Users\#2\Desktop\RKreport[0]_S_08222013_090932.txt
    2013-08-22 09:08 - 2013-08-22 09:15 - 00000000 ____D C:\Users\#2\Desktop\RK_Quarantine
    2013-08-21 10:51 - 2013-08-21 10:51 - 00014519 _____ C:\Users\#2\Desktop\attach.txt
    2013-08-21 10:51 - 2013-08-21 10:50 - 00017832 _____ C:\Users\#2\Desktop\dds.txt
    2013-08-21 10:37 - 2013-08-21 10:37 - 00001111 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-08-21 10:37 - 2013-08-21 10:37 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-08-21 10:37 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
    2013-08-21 10:29 - 2013-08-23 10:41 - 00017532 _____ C:\Windows\PFRO.log
    2013-08-21 09:45 - 2013-08-21 09:45 - 00032000 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
    2013-08-21 09:44 - 2013-08-21 09:44 - 00001972 _____ C:\Windows\system32\.crusader
    2013-08-21 09:10 - 2013-08-21 09:44 - 00000000 ____D C:\ProgramData\HitmanPro
    2013-08-20 17:11 - 2013-08-20 17:11 - 00083762 _____ C:\ProgramData\1377033014.bdinstall.bin
    2013-08-20 17:08 - 2013-08-20 17:08 - 00000000 ____D C:\Program Files\Common Files\Defender Pro
    2013-08-20 17:07 - 2013-08-21 09:44 - 00000000 ____D C:\Users\#2\AppData\Local\TopArcadeHits
    2013-08-20 17:07 - 2013-08-20 17:08 - 02458223 _____ C:\Users\#2\Downloads\defender_pro_ultimate.exe
    2013-08-20 17:06 - 2013-08-20 17:06 - 00045856 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx64.sys
    2013-08-20 16:54 - 2013-08-21 09:45 - 00000168 _____ C:\Windows\setupact.log
    2013-08-20 16:54 - 2013-08-20 16:54 - 00000000 _____ C:\Windows\setuperr.log
    2013-08-19 09:56 - 2013-08-19 09:56 - 00001190 _____ C:\Users\#2\AppData\Roaming\Microsoft\Windows\Start Menu\Uninstall Programs.lnk
    2013-08-19 09:56 - 2013-08-19 09:56 - 00001151 _____ C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
    2013-08-19 09:56 - 2013-08-19 09:56 - 00000000 ____D C:\ProgramData\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
    2013-08-01 11:00 - 2013-08-21 10:28 - 00000000 ____D C:\Program Files (x86)\IObit
    2013-08-01 11:00 - 2013-08-21 10:25 - 00000000 ____D C:\Users\#2\AppData\Roaming\IObit
    2013-08-01 11:00 - 2013-08-21 09:16 - 00000000 ____D C:\ProgramData\IObit
    2013-08-01 10:37 - 2013-08-01 10:37 - 00000821 _____ C:\AdwCleaner[R2].txt
    2013-07-30 09:02 - 2013-07-30 09:02 - 00002214 _____ C:\Users\Public\Desktop\Google Earth.lnk

    ==================== One Month Modified Files and Folders =======

    2013-08-27 08:53 - 2011-05-13 09:39 - 00000000 ____D C:\Users\#2
    2013-08-26 09:34 - 2013-08-26 09:34 - 00000000 ____D C:\FRST
    2013-08-23 10:46 - 2009-07-14 01:13 - 00727136 _____ C:\Windows\system32\PerfStringBackup.INI
    2013-08-23 10:41 - 2013-08-21 10:29 - 00017532 _____ C:\Windows\PFRO.log
    2013-08-23 10:40 - 2013-08-23 09:11 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2013-08-23 09:10 - 2013-08-23 09:10 - 00036680 _____ C:\Windows\system32\Drivers\mbamchameleon.sys
    2013-08-22 09:31 - 2011-06-07 15:07 - 00000000 ____D C:\Users\#2\AppData\Local\CrashDumps
    2013-08-22 09:19 - 2011-03-02 15:37 - 01293335 _____ C:\Windows\WindowsUpdate.log
    2013-08-22 09:15 - 2013-08-22 09:08 - 00000000 ____D C:\Users\#2\Desktop\RK_Quarantine
    2013-08-22 09:10 - 2013-08-22 09:10 - 00006885 _____ C:\Users\#2\Desktop\RKreport[0]_D_08222013_091052.txt
    2013-08-22 09:09 - 2013-08-22 09:09 - 00004949 _____ C:\Users\#2\Desktop\RKreport[0]_S_08222013_090932.txt
    2013-08-21 10:51 - 2013-08-21 10:51 - 00014519 _____ C:\Users\#2\Desktop\attach.txt
    2013-08-21 10:50 - 2013-08-21 10:51 - 00017832 _____ C:\Users\#2\Desktop\dds.txt
    2013-08-21 10:37 - 2013-08-21 10:37 - 00001111 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-08-21 10:37 - 2013-08-21 10:37 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-08-21 10:28 - 2013-08-01 11:00 - 00000000 ____D C:\Program Files (x86)\IObit
    2013-08-21 10:25 - 2013-08-01 11:00 - 00000000 ____D C:\Users\#2\AppData\Roaming\IObit
    2013-08-21 09:46 - 2011-05-26 09:18 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-08-21 09:45 - 2013-08-21 09:45 - 00032000 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
    2013-08-21 09:45 - 2013-08-20 16:54 - 00000168 _____ C:\Windows\setupact.log
    2013-08-21 09:45 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2013-08-21 09:44 - 2013-08-21 09:44 - 00001972 _____ C:\Windows\system32\.crusader
    2013-08-21 09:44 - 2013-08-21 09:10 - 00000000 ____D C:\ProgramData\HitmanPro
    2013-08-21 09:44 - 2013-08-20 17:07 - 00000000 ____D C:\Users\#2\AppData\Local\TopArcadeHits
    2013-08-21 09:19 - 2012-05-22 09:03 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-08-21 09:16 - 2013-08-01 11:00 - 00000000 ____D C:\ProgramData\IObit
    2013-08-21 09:16 - 2011-05-13 10:10 - 00000000 ____D C:\Users\#2\AppData\Roaming\ICAClient
    2013-08-21 09:16 - 2011-05-13 09:45 - 00000000 ___RD C:\Users\#2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    2013-08-21 09:16 - 2011-03-02 15:58 - 00000000 ____D C:\ProgramData\RoxioNow
    2013-08-21 09:16 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Defender
    2013-08-21 09:16 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
    2013-08-21 09:16 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\AppCompat
    2013-08-20 17:11 - 2013-08-20 17:11 - 00083762 _____ C:\ProgramData\1377033014.bdinstall.bin
    2013-08-20 17:08 - 2013-08-20 17:08 - 00000000 ____D C:\Program Files\Common Files\Defender Pro
    2013-08-20 17:08 - 2013-08-20 17:07 - 02458223 _____ C:\Users\#2\Downloads\defender_pro_ultimate.exe
    2013-08-20 17:06 - 2013-08-20 17:06 - 00045856 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx64.sys
    2013-08-20 17:00 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Resources
    2013-08-20 16:54 - 2013-08-20 16:54 - 00000000 _____ C:\Windows\setuperr.log
    2013-08-20 16:47 - 2011-07-18 09:03 - 00000000 ____D C:\Windows\Minidump
    2013-08-20 16:47 - 2011-05-13 10:57 - 00000000 ____D C:\Users\#2\Desktop\desktop docs
    2013-08-20 15:48 - 2009-07-14 00:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-08-20 15:48 - 2009-07-14 00:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-08-20 15:43 - 2011-05-13 11:02 - 00000000 ____D C:\Users\#2\AppData\Roaming\SoftGrid Client
    2013-08-20 15:14 - 2011-05-26 09:18 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-08-20 09:28 - 2011-09-26 10:14 - 00000000 ____D C:\Quarantine
    2013-08-19 09:56 - 2013-08-19 09:56 - 00001190 _____ C:\Users\#2\AppData\Roaming\Microsoft\Windows\Start Menu\Uninstall Programs.lnk
    2013-08-19 09:56 - 2013-08-19 09:56 - 00001151 _____ C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
    2013-08-19 09:56 - 2013-08-19 09:56 - 00000000 ____D C:\ProgramData\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
    2013-08-19 09:56 - 2012-08-27 13:44 - 00000000 ____D C:\Users\#2\AppData\Roaming\Apple Computer
    2013-08-16 11:04 - 2011-06-29 10:39 - 00000000 ____D C:\Users\#2\AppData\Local\Paint.NET
    2013-08-15 10:05 - 2011-03-02 15:58 - 00000000 ____D C:\ProgramData\PDFC
    2013-08-13 15:04 - 2011-08-12 09:09 - 00003210 _____ C:\Windows\System32\Tasks\HPCeeScheduleFor2-HP$
    2013-08-13 15:04 - 2011-08-12 09:09 - 00000334 _____ C:\Windows\Tasks\HPCeeScheduleFor2-HP$.job
    2013-08-13 09:22 - 2012-01-08 04:02 - 00003168 _____ C:\Windows\System32\Tasks\HPCeeScheduleFor#2
    2013-08-13 09:22 - 2012-01-08 04:02 - 00000320 _____ C:\Windows\Tasks\HPCeeScheduleFor#2.job
    2013-08-01 10:37 - 2013-08-01 10:37 - 00000821 _____ C:\AdwCleaner[R2].txt
    2013-07-31 16:01 - 2011-05-26 09:17 - 00000000 ____D C:\Users\#2\AppData\Local\Google
    2013-07-31 16:01 - 2011-05-26 09:17 - 00000000 ____D C:\Program Files (x86)\Google
    2013-07-31 10:18 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
    2013-07-30 09:02 - 2013-07-30 09:02 - 00002214 _____ C:\Users\Public\Desktop\Google Earth.lnk

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


    LastRegBack: 2013-08-13 17:31

    ==================== End Of Log ============================
     

  4. 2013/08/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Create a new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart the computer in Safe Mode.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done, Notepad will open with the rKill.txt log.
    NOTE. The rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
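
    The two precautions in the post above, a fresh restore point and the ability to fall back to it, can be scripted before any removal tool is run. The block below is an added example; it is not part of broni's instructions and not code from ComboFix, Rkill or FRST. It assumes an elevated PowerShell prompt on Windows 7 or 8 (Checkpoint-Computer is a client-SKU cmdlet), and the backup folder name is an assumption. Besides the restore point, it exports the autorun registry keys that the FRST and ComboFix logs in this thread inspect, so any entry a tool removes can be reviewed, or put back by hand, from a .reg file.

```powershell
# Added example (not from the original thread): snapshot the machine before running
# removal tools, so the "use the restore point you created" fallback is actually available.
# Run from an elevated PowerShell on Windows 7/8. Folder name below is an assumption.

$backupDir = Join-Path $env:USERPROFILE 'Desktop\pre-cleanup-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. System Restore point. Windows 8 and later create at most one restore point per
#    24 hours by default, and System Protection may be switched off, so verify the result
#    instead of assuming the call succeeded.
$before = @(Get-ComputerRestorePoint).Count
Checkpoint-Computer -Description 'Before malware removal tools' -RestorePointType MODIFY_SETTINGS
$after = @(Get-ComputerRestorePoint).Count
if ($after -le $before) {
    Write-Warning 'No new restore point was created (a recent one may already exist, or System Protection is off).'
}

# 2. Export the autorun keys the logs above were inspecting (64-bit and Wow6432Node views,
#    machine and current user). reg.exe writes a .reg file that can be re-imported by hand.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$keys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $keys) {
    $file = Join-Path $backupDir (($key -replace '[\\:]', '_') + "-$stamp.reg")
    # reg.exe returns non-zero when a key does not exist on this machine; report and continue.
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not export $key" }
}

# 3. Record what was saved, so it can be quoted back in the thread alongside the tool logs.
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description | Format-Table -AutoSize
Get-ChildItem $backupDir | Select-Object Name, Length
```

    If the restore point warning fires, resolve it (enable System Protection on the system drive, or wait out the creation interval) before continuing; the .reg exports are a supplement to the restore point, not a substitute for it.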
     
  5. 2013/08/27
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    Joined:
    2011/05/05
    Messages:
    83
    Likes Received:
    0
    ComboFix 13-08-27.02 - #2 08/27/2013 13:35:16.2.2 - x64 NETWORK
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.2267 [GMT -4:00]
    Running from: c:\users\#2\Desktop\ransomware\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Host Intrusion Prevention Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\1377033014.bdinstall.bin
    c:\users\#2\AppData\Local\TopArcadeHits
    c:\users\#2\AppData\Local\TopArcadeHits\tah.config
    c:\users\#2\AppData\Local\TopArcadeHits\uninstaller.exe
    c:\windows\PFRO.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-07-27 to 2013-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2013-08-27 17:39 . 2013-08-27 17:39 -------- d-----w- c:\users\Public\AppData\Local\temp
    2013-08-27 17:39 . 2013-08-27 17:39 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-08-26 13:34 . 2013-08-26 13:34 -------- d-----w- C:\FRST
    2013-08-23 13:11 . 2013-08-23 14:40 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2013-08-23 13:10 . 2013-08-23 13:10 36680 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2013-08-21 14:37 . 2013-08-21 14:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-08-21 14:37 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-08-21 13:45 . 2013-08-21 13:45 32000 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
    2013-08-21 13:10 . 2013-08-21 13:44 -------- d-----w- c:\programdata\HitmanPro
    2013-08-20 21:08 . 2013-08-20 21:08 -------- d-----w- c:\program files\Common Files\Defender Pro
    2013-08-20 21:08 . 2013-08-20 21:08 -------- d-----w- c:\program files (x86)\Common Files\Bitdefender
    2013-08-20 21:06 . 2013-08-20 21:06 45856 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
    2013-08-20 21:05 . 2013-08-20 21:05 -------- d--h--w- c:\programdata\Common Files
    2013-08-19 13:56 . 2013-08-19 13:56 -------- d-----w- c:\programdata\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
    2013-08-01 15:00 . 2013-08-21 13:16 -------- d-----w- c:\programdata\IObit
    2013-08-01 15:00 . 2013-08-21 14:25 -------- d-----w- c:\users\#2\AppData\Roaming\IObit
    2013-08-01 15:00 . 2013-08-21 14:28 -------- d-----w- c:\program files (x86)\IObit
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-07-11 15:12 . 2013-07-11 15:13 101200 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2013-07-11 15:12 . 2012-08-28 19:05 303464 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2013-07-11 15:12 . 2012-08-28 19:05 170440 ----a-w- c:\windows\system32\mfevtps.exe
    2013-07-11 15:12 . 2012-08-28 13:14 99352 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2013-07-11 15:12 . 2013-07-11 15:13 10288 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2013-07-11 15:12 . 2012-08-28 19:05 274880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2013-07-11 15:12 . 2012-08-28 19:05 665768 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2013-07-11 15:12 . 2013-07-11 15:13 160952 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2013-07-11 15:12 . 2012-08-28 13:14 75656 ----a-w- c:\windows\SysWow64\MfeOtlkAddin.dll
    2013-07-11 15:12 . 2010-03-26 00:07 23112 ----a-w- c:\windows\SysWow64\MFEOtlk.dll
    2013-07-08 18:25 . 2012-05-22 13:03 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-07-08 18:25 . 2011-05-27 14:27 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-06-12 15:19 . 2013-06-12 15:19 8610696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC "= "c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-12 102400]
    "HP Software Update "= "c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "PDF Complete "= "c:\program files (x86)\PDF Complete\pdfsty.exe" [2010-09-28 664600]
    "Adobe ARM "= "c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
    "ConnectionCenter "= "c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2011-12-22 362432]
    "McAfeeUpdaterUI "= "c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2011-11-15 333376]
    "ShStatEXE "= "c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2012-08-15 215656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "Malwarebytes Anti-Malware "= "c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
    "(cleanup) "= "c:\programdata\Malwarebytes' Anti-Malware (portable)\cleanup.dll" [2013-08-07 1563448]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Advanced SystemCare 6 "= "c:\program files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" [2013-04-19 491840]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    NWepo.lnk - c:\program files (x86)\Network Associates\NWePO.exe [2011-5-13 40960]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "= 5 (0x5)
    "ConsentPromptBehaviorUser "= 3 (0x3)
    "EnableUIADesktopToggle "= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux "=wdmaud.drv
    .
    R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\#2\Desktop\ransomware\Run\a2ddax64.sys;c:\users\#2\Desktop\ransomware\Run\a2ddax64.sys [x]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
    R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files (x86)\IObit\Advanced SystemCare 6\ASCService.exe;c:\program files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [x]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
    R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [x]
    R2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
    R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe;c:\windows\SYSNATIVE\lxbkcoms.exe [x]
    R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe;c:\program files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [x]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe;c:\program files (x86)\PDF Complete\pdfsvc.exe [x]
    R2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x]
    R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
    R3 FireNfcp;McAfee Inc. FireNfcp;c:\windows\system32\drivers\FireNfcp.sys;c:\windows\SYSNATIVE\drivers\FireNfcp.sys [x]
    R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
    R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
    R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
    R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
    R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
    R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
    R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
    R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
    S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys;c:\windows\SYSNATIVE\DRIVERS\mfenlfk.sys [x]
    S1 NEOFLTR_720_21697;Juniper Networks TDI Filter Driver (NEOFLTR_720_21697);c:\windows\system32\Drivers\NEOFLTR_720_21697.SYS;c:\windows\SYSNATIVE\Drivers\NEOFLTR_720_21697.SYS [x]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-08-21 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-22 18:25]
    .
    2013-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 13:17]
    .
    2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 13:17]
    .
    2013-08-13 c:\windows\Tasks\HPCeeScheduleFor580E26F2A7C08663F13A5F1B4DFA81C76CF2AC61FC445799B1134A81.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
    .
    2013-08-13 c:\windows\Tasks\HPCeeScheduleFor2-HP$.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv "= "c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "lxbkbmgr.exe "= "c:\program files (x86)\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    Trusted Zone: agencyanywhere.agency.ni.nwie.net
    Trusted Zone: skilldialogue.com
    Trusted Zone: skillport.com
    TCP: DhcpNameServer = 192.168.254.254
    DPF: {9916D178-71C8-4764-969C-95B9B67A1F76} - hxxps://onestop.nationwide.com/one-stop-web/scan/OneStopScan.CAB
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-mbamchameleon
    HKLM-Run-McAfee Host Intrusion Prevention Tray - \FIRETRAY.EXE
    AddRemove-Applet - c:\windows\system32\javaws.exe
    AddRemove-JNLP - c:\windows\system32\javaws.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\pdfcDispatcher]
    "ImagePath "= "c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled "=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @= "c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker5 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled "=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @= "Shockwave Flash Object "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx "
    "ThreadingModel "= "Apartment "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @= "0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @= "ShockwaveFlash.ShockwaveFlash.11 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @= "{D27CDB6B-AE6D-11cf-96B8-444553540000} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @= "ShockwaveFlash.ShockwaveFlash "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @= "Macromedia Flash Factory Object "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx "
    "ThreadingModel "= "Apartment "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @= "FlashFactory.FlashFactory.1 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @= "c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @= "{D27CDB6B-AE6D-11cf-96B8-444553540000} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @= "FlashFactory.FlashFactory "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker5 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue "=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
    "SymbolicLinkValue "=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-08-27 13:40:57
    ComboFix-quarantined-files.txt 2013-08-27 17:40
    .
    Pre-Run: 432,045,776,896 bytes free
    Post-Run: 431,752,110,080 bytes free
    .
    - - End Of File - - 0AA7726C8616485BDFEB04C613D3EA2E
    7C3F143378CD0D7882C6E613C7399BB8
     
  6. 2013/08/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good.

    How is the computer doing?

    Uninstall Advanced SystemCare 6.
    Registry cleaners/optimizers are not recommended for several reasons:

    • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

      The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
    • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
    • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
    • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
    • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
    Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. 2013/08/27
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    Joined:
    2011/05/05
    Messages:
    83
    Likes Received:
    0
    # AdwCleaner v3.001 - Report created 27/08/2013 at 15:11:41
    # Updated 24/08/2013 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : #2 - 2-HP
    # Running from : C:\Users\#2\Desktop\ransomware\adwcleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****


    ***** [ Browsers ] *****

    -\\ Internet Explorer v9.0.8112.16421


    *************************

    AdwCleaner[R0].txt - [1838 octets] - [27/08/2013 15:00:20]
    AdwCleaner[R1].txt - [756 octets] - [27/08/2013 15:11:12]
    AdwCleaner[S0].txt - [1927 octets] - [27/08/2013 15:06:11]
    AdwCleaner[S1].txt - [678 octets] - [27/08/2013 15:11:41]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [737 octets] ##########
     
  8. 2013/08/27
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    Joined:
    2011/05/05
    Messages:
    83
    Likes Received:
    0
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 5.5.4 (08.22.2013:1)
    OS: Windows 7 Home Premium x64
    Ran by #2 on Tue 08/27/2013 at 15:17:32.36
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\HPSF_Tasks_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\HPSF_Tasks_RASMANCS
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\HPSF_Tasks_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\HPSF_Tasks_RASMANCS



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Empty Folder] C:\Users\#2\appdata\local\{5C18E026-380A-4375-ADE8-FE89A076332F}
    Successfully deleted: [Empty Folder] C:\Users\#2\appdata\local\{80cee346-12d4-f5c1-e08f-c1b4f7f8ad36}
    Successfully deleted: [Empty Folder] C:\Users\#2\appdata\local\{8ED39DE6-136A-41EB-ABB5-7DD28C219B15}
    Successfully deleted: [Empty Folder] C:\Users\#2\appdata\local\{9ECF9068-57B4-462D-AFA7-E4FC228F0D9C}
    Successfully deleted: [Empty Folder] C:\Users\#2\appdata\local\{D7CF17C3-D255-41BE-911E-CC633582DC45}



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Tue 08/27/2013 at 15:25:24.01
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
  9. 2013/08/27
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    Joined:
    2011/05/05
    Messages:
    83
    Likes Received:
    0
    OTL logfile created on: 8/27/2013 3:29:17 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\#2\Desktop\ransomware
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.75 Gb Total Physical Memory | 1.66 Gb Available Physical Memory | 60.41% Memory free
    5.50 Gb Paging File | 4.10 Gb Available in Paging File | 74.58% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 452.83 Gb Total Space | 402.78 Gb Free Space | 88.95% Space Free | Partition Type: NTFS
    Drive D: | 12.83 Gb Total Space | 1.58 Gb Free Space | 12.28% Space Free | Partition Type: NTFS
    Drive E: | 2.59 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: 2-HP | User Name: #2 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/08/27 15:29:06 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\#2\Desktop\ransomware\OTL.exe
    PRC - [2013/05/10 03:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    PRC - [2012/08/14 20:08:00 | 000,033,944 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
    PRC - [2011/12/22 11:37:54 | 000,862,144 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
    PRC - [2011/12/22 11:36:50 | 000,362,432 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
    PRC - [2011/12/19 14:57:48 | 001,136,512 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
    PRC - [2011/11/15 16:06:00 | 001,132,096 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe
    PRC - [2011/11/15 16:06:00 | 000,345,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
    PRC - [2011/11/15 16:06:00 | 000,333,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
    PRC - [2011/11/15 16:06:00 | 000,132,672 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
    PRC - [2011/11/15 16:06:00 | 000,075,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
    PRC - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    PRC - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    PRC - [2011/09/14 20:08:00 | 000,209,760 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
    PRC - [2011/05/12 11:48:20 | 000,324,928 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe
    PRC - [2010/09/28 12:09:28 | 001,119,768 | ---- | M] (PDF Complete Inc) -- C:\Program Files (x86)\PDF Complete\pdfsvc.exe
    PRC - [2010/09/11 05:02:22 | 000,399,344 | ---- | M] (Roxio) -- C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
    PRC - [2008/11/20 14:47:28 | 000,062,768 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
    PRC - [2008/02/28 11:57:54 | 000,074,408 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files (x86)\Lexmark X1100 Series\LXBKbmgr.exe
    PRC - [2008/02/28 11:57:36 | 000,058,024 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files (x86)\Lexmark X1100 Series\LXBKbmon.exe


    ========== Modules (No Company Name) ==========


    ========== Services (SafeList) ==========

    SRV:64bit: - [2013/07/11 11:12:41 | 000,170,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)
    SRV:64bit: - [2013/07/11 11:12:39 | 000,201,864 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
    SRV:64bit: - [2011/09/12 20:04:34 | 000,641,336 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe -- (enterceptAgent)
    SRV:64bit: - [2011/08/09 20:01:28 | 000,208,272 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
    SRV:64bit: - [2010/08/05 23:51:08 | 000,291,896 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe -- (HPClientSvc)
    SRV:64bit: - [2010/05/11 11:16:12 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2008/02/19 09:12:32 | 000,565,928 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysNative\lxbkcoms.exe -- (lxbk_device)
    SRV - [2013/08/27 15:21:22 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2013/05/10 03:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2011/11/15 16:06:00 | 000,132,672 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
    SRV - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
    SRV - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
    SRV - [2011/09/14 20:08:00 | 000,209,760 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
    SRV - [2011/05/12 11:48:20 | 000,324,928 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe -- (McAfee SiteAdvisor Enterprise Service)
    SRV - [2010/09/28 12:09:28 | 001,119,768 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files (x86)\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
    SRV - [2010/09/11 05:02:22 | 000,399,344 | ---- | M] (Roxio) [Auto | Running] -- C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe -- (RoxioNow Service)
    SRV - [2010/06/18 21:59:12 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2008/02/19 09:12:18 | 000,537,256 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysWOW64\lxbkcoms.exe -- (lxbk_device)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2013/08/23 09:10:36 | 000,036,680 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mbamchameleon.sys -- (mbamchameleon)
    DRV:64bit: - [2013/08/21 09:45:38 | 000,032,000 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hitmanpro37.sys -- (hitmanpro37)
    DRV:64bit: - [2013/08/20 17:06:32 | 000,045,856 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtpx64.sys -- (avgtp)
    DRV:64bit: - [2013/07/11 11:12:41 | 000,303,464 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfewfpk.sys -- (mfewfpk)
    DRV:64bit: - [2013/07/11 11:12:41 | 000,101,200 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
    DRV:64bit: - [2013/07/11 11:12:40 | 000,665,768 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
    DRV:64bit: - [2013/07/11 11:12:40 | 000,274,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
    DRV:64bit: - [2013/07/11 11:12:39 | 000,160,952 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
    DRV:64bit: - [2013/04/04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
    DRV:64bit: - [2012/08/23 22:39:14 | 000,100,728 | ---- | M] (Juniper Networks) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NEOFLTR_720_21697.SYS -- (NEOFLTR_720_21697)
    DRV:64bit: - [2011/10/07 00:37:40 | 000,048,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\FireNfcp.sys -- (FireNfcp)
    DRV:64bit: - [2011/10/01 09:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
    DRV:64bit: - [2011/10/01 09:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
    DRV:64bit: - [2011/10/01 09:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
    DRV:64bit: - [2011/10/01 09:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
    DRV:64bit: - [2011/09/12 20:05:16 | 000,195,024 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HipShieldK.sys -- (HipShieldK)
    DRV:64bit: - [2011/08/16 10:04:10 | 000,481,504 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfefirek.sys -- (mfefirek)
    DRV:64bit: - [2011/08/16 10:04:10 | 000,075,672 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfenlfk.sys -- (mfenlfk)
    DRV:64bit: - [2011/06/29 05:18:16 | 000,091,864 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ctxusbm.sys -- (ctxusbm)
    DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 09:32:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 09:32:46 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/09/03 02:59:26 | 000,349,800 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2010/08/13 09:35:36 | 000,075,904 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata)
    DRV:64bit: - [2010/08/13 09:35:36 | 000,038,016 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata)
    DRV:64bit: - [2010/05/11 11:46:18 | 006,790,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
    DRV:64bit: - [2010/05/11 10:24:20 | 000,221,184 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
    DRV:64bit: - [2010/03/10 11:33:52 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie64.sys -- (AtiPcie)
    DRV:64bit: - [2009/12/22 05:26:36 | 000,038,456 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
    DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 21:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/07/13 20:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
    IE:64bit: - HKLM\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
    IE - HKLM\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox


    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Citrix.com/npican: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@hulu.com/Hulu Desktop: C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\npHDPlg.dll ()
    FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\#2\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\ [2012/08/29 14:06:02 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files (x86)\Common Files\McAfee\SystemCore [2013/07/14 15:44:50 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2013/08/27 13:39:26 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130711111316.dll (McAfee, Inc.)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130711111316.dll (McAfee, Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
    O4:64bit: - HKLM..\Run: [hpsysdrv] c:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)
    O4:64bit: - HKLM..\Run: [lxbkbmgr.exe] C:\Program Files (x86)\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
    O4:64bit: - HKLM..\Run: [McAfee Host Intrusion Prevention Tray] \FIRETRAY.EXE" File not found
    O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
    O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe (PDF Complete Inc)
    O4 - HKLM..\Run: [ShStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
    O4 - HKLM..\Run: [StartCCC] c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O4 - HKU\.DEFAULT..\Run: [Advanced SystemCare 6] "C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart File not found
    O4 - HKU\S-1-5-18..\Run: [Advanced SystemCare 6] "C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: agencyanywhere.agency.ni.nwie.net ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: agencyanywhere.agency.ni.nwie.net ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: skilldialogue.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: skilldialogue.com ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: skillport.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: skillport.com ([]https in Trusted sites)
    O16:64bit: - DPF: {AA570693-00E2-4907-B6F1-60A1199B030C} https://juniper.net/dana-cached/sc/JuniperSetupClient64.cab (JuniperSetupClientControl64 Class)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Value error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {9916D178-71C8-4764-969C-95B9B67A1F76} https://onestop.nationwide.com/one-stop-web/scan/OneStopScan.CAB (OneStopScan.Scanner)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://nationwidenh.webex.com/client/T26L10NSP49EP9/webex/ieatgpc1.cab (GpcContainer Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://agents.nationwide.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BEFCD235-CB09-49C0-B8BF-01DA28D15903}: DhcpNameServer = 192.168.254.254
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2013/03/08 13:42:43 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/08/27 15:17:27 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
    [2013/08/27 15:00:16 | 000,000,000 | ---D | C] -- C:\AdwCleaner
    [2013/08/27 13:41:01 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2013/08/27 13:40:58 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2013/08/27 13:33:32 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2013/08/27 13:33:32 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2013/08/27 13:33:32 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2013/08/27 13:33:25 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2013/08/26 09:34:22 | 000,000,000 | ---D | C] -- C:\FRST
    [2013/08/23 09:11:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    [2013/08/22 09:08:24 | 000,000,000 | ---D | C] -- C:\Users\#2\Desktop\RK_Quarantine
    [2013/08/21 10:37:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2013/08/21 10:37:28 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2013/08/21 10:37:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2013/08/21 09:10:56 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
    [2013/08/20 17:08:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Defender Pro
    [2013/08/20 17:08:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Bitdefender
    [2013/08/20 17:06:54 | 000,045,856 | ---- | C] (AVG Technologies) -- C:\Windows\SysNative\drivers\avgtpx64.sys
    [2013/08/20 17:05:20 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
    [2013/08/19 09:56:34 | 000,000,000 | ---D | C] -- C:\ProgramData\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
    [2013/08/01 11:00:27 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
    [2013/08/01 11:00:10 | 000,000,000 | ---D | C] -- C:\Users\#2\AppData\Roaming\IObit
    [2013/08/01 11:00:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
    [2013/07/30 09:02:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/08/27 15:21:24 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2013/08/27 15:20:00 | 000,727,136 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2013/08/27 15:20:00 | 000,624,606 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2013/08/27 15:20:00 | 000,106,724 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2013/08/27 15:19:52 | 000,018,736 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/08/27 15:19:52 | 000,018,736 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/08/27 15:14:04 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2013/08/27 15:13:04 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2013/08/27 15:12:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2013/08/27 15:12:14 | 2214,027,264 | -HS- | M] () -- C:\hiberfil.sys
    [2013/08/27 13:39:26 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2013/08/23 09:10:36 | 000,036,680 | ---- | M] () -- C:\Windows\SysNative\drivers\mbamchameleon.sys
    [2013/08/21 10:37:29 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/08/21 09:45:38 | 000,032,000 | ---- | M] () -- C:\Windows\SysNative\drivers\hitmanpro37.sys
    [2013/08/21 09:44:28 | 000,001,972 | ---- | M] () -- C:\Windows\SysNative\.crusader
    [2013/08/20 17:06:32 | 000,045,856 | ---- | M] (AVG Technologies) -- C:\Windows\SysNative\drivers\avgtpx64.sys
    [2013/08/16 14:43:50 | 000,206,043 | ---- | M] () -- C:\Users\#2\Desktop\Jen doc alt.jpg
    [2013/08/13 15:04:11 | 000,000,334 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleFor2-HP$.job
    [2013/08/13 09:22:05 | 000,000,320 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleFor#2.job
    [2013/07/30 09:02:41 | 000,002,214 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/08/27 13:33:32 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2013/08/27 13:33:32 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2013/08/27 13:33:32 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2013/08/27 13:33:32 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2013/08/27 13:33:32 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2013/08/23 09:10:36 | 000,036,680 | ---- | C] () -- C:\Windows\SysNative\drivers\mbamchameleon.sys
    [2013/08/21 10:37:29 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/08/21 09:45:38 | 000,032,000 | ---- | C] () -- C:\Windows\SysNative\drivers\hitmanpro37.sys
    [2013/08/21 09:44:28 | 000,001,972 | ---- | C] () -- C:\Windows\SysNative\.crusader
    [2013/08/16 14:43:40 | 000,206,043 | ---- | C] () -- C:\Users\#2\Desktop\Jen doc alt.jpg
    [2013/07/30 09:02:41 | 000,002,214 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
    [2012/09/11 14:06:35 | 000,000,000 | ---- | C] () -- C:\Users\#2\AppData\Local\¹º»¼½¾¿Ã€ÃÂÃÄÅÆÇÈÉÊËÌÃÃŽÃÃÑÒÓÔÕÖרÙÚÛÜÃÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
    [2011/12/09 15:02:51 | 000,010,164 | -HS- | C] () -- C:\Users\#2\AppData\Local\jrhrvm1u8ily8bsc2duw5r888y6u
    [2011/12/09 15:02:51 | 000,010,164 | -HS- | C] () -- C:\ProgramData\jrhrvm1u8ily8bsc2duw5r888y6u
    [2011/08/17 08:59:47 | 000,000,000 | ---- | C] () -- C:\Users\#2\AppData\Local\{80DDDA4B-2DD9-485B-87E7-9BDC1EBCB9D5}
    [2011/07/28 11:20:58 | 000,000,041 | ---- | C] () -- C:\Users\#2\AppData\Roaming\TheHunterSettings_live.cfg
    [2011/06/02 12:02:37 | 000,001,854 | ---- | C] () -- C:\Users\#2\AppData\Roaming\GhostObjGAFix.xml

    ========== ZeroAccess Check ==========

    [2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "ThreadingModel" = Both
    " " = C:\Windows\SysNative\shell32.dll -- [2010/11/20 09:27:25 | 014,174,208 | ---- | M] (Microsoft Corporation)

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    " " = C:\Windows\SysNative\shell32.dll -- [2010/11/20 09:27:25 | 014,174,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    " " = %SystemRoot%\system32\shell32.dll -- [2010/11/20 08:21:19 | 012,872,192 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    " " = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    " " = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    " " = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== LOP Check ==========

    [2012/08/27 13:43:59 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\Barnes & Noble
    [2013/08/21 09:16:20 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\ICAClient
    [2013/08/21 10:25:02 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\IObit
    [2012/11/28 10:21:47 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\Juniper Networks
    [2013/08/20 15:43:07 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\SoftGrid Client
    [2011/05/13 11:02:56 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\TP
    [2012/01/25 15:55:10 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\webex
    [2011/09/26 09:16:49 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\WinBatch
    [2012/09/04 16:09:20 | 000,000,000 | ---D | M] -- C:\Users\#2\AppData\Roaming\ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1
    [2011/05/13 10:10:29 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\ICAClient
    [2011/05/13 10:10:29 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\ICAClient

    ========== Purity Check ==========



    < End of report >
  10. 2013/08/27
    adrenalinesaint

    OTL Extras logfile created on: 8/27/2013 3:29:17 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\#2\Desktop\ransomware
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.75 Gb Total Physical Memory | 1.66 Gb Available Physical Memory | 60.41% Memory free
    5.50 Gb Paging File | 4.10 Gb Available in Paging File | 74.58% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 452.83 Gb Total Space | 402.78 Gb Free Space | 88.95% Space Free | Partition Type: NTFS
    Drive D: | 12.83 Gb Total Space | 1.58 Gb Free Space | 12.28% Space Free | Partition Type: NTFS
    Drive E: | 2.59 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: 2-HP | User Name: #2 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
    .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll ",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll ",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1 ",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{1CF9606E-37E7-48F2-AFF0-B42EBF11478D}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{254EC095-81D7-441F-A9B9-A631BAC40398}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{59B5B593-E531-430B-BE59-03E71DBD66C9}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{D3D356A4-8617-4B6E-A6E8-00DB0960B440}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{D5F0A393-2564-4AAD-B463-5430948E4B7A}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{F8CA91D7-3746-49ED-A5AC-51B95AEAAC7D}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
    "{2856A1C2-70C5-4EC3-AFF7-E5B51E5530A2}" = HP Client Services
    "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    "{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10
    "{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector
    "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    "{7C7A5A92-046C-A38C-AE0F-8F9CCA0F67A8}" = ATI Catalyst Install Manager
    "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    "{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{A40F60B1-F1E1-452E-96A5-FF97F9A2D102}" = HP MediaSmart SmartMenu
    "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
    "{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
    "{CC4D56B7-6F18-470B-8734-ABCD75BCF4F1}" = HP Auto
    "{D2B9C003-A3CD-44A0-9DE5-52FE986C03E5}" = McAfee Host Intrusion Prevention
    "{D2B9C003-A3CD-44A0-9DE5-52FE986C03E5}_Uninst" = McAfee Host Intrusion Prevention
    "{D79A02E9-6713-4335-9668-AAC7474C0C0E}" = HP Vision Hardware Diagnostics
    "{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
    "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "{FD9560A8-CB02-1F28-CB9C-487244A28A8B}" = ccc-utility64
    "Juniper_Setup_Client Activex Control" = Juniper Networks, Inc. Setup Client 64-bit Activex Control
    "Lexmark X1100 Series" = Lexmark X1100 Series
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00FC3F65-86EB-475E-881F-A5B1CF731320}" = McAfee SiteAdvisor Enterprise Plus
    "{0655C185-FD48-5EBA-484A-CD530291F44D}" = CCC Help Hungarian
    "{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0BF71387-5AFD-F71B-7353-3AEBD3E8F5F3}" = Catalyst Control Center Graphics Full Existing
    "{0E1C256F-6B90-E5A5-F62E-5DAE1AEAE294}" = ccc-core-static
    "{0EDEB615-1A60-425E-8306-0E10519C7B55}" = RoxioNow Player
    "{120262A6-7A4B-4889-AE85-F5E5688D3683}" = HP MovieStore
    "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1B01541D-B1B8-8B7E-E82B-70551A1AF961}" = CCC Help Chinese Standard
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{22139F5D-9405-455A-BDEB-658B1A4E4861}" = Catalyst Control Center - Branding
    "{246CB06B-308C-4CAE-AD1C-CB8409274261}" = Citrix Receiver(Aero)
    "{26070CDA-A7C5-2114-0533-38DE06C65E7F}" = CCC Help Polish
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{2726B6FF-D8F9-8F29-2A7D-8192AAE79D3F}" = Catalyst Control Center Localization All
    "{2EA3D6B2-157E-4112-A3AB-BF17E16661C3}" = HP MediaSmart/TouchSmart Netflix
    "{3023EBDA-BF1B-4831-B347-E5018555F26E}" = Movie Theme Pack for HP MediaSmart Video
    "{3088B508-7EE1-EC64-4FFD-C4901378CE7D}" = CCC Help Russian
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{36CD0606-5C32-457A-B3CA-40B8EBD04689}" = System Information Reporter
    "{3778B802-8E2C-04B0-2C1B-7C2A8F981824}" = CCC Help Finnish
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = Recovery Manager
    "{465210C4-595A-BD80-44E8-E0457D9D8432}" = Zinio Reader 4
    "{48CA048A-3C5B-391E-7FF0-F36F434CB1B6}" = CCC Help Thai
    "{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
    "{504CC891-B140-4E1B-860B-5E4C1DFBA9E3}" = Blio
    "{52CD3425-C5E8-C49D-B776-AC85F018C0F6}" = Catalyst Control Center Graphics Previews Vista
    "{53469506-A37E-4314-A9D9-38724EC23A75}" = HP Setup
    "{597CE475-4F62-89EE-A81E-DB509DA0CBB2}" = CCC Help English
    "{5E7A925A-CCE1-4ED5-A0DD-4A821A3F9BC2}" = Catalyst Control Center Core Implementation
    "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
    "{655C5545-7974-443F-882F-D745607EBB08}" = Citrix Receiver(DV)
    "{674DAE26-3C3C-2D20-1BB4-82B380142E78}" = CCC Help Greek
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
    "{6A9EF47E-D49A-2EFC-20A1-A92DE7F826DF}" = CCC Help Czech
    "{6DAF8CDC-9B04-413B-A0F2-BCC13CF8A5BF}" = HP MediaSmart Photo
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{739A6D0C-CA8D-4955-8E3D-58D1847327AC}" = Online Plug-in
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7A9C67EF-05A8-499F-56A2-C467A4FE6DEE}" = CCC Help Italian
    "{7DA0C5CE-9817-CDB2-F061-F72D0CB6EEB3}" = CCC Help German
    "{7DB63154-92A4-12AE-364F-DE9C7B459720}" = CCC Help Spanish
    "{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}" = HP Support Information
    "{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8D2A81D8-AABF-673B-08BE-EF7A80295F14}" = CCC Help French
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{9008D736-35CA-40DB-A2BE-5F32D954E5AA}" = HP MovieStore
    "{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
    "{912CED74-88D3-4C5B-ACB0-13231864975E}" = PressReader
    "{91A34181-9FAD-43AB-A35F-E7A8945B7E1C}" = HP MediaSmart Music
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
    "{96AD3B61-EAE2-11E2-9E72-B8AC6F98CCE3}" = Google Earth
    "{981F6BCD-252E-6A64-9C6D-4E3B10B1B126}" = Catalyst Control Center InstallProxy
    "{991057FA-3CA7-42B0-94B6-5B1B2535FBD3}" = Citrix Receiver Inside
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{A113003E-8271-4485-ABC1-83FB96BFFF52}" = Citrix Receiver(USB)
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A7CEA571-43AC-95FE-4F08-22C401FC2824}" = CCC Help Japanese
    "{A826CCC4-C0BA-97B4-F1DB-E68CD45D1133}" = CCC Help Danish
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.7)
    "{AC76BA86-7AD7-2447-0000-A00000000003}" = Chinese Simplified Fonts Support For Adobe Reader X
    "{AC9A3F48-8936-40CD-A0B2-7CFA76906143}" = Catalyst Control Center Graphics Full New
    "{AE856388-AFAD-4753-81DF-D96B19D0A17C}" = HP Setup Manager
    "{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B68D391C-32C6-798E-C78F-83C1797B162A}" = CCC Help Swedish
    "{B8AC1A89-FFD1-4F97-8051-E505A160F562}" = HP Odometer
    "{BC728724-882E-4E2D-B3EE-E2C7332DC2F2}" = Citrix Receiver (HDX Flash Redirection)
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
    "{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}" = McAfee VirusScan Enterprise
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
    "{D12E3E7F-1B13-4933-A915-16C7DD37A095}" = HP MediaSmart Video
    "{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow!
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{DC47D46D-8874-D83A-6612-9DA3175861B2}" = CCC Help Korean
    "{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DE77FE3F-A33D-499A-87AD-5FC406617B40}" = HP Update
    "{DE91C193-2611-4BD3-A9F9-DF589C572565}" = McAfee Agent
    "{DF09BCD9-3556-77A6-8984-1CA95F8E1078}" = CCC Help Portuguese
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E0DE2996-A443-5FEA-30B7-9395E0F3A7CC}" = CCC Help Chinese Traditional
    "{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
    "{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
    "{EDFA892D-594D-C921-35FF-B6E5CFD2487C}" = CCC Help Dutch
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F56BBEB1-E982-0A07-0004-1CBC8E5B534E}" = CCC Help Turkish
    "{F600ED39-BA0C-A127-EAB7-057DF0A327E0}" = CCC Help Norwegian
    "{F84B7A2F-2328-A610-89F6-2CC78CF00FFE}" = Catalyst Control Center Graphics Light
    "{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}" = DVD Menu Pack for HP MediaSmart Video
    "{FD7F0DB8-0E96-4D64-AD4D-9B5A936AF2A8}" = LightScribe System Software
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "ActiveTouchMeetingClient" = WebEx
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "BN_DesktopReader" = NOOK for PC
    "CitrixOnlinePluginPackWeb" = Citrix Receiver
    "InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}" = Movie Theme Pack for HP MediaSmart Video
    "InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "InstallShield_{6DAF8CDC-9B04-413B-A0F2-BCC13CF8A5BF}" = HP MediaSmart Photo
    "InstallShield_{91A34181-9FAD-43AB-A35F-E7A8945B7E1C}" = HP MediaSmart Music
    "InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "InstallShield_{D12E3E7F-1B13-4933-A915-16C7DD37A095}" = HP MediaSmart Video
    "InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow!
    "InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
    "InstallShield_{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}" = DVD Menu Pack for HP MediaSmart Video
    "Kobo" = Kobo
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
    "My HP Game Console" = HP Game Console
    "Neoteris_Secure_Application_Manager" = Juniper Networks Secure Application Manager
    "Office14.Click2Run" = Microsoft Office Click-to-Run 2010
    "PDF Complete" = PDF Complete Special Edition
    "WildTangent hp Master Uninstall" = HP Games
    "WinLiveSuite" = Windows Live Essentials
    "WT087328" = Blackhawk Striker 2
    "WT087330" = Bounce Symphony
    "WT087335" = Build-a-lot 2
    "WT087343" = Dora's World Adventure
    "WT087360" = Escape Rosecliff Island
    "WT087361" = FATE
    "WT087362" = Final Drive Nitro
    "WT087372" = Heroes of Hellas 2 - Olympia
    "WT087379" = Jewel Quest Solitaire 2
    "WT087394" = Penguins!
    "WT087395" = Poker Superstars III
    "WT087396" = Polar Bowler
    "WT087397" = Polar Golfer
    "WT087414" = Virtual Families
    "WT087415" = Wheel of Fortune 2
    "WT087428" = Bejeweled 2 Deluxe
    "WT087453" = Chuzzle Deluxe
    "WT087501" = Plants vs. Zombies
    "WT087533" = Zuma Deluxe
    "WT087536" = Diner Dash 2 Restaurant Rescue
    "WT089299" = Mystery P.I. - The London Caper
    "WT089307" = Virtual Villagers 4 - The Tree of Life
    "WT089308" = Blasterball 3
    "WT089328" = Farm Frenzy
    "WT089359" = Cake Mania
    "WT089362" = Agatha Christie - Peril at End House
    "ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1" = Zinio Reader 4

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "HuluDesktop" = Hulu Desktop
    "Juniper_Setup_Client" = Juniper Networks, Inc. Setup Client
    "Neoteris_Host_Checker" = Juniper Networks Host Checker
    "UnityWebPlayer" = Unity Web Player

    ========== Last 20 Event Log Errors ==========

    [ Hewlett-Packard Events ]
    Error - 12/8/2011 4:11:23 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description = HP Error ID: -2147467261HPSF.exe at HP.SupportFramework.Communicator.MessengerComm.MessengerPublisher.closeConnection()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Message: Object
    reference not set to an instance of an object. StackTrace: at HP.SupportFramework.Communicator.MessengerComm.MessengerPublisher.closeConnection()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: HP.SupportFramework.Communicator

    Name:
    HPSF.exe Version: 06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support
    Framework\HPSF.exe Format: en-US RAM: 2815 Ram Utilization: TargetSite: Void closeConnection()


    Error - 12/8/2011 4:11:23 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description = HP Error ID: -2147467261HPSF.exe at HP.SupportFramework.Communicator.MessengerComm.MessengerPublisher.closeConnection()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Message: Object
    reference not set to an instance of an object. StackTrace: at HP.SupportFramework.Communicator.MessengerComm.MessengerPublisher.closeConnection()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: HP.SupportFramework.Communicator

    Name:
    HPSF.exe Version: 06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support
    Framework\HPSF.exe Format: en-US RAM: 2815 Ram Utilization: TargetSite: Void closeConnection()


    Error - 1/8/2012 4:00:23 AM | Computer Name = 2-HP | Source = hpsa_service.exe | ID = 2000
    Description =

    Error - 1/8/2012 4:00:53 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description =

    Error - 1/8/2012 4:01:11 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description =

    Error - 1/8/2012 4:01:17 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description =

    Error - 1/8/2012 4:01:21 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description =

    Error - 1/8/2012 4:01:35 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description =

    Error - 2/8/2012 4:05:20 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description =

    Error - 2/8/2012 4:05:20 AM | Computer Name = 2-HP | Source = HPSF.exe | ID = 4000
    Description =


    < End of report >
     
  11. 2013/08/27
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    hey broni,

    I have been keeping the computer in safe mode with networking until your last post; now I have let the computer reboot normally after running AdwCleaner, and all seems to be running very well.
     
  12. 2013/08/27
    broni

    broni Moderator Malware Analyst

    Very good :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    Code:
    :OTL
    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    O4 - HKU\.DEFAULT..\Run: [Advanced SystemCare 6]  "C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart File not found
    O4 - HKU\S-1-5-18..\Run: [Advanced SystemCare 6]  "C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart File not found
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: agencyanywhere.agency.ni.nwie.net ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: agencyanywhere.agency.ni.nwie.net ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: skilldialogue.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: skilldialogue.com ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: skillport.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-242976623-2615718514-4156711866-1000\..Trusted Domains: skillport.com ([]https in Trusted sites)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Value error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    [2013/08/20 17:08:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Defender Pro
    [2013/08/01 11:00:27 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
    [2013/08/01 11:00:10 | 000,000,000 | ---D | C] -- C:\Users\#2\AppData\Roaming\IObit
    [2013/08/01 11:00:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
    [2012/09/11 14:06:35 | 000,000,000 | ---- | C] () -- C:\Users\#2\AppData\Local\¹º»¼½¾¿Ã€ÃÂÃÄÅÆÇÈÉÊËÌÃÃŽÃÃÑÒÓÔÕÖרÙÚÛÜÃÞßàáâãäåæçèé êëìíîïðñòóôõö÷øùúûüýþÿ
    [2011/12/09 15:02:51 | 000,010,164 | -HS- | C] () -- C:\Users\#2\AppData\Local\jrhrvm1u8ily8bsc2duw5r888y6u
    [2011/12/09 15:02:51 | 000,010,164 | -HS- | C] () -- C:\ProgramData\jrhrvm1u8ily8bsc2duw5r888y6u
    
    
    :Services
    
    :Reg
    
    :Files
    C:\FRST
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
    
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at the "killing processes..." step), run the fix from safe mode.

    Last scans....

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
      • Other Services
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.

    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
     
  13. 2013/08/28
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    All processes killed
    ========== OTL ==========
    64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced SystemCare 6 deleted successfully.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced SystemCare 6 not found.
    Registry key HKEY_USERS\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\agencyanywhere.agency.ni.nwie.net\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\agencyanywhere.agency.ni.nwie.net\ not found.
    Registry key HKEY_USERS\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skilldialogue.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skilldialogue.com\ not found.
    Registry key HKEY_USERS\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skillport.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-242976623-2615718514-4156711866-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skillport.com\ not found.
    Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
    C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
    File Protocol\Handler\livecall - No CLSID value found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
    File Protocol\Handler\msnim - No CLSID value found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
    File Protocol\Handler\wlmailhtml - No CLSID value found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlpg\ deleted successfully.
    File Protocol\Handler\wlpg - No CLSID value found not found.
    64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
    C:\Program Files\Common Files\Defender Pro\SetupInformation\{34480DEE-54D6-4985-A817-CA30E9BBC94C}\lang folder moved successfully.
    C:\Program Files\Common Files\Defender Pro\SetupInformation\{34480DEE-54D6-4985-A817-CA30E9BBC94C}\core\Plugins folder moved successfully.
    C:\Program Files\Common Files\Defender Pro\SetupInformation\{34480DEE-54D6-4985-A817-CA30E9BBC94C}\core folder moved successfully.
    C:\Program Files\Common Files\Defender Pro\SetupInformation\{34480DEE-54D6-4985-A817-CA30E9BBC94C} folder moved successfully.
    C:\Program Files\Common Files\Defender Pro\SetupInformation folder moved successfully.
    C:\Program Files\Common Files\Defender Pro folder moved successfully.
    C:\ProgramData\IObit\ASCDownloader folder moved successfully.
    C:\ProgramData\IObit\Advanced SystemCare V6 folder moved successfully.
    C:\ProgramData\IObit folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\Smart Defrag 2 folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\IObit Uninstaller\Log folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\IObit Uninstaller folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\IObit Malware Fighter folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\Advanced SystemCare V6\Log folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\Advanced SystemCare V6\Internet Booster folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\Advanced SystemCare V6\Boottime folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\Advanced SystemCare V6\Backup folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit\Advanced SystemCare V6 folder moved successfully.
    C:\Users\#2\AppData\Roaming\IObit folder moved successfully.
    C:\Program Files (x86)\IObit\IObit Malware Fighter\Quarantine Zone folder moved successfully.
    C:\Program Files (x86)\IObit\IObit Malware Fighter\log\scan folder moved successfully.
    C:\Program Files (x86)\IObit\IObit Malware Fighter\log\realtime folder moved successfully.
    C:\Program Files (x86)\IObit\IObit Malware Fighter\log folder moved successfully.
    C:\Program Files (x86)\IObit\IObit Malware Fighter folder moved successfully.
    C:\Program Files (x86)\IObit\Advanced SystemCare 6\LatestNews folder moved successfully.
    C:\Program Files (x86)\IObit\Advanced SystemCare 6\BrowerProtect\images folder moved successfully.
    C:\Program Files (x86)\IObit\Advanced SystemCare 6\BrowerProtect folder moved successfully.
    C:\Program Files (x86)\IObit\Advanced SystemCare 6 folder moved successfully.
    C:\Program Files (x86)\IObit folder moved successfully.
    File C:\Users\#2\AppData\Local\¹º»¼½¾¿Ã€ÃÂÃÄÅÆÇÈÉÊËÌÃÃŽÃÃÑÒÓÔÕÖרÙÚÛÜÃÞßàáâãäåæçèé êëìíîïðñòóôõö÷øùúûüýþÿ not found.
    C:\Users\#2\AppData\Local\jrhrvm1u8ily8bsc2duw5r888y6u moved successfully.
    C:\ProgramData\jrhrvm1u8ily8bsc2duw5r888y6u moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    Folder move failed. C:\FRST\Quarantine\{80cee346-12d4-f5c1-e08f-c1b4f7f8ad36}\ \... scheduled to be moved on reboot.
    C:\FRST\Quarantine\{80cee346-12d4-f5c1-e08f-c1b4f7f8ad36}\ folder moved successfully.
    Folder move failed. C:\FRST\Quarantine\{80cee346-12d4-f5c1-e08f-c1b4f7f8ad36} scheduled to be moved on reboot.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives\Users\00000002 folder moved successfully.
    C:\FRST\Hives\Users\00000001 folder moved successfully.
    C:\FRST\Hives\Users folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: #2
    ->Temp folder emptied: 4391671 bytes
    ->Temporary Internet Files folder emptied: 11620385 bytes
    ->Java cache emptied: 17079220 bytes
    ->Flash cache emptied: 506 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 8292 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 52866290 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 82.00 mb


    [EMPTYJAVA]

    User: #2
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: #2
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 08282013_085631

    Files\Folders moved on Reboot...
    File\Folder C:\FRST\Quarantine\{80cee346-12d4-f5c1-e08f-c1b4f7f8ad36}\ \... not found!
    File\Folder C:\FRST\Quarantine\{80cee346-12d4-f5c1-e08f-c1b4f7f8ad36} not found!
    C:\Users\#2\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\#2\AppData\Local\Temp\VGX81AD.tmp moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  14. 2013/08/28
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    Results of screen317's Security Check version 0.99.73
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 10
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    McAfee VirusScan Enterprise
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    McAfee SiteAdvisor Enterprise Plus
    Malwarebytes Anti-Malware version 1.75.0.1300
    Java(TM) 6 Update 31
    Java version out of Date!
    Adobe Flash Player 11.8.800.94
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    McAfee VirusScan Enterprise vstskmgr.exe
    McAfee VirusScan Enterprise mfeann.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 6%
    ````````````````````End of Log``````````````````````
     
  15. 2013/08/28
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    Farbar Service Scanner Version: 18-08-2013
    Ran by #2 (administrator) on 28-08-2013 at 09:31:01
    Running from "C:\Users\#2\Desktop\ransomware "
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware "=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\ipnathlp.dll => MD5 is legit
    C:\Windows\System32\iphlpsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
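    The FSS log above flags two things about Windows Defender: the WinDefend service is set to Demand start instead of Auto, and the DisableAntiSpyware value under HKLM\SOFTWARE\Microsoft\Windows Defender is 1. As an added example (not FSS output and not code from this thread), the PowerShell below reads those same values directly and also lists the antivirus products registered with Security Center; a third-party product such as the McAfee VirusScan Enterprise shown in the Security Check log commonly disables Windows Defender on Windows 7, which is the expected explanation for this finding rather than a sign of tampering.

```powershell
# Added example (not FSS output or code from this thread): reproduce the
# "Windows Defender" checks that Farbar Service Scanner reported above.
# Run in an elevated Windows PowerShell prompt on the machine being inspected.

function Get-DefenderState {
    $result = [ordered]@{}

    # 1) The "Disabled Policy" value FSS printed:
    #    HKLM\SOFTWARE\Microsoft\Windows Defender, DisableAntiSpyware = DWORD:1
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $prop = Get-ItemProperty -Path $key -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $result['DisableAntiSpyware'] = [int]$prop.DisableAntiSpyware
    } else {
        $result['DisableAntiSpyware'] = 'not set'
    }

    # 2) Service state and start type of WinDefend. FSS reported "Demand",
    #    which WMI spells "Manual"; the default on Windows 7 is "Auto".
    #    Get-WmiObject is used because it exists on Windows 7 / PowerShell 2.0.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'" -ErrorAction SilentlyContinue
    if ($null -ne $svc) {
        $result['WinDefendState']     = $svc.State
        $result['WinDefendStartMode'] = $svc.StartMode
        $result['WinDefendImagePath'] = $svc.PathName
    } else {
        $result['WinDefendState'] = 'service not found'
    }

    # 3) ServiceDll, which FSS also verifies (path only here; FSS compares the MD5 too).
    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\Parameters'
    $dll = Get-ItemProperty -Path $paramKey -Name 'ServiceDll' -ErrorAction SilentlyContinue
    $result['ServiceDll'] = if ($dll) { $dll.ServiceDll } else { 'not set' }

    # 4) Antivirus products registered with Security Center (Action Center on 7).
    #    A registered third-party product is the usual reason Defender is turned off.
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    $result['RegisteredAntivirus'] = if ($av) { ($av | ForEach-Object { $_.displayName }) -join ', ' } else { 'none found' }

    return [pscustomobject]$result
}

Get-DefenderState | Format-List
```

If DisableAntiSpyware is 1 and no antivirus product is registered, that combination is worth investigating; with a registered third-party product it is the normal state.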
     
  17. 2013/08/28
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    ESET scanner found no threats :)
     
  18. 2013/08/28
    broni

    broni Moderator Malware Analyst

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: If you're running a 64-bit system, make sure you install BOTH 32-bit and 64-bit Java.

    Note 3: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista and 7 users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please let me know how your computer is doing.
     
  19. 2013/08/29
    adrenalinesaint

    adrenalinesaint Inactive Thread Starter

    All processes killed
    Error: Unable to interpret <Code: > in the current context!
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: #2
    ->Temp folder emptied: 1483030 bytes
    ->Temporary Internet Files folder emptied: 194906650 bytes
    ->Java cache emptied: 37893 bytes
    ->Flash cache emptied: 506 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 187.00 mb


    [EMPTYFLASH]

    User: #2
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: #2
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Public

    Total Java Files Cleaned = 0.00 mb

    System Restore Service not available.

    OTL by OldTimer - Version 3.2.69.0 log created on 08292013_102209

    Files\Folders moved on Reboot...
    C:\Users\#2\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\#2\AppData\Local\Temp\VGXBE2.tmp moved successfully.
    C:\Users\#2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FYGMON35\106024-active-department-justice-windows-security-pro-3[1].htm moved successfully.
    C:\Users\#2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FYGMON35\fastbutton[1].htm moved successfully.
    C:\Users\#2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FYGMON35\xd_arbiter[1].htm moved successfully.
    C:\Users\#2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CZT36HIW\like[1].htm moved successfully.
    C:\Users\#2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CZT36HIW\postmessageRelay[3].htm moved successfully.
    C:\Users\#2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CBAPG41C\xd_arbiter[2].htm moved successfully.
    C:\Users\#2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
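    The [EMPTYTEMP] section of the OTL log above walks each user profile (#2, Default, Default User, Public) plus the Windows temp folder and reports bytes emptied per location, and the "moved on Reboot" list at the end is what it does with files that were locked while it ran. The script below is an added example, not OTL or TFC code, that reproduces that report for the same locations and can empty them on request. It assumes the Windows Vista/7 profile layout under C:\Users, PowerShell 2.0 or later, and an elevated prompt so every profile is readable; by default it only measures.

```powershell
# Added example (not OTL or TFC code): report and, on request, empty the
# per-profile temporary locations that OTL's [EMPTYTEMP] pass walks through.
# Assumes the C:\Users profile layout of Windows Vista/7 and PowerShell 2.0+.
# Run elevated so every profile is readable; measuring is the default action.

# Paths inside each profile that hold disposable cache data.
$ProfileTempPaths = @(
    'AppData\Local\Temp',
    'AppData\Local\Microsoft\Windows\Temporary Internet Files',
    'AppData\LocalLow\Sun\Java\Deployment\cache',   # Java cache
    'AppData\Roaming\Macromedia\Flash Player'        # Flash cache (shared objects)
)

function Get-TempLocation {
    # System-wide temp first, then one entry per user profile and cache path.
    $locations = @(Join-Path $env:SystemRoot 'Temp')
    $userDirs = Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($userDir in $userDirs) {
        foreach ($rel in $ProfileTempPaths) {
            $locations += Join-Path $userDir.FullName $rel
        }
    }
    $locations | Where-Object { Test-Path $_ }
}

function Get-TempUsage {
    # Bytes per location, mirroring the per-folder lines in the OTL log.
    foreach ($dir in Get-TempLocation) {
        $bytes = (Get-ChildItem $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object -Property Length -Sum).Sum
        if ($null -eq $bytes) { $bytes = 0 }
        New-Object PSObject -Property @{ Folder = $dir; Bytes = [int64]$bytes }
    }
}

function Clear-TempLocation {
    # Deletes the contents, not the folders. Files held open by a running
    # process fail to delete and are returned so you can deal with them after
    # a reboot, which is what OTL's "moved on Reboot" pass does for them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $locked = @()
    foreach ($dir in Get-TempLocation) {
        foreach ($item in Get-ChildItem $dir -Force -ErrorAction SilentlyContinue) {
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove')) {
                try {
                    Remove-Item $item.FullName -Recurse -Force -ErrorAction Stop
                } catch {
                    $locked += $item.FullName
                }
            }
        }
    }
    $locked
}

# Usage: measure, then dry-run, then delete for real.
Get-TempUsage | Sort-Object Bytes -Descending | Format-Table Folder, Bytes -AutoSize
$total = (Get-TempUsage | Measure-Object -Property Bytes -Sum).Sum
'Total Files = {0:N2} mb' -f ($total / 1MB)
# Clear-TempLocation -WhatIf     # list what would be removed, delete nothing
# Clear-TempLocation             # remove; returns the paths that were locked
```

Close browsers before running the delete step, otherwise the Temporary Internet Files contents come back as locked entries, and treat anything the script cannot remove after a reboot as worth a look rather than something to force.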
     
  20. 2013/08/29
    adrenalinesaint Inactive Thread Starter
    Thanks so very much!
    I am so happy to be back on my normal computer here at work!
     
  21. 2013/08/29
    broni Moderator Malware Analyst
    Way to go!!
    Good luck and stay safe :)
     
