# My data files have been hacked and encrypted



## AGuyNamedPablo (Oct 16, 2014)

At this point I am looking for advice more than I am actual tech/repair service.

I have an older computer running on Windows XP Pro. I've been using Microsoft Security Essentials for virus protection (although support ended 6 months ago), and the free version of Malwarebytes for malware protection. About two days ago my computer was hacked and something or someone encrypted all of my files... Word, Excel, AutoCAD, PDF, JPEG files... just about everything.

They left a text document instructing me to go to a certain website if I want my files restored. I have not done this. I have actually disconnected my computer from the internet for the time being.

I've tested all of my software and everything seems to be working fine. I can create, save and edit new documents. I just can't open or read my old documents.

I have most of my important work and personal files backed up, although the backup is about a week out of date so I'll lose or have to recreate some of the most recent stuff. Also, I do have a number of items on my desktop (or otherwise) which I'd never backed up. Nothing critical, but just the same I'd rather not lose that stuff. In addition, I don't believe I've got a recent backup of my email (I'm using Outlook 2003).

I can provide more details as needed, but right now I'm just looking for advice on what to do next. Although I do have to get my computer cleaned up, by far my biggest concern is restoring my data files if that is possible. I've been told that it can be done, but that it's hit or miss.

I've spoken to a few tech support companies (Kaspersky, Answers by Gateway, and Geek Squad) about this, but none have given me a lot of confidence that they can decrypt and/or restore my files. So I have not pulled the trigger yet as far as hiring any of them.

I guess my question is, who in here (or out there) has had experience with this sort of issue? Is there a good chance I can get my files restored, or am I SOL? If I have next to zero chance of restoring my files, I'd probably just go ahead and completely clean off my hard drive and start over, reinstalling the OS, software, etc. Maybe even upgrade to Vista. I suppose I could make another, separate backup copy of all my corrupted (encrypted) files first, to see if maybe someone could decrypt them later?

What do you guys think? Also, any opinions or experiences with the above mentioned (or any other) companies, particularly with regards to my main concern (restoring my files)?

Thanks in advance,
Paul


----------



## JSntgRvr (Jul 1, 2003)

Welcome to TSG.

It is called Ransomware. There is not much we can do to decrypt these files. Many experts are working on a solution.

Download the IdTool from *here*. Run the tool and post its report.


----------



## AGuyNamedPablo (Oct 16, 2014)

Thanks for the quick reply.

Since I'm having trouble with the internet, can I download it and then disconnect from the internet, and THEN run it?


----------



## AGuyNamedPablo (Oct 16, 2014)

Also, is this the same utility or different from the one on the "read this first" post, which says to download and run something called Sysinfo.exe?


----------



## JSntgRvr (Jul 1, 2003)

It is not Sysinfo.exe. This program is only used to determine the type of ransomware that has infected your computer. Chances are the tool will download .NET 5.0 from Microsoft prior to running.

Let's take a look at the computer with a tool you can download and run without a connection:

Please download Farbar Recovery Scan Tool and save it to your desktop.

*Note*: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Double-click to run it. When the tool opens, click *Yes* to the disclaimer.
Make sure that under *Optional Scans*, there is a checkmark on Addition.txt and Shortcut.
Press *Scan* button.
It will make a log (*FRST.txt*) in the same directory the tool is run. Please copy and paste it to your reply.
The tool will also produce another two logs (*Addition.txt and Shortcut.txt*). Please attach these to your reply.


----------



## AGuyNamedPablo (Oct 16, 2014)

I have not run the IdTool yet, although it's downloaded and installed on my computer (it appeared to download .NET 4.0, but I'm not certain of that).

Should I still run the IdTool, or just Farbar? Or both?


----------



## AGuyNamedPablo (Oct 16, 2014)

By the way, I just read a fairly new article/post (from Wednesday) on bleepingcomputer.com about the ransomware CryptoWall 2.0 which was just unleashed. This is EXACTLY what attacked my computer. The sample text document (Decrypt Instruction) they show is word-for-word exactly the same as the document it left in each of my affected folders.

It said the newer encryption method is virtually impossible to crack, so users are left with the choice of either restoring from backup, or paying the ransom.

Your take on this?


----------



## JSntgRvr (Jul 1, 2003)

There are many versions, Cryptowall, Cryptolocker, Torrentlocker and others. The purpose of the IDTool is to identify which ransomware infected the computer.


----------



## AGuyNamedPablo (Oct 16, 2014)

So should I run BOTH of the tools you've linked me to? I've already downloaded both of them, so I can do that if it will be helpful.


----------



## JSntgRvr (Jul 1, 2003)

Yes, please. The IDtool should be run while connected to the Internet. No need to open a browser, but it needs an Internet connection.


----------



## AGuyNamedPablo (Oct 16, 2014)

I ran the IdTool and here is the result log:

Infection Detection Tool v1.0 - Nathan Scott
--------------------------------------------
Date/Time: 10/20/2014 1:29:29 AM
Operating System: Windows XP
Service Pack: Service Pack 3
Version Number: 5.1
Product Type: Workstation
--------------------------------------------
[Detected Flags]
1.| Possible CryptoWall Flag , HKCU\Software\90D80402C58CB60C643B159855838E92\12334555688899BE
2.| Possible CryptoWall Flag , C:\Documents and Settings\Paul Kane\My Documents\My Pictures\DECRYPT_INSTRUCTION.HTML


----------



## AGuyNamedPablo (Oct 16, 2014)

I should add that this scan only took about a second (if even that long). Is this normal? Do you think it scanned my entire computer? I have a lot of stuff on my computer.
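The IdTool finishes in about a second because it only checks a short list of known CryptoWall markers (a registry key under HKCU and the DECRYPT_INSTRUCTION notes) rather than reading file contents. The FRST logs JSntgRvr asked for are the broader picture a helper works from. As an added example that is not part of this thread, of the IdTool, or of FRST, here is a Python triage script that reads FRST-format log lines (a constructed sample in that format, with the profile name replaced by "User") and pulls out what a responder looks at first: entries FRST itself marks ATTENTION, autorun values whose target lives in a temp or profile directory, drivers whose image file is missing, and the ransom-note files with their creation times.

```python
import re
from datetime import datetime

# Constructed sample in FRST's line format. The entry names and paths follow
# the kind of lines an XP CryptoWall victim's FRST.txt contains; the profile
# name is replaced by "User" and the set is trimmed for illustration.
SAMPLE_FRST_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [wkoxgkfhnax] => C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\vvtcyhy.exe <===== ATTENTION
HKLM\...\Run: [rjvbsdsnjqyqphbsivt] => C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\hebkcxn.dll" update
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [90d8040] => C:\Documents and Settings\User\Application Data\90d8040.exe [314880 2014-10-13] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [svchost86x.sys] => C:\WINDOWS\TEMP\conhost.exe [153088 2014-10-15] (Microsoft) <===== ATTENTION
==================== Drivers (Whitelisted) ====================
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S1 bilbfznj; \??\C:\WINDOWS\system32\drivers\bilbfznj.sys [X]
==================== One Month Created Files and Folders ========
2014-10-14 00:36 - 2014-10-14 00:36 - 00004158 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:22 - 2014-10-13 16:22 - 00008224 _____ () C:\Documents and Settings\User\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:19 - 2014-10-13 16:19 - 00314880 _____ (Microsoft Corporation) C:\Documents and Settings\User\Application Data\90d8040.exe
"""

# Autorun lines: "<hive>\...\Run: [<value name>] => <command>"
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
# Service/driver lines: "<start type> <name>; <image path> [size date] (vendor)"
DRIVER_RE = re.compile(r"^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# Created-file lines: "<created> - <modified> - <size> <attrs> (<vendor>) <path>"
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - \d{4}-\d\d-\d\d \d\d:\d\d - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) \((?P<vendor>[^)]*)\) (?P<path>.*)$")

# Directories a legitimate autorun on XP almost never launches from; every
# malicious Run value in the thread's log points into one of these.
USER_WRITABLE_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")
RANSOM_NOTE_PREFIX = "decrypt_instruction."


def triage(log_text):
    """Pull the responder-relevant entries out of FRST-format log text."""
    report = {"attention": [], "suspicious_autoruns": [],
              "missing_driver_images": [], "ransom_notes": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST flags entries it cannot vouch for; these are read first.
        if "<===== ATTENTION" in line:
            report["attention"].append(line)
        m = AUTORUN_RE.match(line)
        if m:
            if any(d in m.group("cmd").lower() for d in USER_WRITABLE_DIRS):
                report["suspicious_autoruns"].append(
                    (m.group("hive"), m.group("name"), m.group("cmd")))
            continue
        m = DRIVER_RE.match(line)
        if m:
            # "[X]" means FRST found the registered image file missing on disk.
            if m.group("rest").endswith("[X]"):
                report["missing_driver_images"].append(m.group("name"))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path")
            if path.rsplit("\\", 1)[-1].lower().startswith(RANSOM_NOTE_PREFIX):
                created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
                report["ransom_notes"].append((created, path))
    report["ransom_notes"].sort()
    return report


def first_note_time(report):
    """Earliest ransom-note creation time: a lower bound on when encryption ran."""
    return report["ransom_notes"][0][0] if report["ransom_notes"] else None


if __name__ == "__main__":
    r = triage(SAMPLE_FRST_LOG)
    for key in ("attention", "suspicious_autoruns", "missing_driver_images", "ransom_notes"):
        print(f"{key} ({len(r[key])}):")
        for item in r[key]:
            print("   ", item)
    print("encryption began no later than:", first_note_time(r))
```

The rundll32 entry loading hebkcxn.dll from system32 passes the path check, which is why FRST's own ATTENTION marks and a human look at unfamiliar value names still matter alongside any script like this.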


----------



## AGuyNamedPablo (Oct 16, 2014)

OK, I ran the Farbar Recovery Scan Tool. Got two very long logs. I will post the first one (called FRST) here, and the second log (called Addition) in the following post.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-10-2014
Ran by Paul Kane (administrator) on HOME-89B9F847D7 on 20-10-2014 01:51:46
Running from C:\Documents and Settings\Paul Kane\Desktop\Computer\Cyber Attack October 2014
Loaded Profile: Paul Kane (Available profiles: Paul Kane & Guest)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
() C:\Program Files\EVGA Precision X\EVGAPrecision.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(CyberLink) C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
(cyberlink) C:\Program Files\CyberLink\Shared files\brs.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\WINDOWS\system32\regsvr32.exe
(Microsoft Corporation) C:\WINDOWS\system32\regsvr32.exe
(Microsoft) C:\DOCUME~1\PAULKA~1\LOCALS~1\Temp\conhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SkyTel] => C:\WINDOWS\SkyTel.EXE [2879488 2006-05-16] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [EVGAPrecision] => C:\Program Files\EVGA Precision X\EVGAPrecision.exe [553800 2012-06-29] ()
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16264192 2006-09-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
HKLM\...\Run: [CLMLServer] => C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe [107816 2011-03-09] (CyberLink)
HKLM\...\Run: [UpdateP2GoShortCut] => C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [UpdatePDRShortCut] => C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [222504 2011-02-01] (CyberLink Corp.)
HKLM\...\Run: [RemoteControl10] => C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe [87336 2011-03-30] (CyberLink Corp.)
HKLM\...\Run: [BDRegion] => C:\Program Files\Cyberlink\Shared files\brs.exe [75048 2011-12-13] (cyberlink)
HKLM\...\Run: [UpdatePSTShortCut] => C:\Program Files\CyberLink\Media Suite\MUITransfer\MUIStartMenu.exe [222504 2011-09-29] (CyberLink Corp.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-05-07] (Oracle Corporation)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [.tluafed** <*>] => C:\Documents and Settings\Paul Kane\Application Data\{00002454-230D-5716-4EDF-F11687C9B491}.ex <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Run: [wkoxgkfhnax] => C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\vvtcyhy.exe <===== ATTENTION
HKLM\...\Run: [rjvbsdsnjqyqphbsivt] => C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\hebkcxn.dll" update
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 220 more characters). <==== ATTENTION!
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^k4QAAA==n{[email protected]#@&l{xAPzmOk7+p6(L+1O`r?1.rwDRUtnVsE*[email protected]#@&S4k^+cne'[email protected]#@&`@#@&[email protected]#@&i @#@&di (the data entry has 33863 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [Power2GoExpress] => NA
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [Akamai NetSession Interface] => "C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Akamai\netsession_win.exe"
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [Otmics] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Ohvdics\symcrtPath.dll"
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [YVZPack Update] => regsvr32.exe "C:\Documents and Settings\Paul Kane\Local Settings\Application Data\YVZPack\dxMainio16.dll"
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [ChromeUpdate] => C:\Documents and Settings\Paul Kane\Application Data\ChromeUpdate.exe [16086006 2014-10-13] (Microsoft Corporation)
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [90d804] => C:\90d8040\90d8040.exe [314880 2014-10-13] (Microsoft Corporation)
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [90d8040] => C:\Documents and Settings\Paul Kane\Application Data\90d8040.exe [314880 2014-10-13] (Microsoft Corporation)
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [svchost86x.sys] => C:\Documents and Settings\Paul Kane\Local Settings\Temp\conhost.exe [153088 2014-10-15] (Microsoft) <===== ATTENTION
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe [697272 2013-01-07] (Adobe Systems Incorporated)
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\MountPoints2: {64a7706a-589b-11e2-a6f0-00044b02416c} - E:\RunClubSanDisk.exe
HKU\S-1-5-18\...\Run: [svchost86x.sys] => C:\WINDOWS\TEMP\conhost.exe [153088 2014-10-15] (Microsoft) <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe [697272 2013-01-07] (Adobe Systems Incorporated)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
ShortcutTarget: AutoCAD Startup Accelerator.lnk -> C:\Program Files\Common Files\Autodesk Shared\acstart16.exe (Autodesk, Inc)
Startup: C:\Documents and Settings\Paul Kane\Start Menu\Programs\Startup\90d8040.exe (Microsoft Corporation)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\WINDOWS\system32\AcSignIcon.dll (Autodesk)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utsandiego.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/...ls/en/x86/client/wuweb_site.cab?1357544801687
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
FireFox:
========
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=10.60.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.60.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-17]
Chrome: 
=======
CHR Profile: C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (RemoteDeskHelpSessionMgr Class) - C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla [2014-10-02]
CHR Extension: (Google Docs) - C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-05]
CHR Extension: (Google Drive) - C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-05]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-05]
CHR Extension: (YouTube) - C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-05]
CHR Extension: (Google Search) - C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-05]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-05]
CHR Extension: (Gmail) - C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-05]
========================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 CLKMSVC10_B91CB6D3; C:\Program Files\CyberLink\PowerDVD10\NavFilter\kmsvc.exe [241648 2011-04-20] (CyberLink)
R2 DcomLaunch; C:\WINDOWS\system32\rpcss.dll [408576 2009-02-09] (Microsoft Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-06-26] (Oracle Corporation)
S3 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [65536 2004-03-18] (HP) [File not signed]
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [247152 2011-12-13] ()
R2 RpcSs; C:\WINDOWS\system32\rpcss.dll [408576 2009-02-09] (Microsoft Corporation) [File not signed]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [51088 2004-06-22] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2004-06-22] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21744 2004-06-22] (HP)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S3 NPF; C:\WINDOWS\System32\drivers\NPF.sys [50704 2014-10-13] (CACE Technologies, Inc.)
R0 nvata; C:\WINDOWS\System32\DRIVERS\nvata.sys [105344 2006-09-21] (NVIDIA Corporation)
R3 NVENETFD; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [52736 2006-08-07] (NVIDIA Corporation)
R3 nvnetbus; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [18944 2006-08-07] (NVIDIA Corporation)
S3 PUSBODD; C:\WINDOWS\System32\drivers\PIUSBODD.SYS [26448 2011-12-13] (Pioneer Corporation.)
R3 RTCore32; C:\Program Files\EVGA Precision X\RTCore32.sys [5632 2011-09-06] () [File not signed]
S1 bilbfznj; \??\C:\WINDOWS\system32\drivers\bilbfznj.sys [X]
S1 ciknxxpx; \??\C:\WINDOWS\system32\drivers\ciknxxpx.sys [X]
S4 IntelIde; No ImagePath
S1 mcyuxrhl; \??\C:\WINDOWS\system32\drivers\mcyuxrhl.sys [X]
S1 pkukqyug; \??\C:\WINDOWS\system32\drivers\pkukqyug.sys [X]
S1 qqvibyjc; \??\C:\WINDOWS\system32\drivers\qqvibyjc.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U1 WS2IFSL; No ImagePath
==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-10-20 01:51 - 2014-10-20 01:51 - 00000000 ____D () C:\FRST
2014-10-20 01:28 - 2014-10-20 01:28 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\IDTool
2014-10-19 01:02 - 2014-10-19 11:22 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\TEMP and NEW Files October 2014
2014-10-18 00:24 - 2014-10-20 01:50 - 00087200 _____ () C:\Documents and Settings\All Users\Application Data\wrnhoah.tmp
2014-10-17 23:51 - 2014-10-17 23:51 - 00090112 _____ () C:\WINDOWS\Minidump\Mini101714-01.dmp
2014-10-16 01:49 - 2014-10-19 12:48 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Health Issues 2014
2014-10-16 00:40 - 2014-10-16 00:42 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Weather
2014-10-14 15:42 - 2014-10-14 15:42 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVAST Software
2014-10-14 02:05 - 2014-10-14 11:30 - 00000000 _____ () C:\avenger.txt
2014-10-14 02:05 - 2014-10-14 02:05 - 00000000 ____D () C:\Avenger
2014-10-14 00:36 - 2014-10-14 00:36 - 00008226 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-10-14 00:36 - 2014-10-14 00:36 - 00004158 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-10-14 00:36 - 2014-10-14 00:36 - 00000278 _____ () C:\DECRYPT_INSTRUCTION.URL
2014-10-14 00:30 - 2014-10-14 00:30 - 00008226 _____ () C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.HTML
2014-10-14 00:30 - 2014-10-14 00:30 - 00008226 _____ () C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.HTML
2014-10-14 00:30 - 2014-10-14 00:30 - 00008226 _____ () C:\Documents and Settings\DECRYPT_INSTRUCTION.HTML
2014-10-14 00:30 - 2014-10-14 00:30 - 00004158 _____ () C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.TXT
2014-10-14 00:30 - 2014-10-14 00:30 - 00004158 _____ () C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.TXT
2014-10-14 00:30 - 2014-10-14 00:30 - 00004158 _____ () C:\Documents and Settings\DECRYPT_INSTRUCTION.TXT
2014-10-14 00:30 - 2014-10-14 00:30 - 00000278 _____ () C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.URL
2014-10-14 00:30 - 2014-10-14 00:30 - 00000278 _____ () C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.URL
2014-10-14 00:30 - 2014-10-14 00:30 - 00000278 _____ () C:\Documents and Settings\DECRYPT_INSTRUCTION.URL
2014-10-14 00:28 - 2014-10-14 00:28 - 00008226 _____ () C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.HTML
2014-10-14 00:28 - 2014-10-14 00:28 - 00008226 _____ () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-14 00:28 - 2014-10-14 00:28 - 00004158 _____ () C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.TXT
2014-10-14 00:28 - 2014-10-14 00:28 - 00004158 _____ () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-14 00:28 - 2014-10-14 00:28 - 00000278 _____ () C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.URL
2014-10-14 00:28 - 2014-10-14 00:28 - 00000278 _____ () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
2014-10-13 23:40 - 2014-10-14 15:42 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Avast
2014-10-13 19:11 - 2014-10-13 19:11 - 00087200 _____ () C:\Documents and Settings\Paul Kane\C
2014-10-13 16:22 - 2014-10-13 16:22 - 00281104 _____ (CACE Technologies, Inc.) C:\WINDOWS\system32\wpcap.dll
2014-10-13 16:22 - 2014-10-13 16:22 - 00100880 _____ (CACE Technologies, Inc.) C:\WINDOWS\system32\Packet.dll
2014-10-13 16:22 - 2014-10-13 16:22 - 00050704 _____ (CACE Technologies, Inc.) C:\WINDOWS\system32\Drivers\npf.sys
2014-10-13 16:22 - 2014-10-13 16:22 - 00008224 _____ () C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:22 - 2014-10-13 16:22 - 00004156 _____ () C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:22 - 2014-10-13 16:22 - 00000276 _____ () C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.URL
2014-10-13 16:21 - 2014-10-13 16:21 - 00008224 _____ () C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:21 - 2014-10-13 16:21 - 00008224 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:21 - 2014-10-13 16:21 - 00008224 _____ () C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:21 - 2014-10-13 16:21 - 00008224 _____ () C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:21 - 2014-10-13 16:21 - 00008224 _____ () C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:21 - 2014-10-13 16:21 - 00008224 _____ () C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:21 - 2014-10-13 16:21 - 00004156 _____ () C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:21 - 2014-10-13 16:21 - 00004156 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:21 - 2014-10-13 16:21 - 00004156 _____ () C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:21 - 2014-10-13 16:21 - 00004156 _____ () C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:21 - 2014-10-13 16:21 - 00004156 _____ () C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:21 - 2014-10-13 16:21 - 00004156 _____ () C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:21 - 2014-10-13 16:21 - 00000276 _____ () C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.URL
2014-10-13 16:21 - 2014-10-13 16:21 - 00000276 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
2014-10-13 16:21 - 2014-10-13 16:21 - 00000276 _____ () C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.URL
2014-10-13 16:21 - 2014-10-13 16:21 - 00000276 _____ () C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.URL
2014-10-13 16:21 - 2014-10-13 16:21 - 00000276 _____ () C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
2014-10-13 16:21 - 2014-10-13 16:21 - 00000276 _____ () C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.URL
2014-10-13 16:20 - 2014-10-14 02:04 - 00000000 ____D () C:\Documents and Settings\All Users\Local Settings\Temp
2014-10-13 16:20 - 2014-10-13 23:30 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Ipucillu
2014-10-13 16:20 - 2014-10-13 16:20 - 00008224 _____ () C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:20 - 2014-10-13 16:20 - 00008224 _____ () C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:20 - 2014-10-13 16:20 - 00008224 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:20 - 2014-10-13 16:20 - 00008224 _____ () C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:20 - 2014-10-13 16:20 - 00008224 _____ () C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:20 - 2014-10-13 16:20 - 00008224 _____ () C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:20 - 2014-10-13 16:20 - 00008224 _____ () C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:20 - 2014-10-13 16:20 - 00004156 _____ () C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:20 - 2014-10-13 16:20 - 00004156 _____ () C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:20 - 2014-10-13 16:20 - 00004156 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:20 - 2014-10-13 16:20 - 00004156 _____ () C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:20 - 2014-10-13 16:20 - 00004156 _____ () C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:20 - 2014-10-13 16:20 - 00004156 _____ () C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:20 - 2014-10-13 16:20 - 00004156 _____ () C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:20 - 2014-10-13 16:20 - 00000276 _____ () C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.URL
2014-10-13 16:20 - 2014-10-13 16:20 - 00000276 _____ () C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.URL
2014-10-13 16:20 - 2014-10-13 16:20 - 00000276 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
2014-10-13 16:20 - 2014-10-13 16:20 - 00000276 _____ () C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.URL
2014-10-13 16:20 - 2014-10-13 16:20 - 00000276 _____ () C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.URL
2014-10-13 16:20 - 2014-10-13 16:20 - 00000276 _____ () C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.URL
2014-10-13 16:20 - 2014-10-13 16:20 - 00000276 _____ () C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.URL
2014-10-13 16:19 - 2014-10-15 17:33 - 00001352 _____ () C:\Documents and Settings\All Users\Application Data\@system.att
2014-10-13 16:19 - 2014-10-15 17:33 - 00001088 ____H () C:\Documents and Settings\All Users\Application Data\@system2.att
2014-10-13 16:19 - 2014-10-13 16:19 - 16086006 _____ (Microsoft Corporation) C:\Documents and Settings\Paul Kane\Application Data\ChromeUpdate.exe
2014-10-13 16:19 - 2014-10-13 16:19 - 00314880 _____ (Microsoft Corporation) C:\Documents and Settings\Paul Kane\Application Data\90d8040.exe
2014-10-13 16:19 - 2014-10-13 16:19 - 00000448 ____H () C:\Documents and Settings\Paul Kane\Application Data\麽鎒駓覜
2014-10-13 16:19 - 2014-10-13 16:19 - 00000000 ___HD () C:\90d8040
2014-10-13 16:18 - 2014-10-13 23:30 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Liwyam
2014-10-13 02:05 - 2014-10-13 02:05 - 00090112 _____ () C:\WINDOWS\Minidump\Mini101314-01.dmp
2014-10-12 17:55 - 2014-10-12 17:55 - 00090112 _____ () C:\WINDOWS\Minidump\Mini101214-01.dmp
2014-10-12 16:15 - 2014-10-12 21:35 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Upzeoh
2014-10-12 16:15 - 2014-10-12 21:35 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Osishad
2014-10-12 16:13 - 2014-10-12 16:13 - 00049152 _____ () C:\WINDOWS\system32\hebkcxn.dll
2014-10-12 16:13 - 2014-10-12 16:13 - 00000000 _____ () C:\WINDOWS\system32\cayfrk.dll
2014-10-11 15:18 - 2014-10-11 22:47 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\j9tbgsdger04r
2014-10-11 03:10 - 2014-10-11 03:10 - 00090112 _____ () C:\WINDOWS\Minidump\Mini101114-01.dmp
2014-10-10 11:47 - 2014-10-10 11:47 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Vyutivy
2014-10-10 11:47 - 2014-10-10 11:47 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Usvydevu
2014-10-10 11:47 - 2014-10-10 11:47 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Owutekfo
2014-10-10 11:47 - 2014-10-10 11:47 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Munomye
2014-10-10 11:47 - 2014-10-10 11:47 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Eriruf
2014-10-10 11:47 - 2014-10-10 11:47 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Beavxeu
2014-10-09 12:38 - 2014-10-15 17:36 - 00065536 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-10-09 12:38 - 2014-10-09 16:11 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-10-09 12:37 - 2014-10-09 12:38 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-10-09 12:37 - 2014-10-09 12:37 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-10-09 12:37 - 2014-10-09 12:37 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-10-09 12:37 - 2014-10-09 12:37 - 00000000 ____D () C:\WINDOWS\system32\GroupPolicy
2014-10-09 12:37 - 2014-10-09 12:37 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$
2014-10-08 14:42 - 2008-04-14 06:42 - 00221184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmpns.dll
2014-10-02 05:30 - 2014-10-07 14:32 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\YVZPack
2014-10-02 05:29 - 2014-10-02 10:17 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Ogunqy
2014-10-02 05:29 - 2014-10-02 10:14 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Elkebivu
2014-10-02 05:29 - 2014-10-02 05:30 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Ohvdics
2014-09-30 09:17 - 2014-09-30 09:17 - 00000000 ____D () C:\WINDOWS\system32\LogFiles
2014-09-29 17:19 - 2014-09-29 17:21 - 00000664 _____ () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\d3d9caps.dat
2014-09-29 16:52 - 2014-09-29 16:53 - 00006144 __RSH () C:\Documents and Settings\Paul Kane\Application Data\{00002454-230D-5716-4EDF-F11687C9B491}.exe
2014-09-28 10:29 - 2014-10-13 17:24 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Coleman Property
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-10-20 01:52 - 2013-01-07 00:13 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Temp
2014-10-20 01:49 - 2013-01-07 00:59 - 00000430 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{8EA0BB0F-B1A9-4973-8FF0-21055396EB39}.job
2014-10-20 01:31 - 2014-07-20 05:54 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-10-20 01:31 - 2014-04-08 22:42 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Computer
2014-10-20 01:27 - 2013-01-07 00:08 - 01407379 _____ () C:\WINDOWS\WindowsUpdate.log
2014-10-20 01:20 - 2013-01-07 01:20 - 00000892 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-20 00:19 - 2013-09-17 00:19 - 00000464 _____ () C:\WINDOWS\Tasks\At3.job
2014-10-19 23:49 - 2013-01-07 00:11 - 00032546 _____ () C:\WINDOWS\SchedLgU.Txt
2014-10-19 20:40 - 2013-09-17 00:19 - 00000464 _____ () C:\WINDOWS\Tasks\At2.job
2014-10-19 15:20 - 2013-01-07 01:20 - 00000888 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-19 14:00 - 2013-09-17 00:19 - 00000464 _____ () C:\WINDOWS\Tasks\At4.job
2014-10-19 13:03 - 2013-01-06 16:02 - 00000211 _____ () C:\WINDOWS\wiadebug.log
2014-10-19 10:10 - 2013-09-17 00:19 - 00000464 _____ () C:\WINDOWS\Tasks\At1.job
2014-10-19 09:49 - 2014-04-08 22:37 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-10-19 04:40 - 2014-04-03 05:10 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-10-19 04:40 - 2013-01-07 00:11 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2014-10-18 02:42 - 2014-04-03 09:49 - 00000230 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-10-18 02:42 - 2013-01-11 06:01 - 00000260 _____ () C:\WINDOWS\Tasks\WGASetup.job
2014-10-18 02:33 - 2013-01-07 00:11 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-10-18 02:33 - 2013-01-06 16:02 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-10-17 23:51 - 2004-08-04 05:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-10-17 13:45 - 2013-01-07 16:38 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-10-17 13:37 - 2013-01-06 16:00 - 00585732 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-10-17 13:13 - 2013-01-11 01:53 - 00000000 ____D () C:\Program Files\Microsoft.NET
2014-10-17 13:11 - 2010-02-07 20:14 - 00000891 _____ () C:\Documents and Settings\Paul Kane\Desktop\Bank of America.url
2014-10-17 01:29 - 2013-01-11 01:59 - 00002495 _____ () C:\Documents and Settings\Paul Kane\Desktop\Microsoft Office Excel 2003.lnk
2014-10-16 01:31 - 2013-01-08 03:19 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Stuff to Check Out
2014-10-16 01:30 - 2014-05-27 00:42 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Computers - Laptops
2014-10-16 01:19 - 2013-01-12 19:30 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Funny Stuff
2014-10-16 00:59 - 2013-01-08 01:09 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Paul's Business
2014-10-15 17:36 - 2013-01-07 00:13 - 00000278 ___SH () C:\Documents and Settings\Paul Kane\ntuser.ini
2014-10-15 14:14 - 2013-01-08 02:28 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\TEMP Files 103010 to 121210
2014-10-15 10:35 - 2013-01-11 01:56 - 00002497 _____ () C:\Documents and Settings\Paul Kane\Desktop\Microsoft Office Word 2003.lnk
2014-10-14 23:40 - 2013-01-08 01:30 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Paul's Stuff
2014-10-14 12:15 - 2013-01-06 15:59 - 00520814 _____ () C:\WINDOWS\setupapi.log
2014-10-14 12:15 - 2013-01-06 15:59 - 00165435 _____ () C:\WINDOWS\setupact.log
2014-10-14 02:31 - 2013-01-11 02:02 - 00002521 _____ () C:\Documents and Settings\Paul Kane\Desktop\Microsoft Office Outlook 2003.lnk
2014-10-14 02:10 - 2013-01-07 00:38 - 00000000 ____D () C:\Program Files\EVGA Precision X
2014-10-14 02:05 - 2013-03-22 05:00 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2807986$
2014-10-14 00:39 - 2013-01-07 17:47 - 00000000 ____D () C:\Documents and Settings\Guest\Start Menu\Programs\CyberLink Media Suite
2014-10-14 00:39 - 2013-01-07 01:38 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Start Menu\Programs\CyberLink Media Suite
2014-10-14 00:39 - 2013-01-07 01:38 - 00000000 ____D () C:\Documents and Settings\Default User\Start Menu\Programs\CyberLink Media Suite
2014-10-14 00:30 - 2014-07-08 15:44 - 00000000 ____D () C:\FileNet
2014-10-14 00:30 - 2013-01-14 22:43 - 00000000 ____D () C:\Documents and Settings\Paul Kane\My Documents\My Scans
2014-10-14 00:30 - 2013-01-07 00:13 - 00000000 ____D () C:\Documents and Settings\Paul Kane
2014-10-14 00:28 - 2013-01-07 01:48 - 00000000 ____D () C:\Documents and Settings\Paul Kane\My Documents\CyberLink
2014-10-14 00:27 - 2013-01-24 20:44 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Cyberlink
2014-10-14 00:27 - 2013-01-07 18:18 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Autodesk
2014-10-14 00:27 - 2013-01-07 16:46 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\HP
2014-10-14 00:27 - 2013-01-07 01:20 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Google
2014-10-14 00:23 - 2013-04-26 03:34 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Williams Ranch Samples - Save Elsewhere Later
2014-10-14 00:13 - 2014-09-03 04:33 - 00169240 _____ () C:\Documents and Settings\Paul Kane\Desktop\TV Show Log Summer 2014.xls
2014-10-14 00:13 - 2014-04-08 22:00 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Via Del Corvo, San Marcos
2014-10-14 00:13 - 2014-01-18 02:04 - 00175640 _____ () C:\Documents and Settings\Paul Kane\Desktop\TV Show Log Winter 2014.xls
2014-10-14 00:13 - 2013-10-04 04:22 - 00241944 _____ () C:\Documents and Settings\Paul Kane\Desktop\TV Show Log Fall 2013.xls
2014-10-14 00:13 - 2013-01-08 03:17 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Stuff to Print
2014-10-14 00:13 - 2013-01-08 02:26 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\TEMP KE Files 103010 to 121210
2014-10-14 00:13 - 2011-09-15 21:48 - 00021016 _____ () C:\Documents and Settings\Paul Kane\Desktop\TV Guide - NFL Football.xls
2014-10-14 00:13 - 2010-12-08 02:07 - 00244760 _____ () C:\Documents and Settings\Paul Kane\Desktop\TEMP Chase Business Bank Ledger.xls
2014-10-14 00:13 - 2010-11-12 11:03 - 00054808 _____ () C:\Documents and Settings\Paul Kane\Desktop\TEMP Chase Bank Ledger.xls
2014-10-14 00:13 - 2010-01-25 19:38 - 00022552 _____ () C:\Documents and Settings\Paul Kane\Desktop\TEMP Cash Box.xls
2014-10-14 00:13 - 2010-01-25 19:37 - 00221720 _____ () C:\Documents and Settings\Paul Kane\Desktop\TEMP Personal Checkbook.xls
2014-10-14 00:13 - 2010-01-25 19:36 - 00031256 _____ () C:\Documents and Settings\Paul Kane\Desktop\TEMP Bank Ledger - Kane Enterprises.xls
2014-10-14 00:13 - 2010-01-25 19:33 - 00098584 _____ () C:\Documents and Settings\Paul Kane\Desktop\TEMP Bank Ledger - Kane Engineering.xls
2014-10-14 00:13 - 2010-01-25 19:31 - 00068120 _____ () C:\Documents and Settings\Paul Kane\Desktop\TEMP Business Expenses.xls
2014-10-14 00:12 - 2013-04-23 15:59 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Standke
2014-10-14 00:02 - 2014-01-01 01:46 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\SB Nation Sites
2014-10-14 00:02 - 2013-02-28 16:39 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Receipts
2014-10-14 00:02 - 2013-01-08 02:20 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Router
2014-10-14 00:01 - 2013-06-12 21:38 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Prasad
2014-10-14 00:01 - 2013-01-08 03:12 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Pictures for Dinner
2014-10-13 23:48 - 2013-01-08 02:22 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Picgurs
2014-10-13 23:47 - 2013-01-08 02:10 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Photos Ready to Upload
2014-10-13 23:46 - 2013-02-18 17:30 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Photo Collection Box
2014-10-13 23:46 - 2013-01-08 02:10 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Photos for Others
2014-10-13 23:45 - 2013-01-08 01:33 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Paul's Work
2014-10-13 23:30 - 2013-01-10 06:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2691442$
2014-10-13 22:02 - 2013-01-08 01:38 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Paul's Business Samples
2014-10-13 18:33 - 2013-04-20 01:38 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Outlook Backup of File dated 042013 239 am TRASH THIS ONCE FULL BACKUP DONE
2014-10-13 18:33 - 2013-01-08 01:08 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Oakridge
2014-10-13 18:31 - 2013-01-14 23:53 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\National Mortgage Settlement
2014-10-13 18:31 - 2013-01-08 02:20 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\MS Office 2003 Sites
2014-10-13 18:31 - 2013-01-08 01:33 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Mom
2014-10-13 18:31 - 2013-01-08 01:27 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Nick
2014-10-13 18:30 - 2014-04-08 02:28 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Malwarebytes
2014-10-13 18:30 - 2014-03-25 18:46 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Lake Hodges
2014-10-13 18:30 - 2013-01-08 02:02 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Misc Desktop Stuff Prior to Computer Crash Jan 2010
2014-10-13 18:30 - 2013-01-08 01:54 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Linda Pix
2014-10-13 18:30 - 2010-09-17 06:11 - 00037144 _____ () C:\Documents and Settings\Paul Kane\Desktop\Logon Directory.xls
2014-10-13 18:29 - 2013-01-08 01:00 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Jennite Sale
2014-10-13 18:27 - 2013-01-08 01:01 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Jennite Rental
2014-10-13 18:24 - 2013-01-08 01:50 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Jani Photos Scans
2014-10-13 18:20 - 2013-01-08 01:34 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Jani Photos
2014-10-13 18:18 - 2013-01-08 01:26 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Jani Memorial
2014-10-13 18:17 - 2014-01-06 16:19 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Holly Street Oceanside
2014-10-13 18:17 - 2013-01-08 01:28 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Hillandale
2014-10-13 18:17 - 2013-01-08 01:01 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Jani Health Insurance
2014-10-13 18:08 - 2013-06-20 04:31 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Griffin - Sewer Lateral
2014-10-13 18:07 - 2013-05-10 11:53 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Griffin - HMP Exemption
2014-10-13 18:05 - 2013-04-16 23:13 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Griffin - Documents to Review
2014-10-13 18:04 - 2013-01-08 01:23 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Griffin (from Proposals)
2014-10-13 18:02 - 2013-07-24 22:37 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Fanita Drive
2014-10-13 18:02 - 2013-01-08 03:16 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Favorite Ones
2014-10-13 18:01 - 2013-01-08 01:36 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Family Photos
2014-10-13 17:44 - 2014-08-05 13:01 - 00029464 _____ () C:\Documents and Settings\Paul Kane\Desktop\Crystal View Lane - Drainage Study Time Log.xls
2014-10-13 17:44 - 2013-01-08 03:14 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Facebook
2014-10-13 17:44 - 2013-01-08 01:18 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Esquibel Samples - Save Elsewhere Later
2014-10-13 17:44 - 2013-01-08 01:02 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Craigslist
2014-10-13 17:24 - 2014-01-13 12:34 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Claire Drive
2014-10-13 17:24 - 2014-01-05 08:52 - 00423960 _____ () C:\Documents and Settings\Paul Kane\Desktop\Computer File Backup Checklist 2014.xls
2014-10-13 17:24 - 2013-01-08 00:43 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Chula Vista
2014-10-13 17:22 - 2014-04-16 14:13 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Canyon De Oro
2014-10-13 17:22 - 2013-01-08 01:00 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Calico Collections
2014-10-13 17:21 - 2014-02-20 15:06 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Banks
2014-10-13 17:21 - 2013-01-08 02:22 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\AutoCAD 2005
2014-10-13 17:21 - 2013-01-08 00:43 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\Bankruptcy
2014-10-13 17:19 - 2014-04-09 23:04 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\66th Street, San Diego
2014-10-13 17:16 - 2014-03-03 23:43 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Desktop\54th & Orange
2014-10-13 16:21 - 2013-01-09 00:15 - 00000000 ____D () C:\Documents and Settings\Guest\Local Settings\Application Data\Autodesk
2014-10-13 16:21 - 2013-01-07 18:16 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Autodesk
2014-10-13 16:21 - 2013-01-07 17:47 - 00000000 ____D () C:\Documents and Settings\Guest\Local Settings\Application Data\Power2Go
2014-10-13 16:21 - 2013-01-07 17:47 - 00000000 ____D () C:\Documents and Settings\Guest\Local Settings\Application Data\HP
2014-10-13 16:21 - 2013-01-07 17:47 - 00000000 ____D () C:\Documents and Settings\Guest
2014-10-13 16:21 - 2013-01-07 01:18 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Application Data\Adobe
2014-10-13 16:21 - 2013-01-07 00:11 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-10-13 16:20 - 2013-09-17 00:18 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP
2014-10-13 16:20 - 2013-01-09 00:15 - 00000000 ____D () C:\Documents and Settings\Guest\Application Data\Autodesk
2014-10-13 02:05 - 2013-02-09 05:06 - 00000000 ____D () C:\WINDOWS\Minidump
2014-10-12 21:35 - 2013-01-06 15:53 - 00000000 ___RD () C:\WINDOWS\Web
2014-10-11 22:47 - 2013-11-13 06:02 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2014-10-09 16:12 - 2013-01-06 15:53 - 00000000 ____D () C:\WINDOWS\security
2014-10-09 12:41 - 2013-01-06 16:00 - 01278802 _____ () C:\WINDOWS\iis6.log
2014-10-09 12:41 - 2013-01-06 16:00 - 00542414 _____ () C:\WINDOWS\tsoc.log
2014-10-09 12:41 - 2013-01-06 16:00 - 00398321 _____ () C:\WINDOWS\comsetup.log
2014-10-09 12:41 - 2013-01-06 16:00 - 00239773 _____ () C:\WINDOWS\ntdtcsetup.log
2014-10-09 12:41 - 2013-01-06 16:00 - 00065342 _____ () C:\WINDOWS\ocmsn.log
2014-10-09 12:41 - 2013-01-06 16:00 - 00060229 _____ () C:\WINDOWS\tabletoc.log
2014-10-09 12:41 - 2013-01-06 16:00 - 00001374 _____ () C:\WINDOWS\imsins.log
2014-10-09 12:40 - 2013-01-06 16:00 - 01180098 _____ () C:\WINDOWS\FaxSetup.log
2014-10-09 12:40 - 2013-01-06 16:00 - 00573285 _____ () C:\WINDOWS\ocgen.log
2014-10-09 12:40 - 2013-01-06 16:00 - 00207151 _____ () C:\WINDOWS\netfxocm.log
2014-10-09 12:40 - 2013-01-06 16:00 - 00082342 _____ () C:\WINDOWS\MedCtrOC.log
2014-10-09 12:40 - 2013-01-06 16:00 - 00059116 _____ () C:\WINDOWS\msgsocm.log
2014-10-09 12:39 - 2013-01-06 16:00 - 00358890 _____ () C:\WINDOWS\msmqinst.log
2014-10-09 12:38 - 2013-01-07 00:05 - 00000000 ___RD () C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2014-10-09 12:38 - 2013-01-06 15:53 - 00000000 ____D () C:\WINDOWS\Help
2014-10-08 15:00 - 2014-04-03 09:49 - 00000224 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-10-08 14:42 - 2013-01-07 00:06 - 00042146 _____ () C:\WINDOWS\wmsetup.log
2014-10-05 11:37 - 2013-01-10 06:06 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB974571$
2014-10-05 05:41 - 2013-10-13 02:27 - 00002812 _____ () C:\Documents and Settings\Paul Kane\Desktop\Bolts From The Blue.url
2014-10-04 11:06 - 2013-08-14 05:00 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2863058$
2014-10-04 10:52 - 2013-01-07 16:46 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\IsolatedStorage
2014-10-03 18:42 - 2013-01-10 06:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB973540_WM9$
2014-10-03 02:05 - 2013-10-22 15:05 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\LogMeIn Rescue Applet
2014-10-02 13:16 - 2010-11-06 17:04 - 00014218 _____ () C:\Documents and Settings\Paul Kane\Desktop\Chase Bank.url
2014-10-01 22:24 - 2013-01-08 18:27 - 00005756 _____ () C:\Documents and Settings\Paul Kane\Desktop\TV Guide.url
2014-10-01 20:30 - 2014-08-03 08:56 - 00000000 ____D () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\browser_dir
2014-09-30 21:37 - 2013-01-10 06:00 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2360937$
2014-09-29 15:33 - 2013-10-09 05:00 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862330$
2014-09-24 18:26 - 2011-03-02 00:45 - 00044932 _____ () C:\Documents and Settings\Paul Kane\Desktop\San Diego Chargers.url
2014-09-22 13:11 - 2011-01-14 03:19 - 00000293 _____ () C:\Documents and Settings\Paul Kane\Desktop\Cox - Internet Tools.url
2014-09-21 23:41 - 2013-01-07 01:09 - 00231568 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
Files to move or delete:
====================
C:\Documents and Settings\Paul Kane\Local Settings\Temp\conhost.exe
C:\WINDOWS\TEMP\conhost.exe
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At4.job

Some content of TEMP:
====================
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-c80d814.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\ARS.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\cdo894109409.dll
C:\Documents and Settings\Paul Kane\Local Settings\Temp\conhost.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\HPPSdr.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\hpzmsi01.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\hpzscr01.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\iqg.dll
C:\Documents and Settings\Paul Kane\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\oow.dll

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll
[2004-08-04 05:00] - [2009-02-09 05:10] - 0408576 ____A (Microsoft Corporation) c7565aac1fdf795d49576d8c0ec7f7ed 
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
==================== End Of Log ============================


----------
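A triage helper for an FRST listing like the one above, added here as an example; it is not part of the post and not code from Farbar's tool. It pivots on the earliest DECRYPT_INSTRUCTION.* creation time (those file names are the ransom notes CryptoWall drops) to list what was written in the minutes before the notes appeared, and flags the other patterns visible in the log: executables written under Application Data or Temp, At<N>.job scheduler entries, and a hidden hex-named directory in the drive root. The sample lines are constructed in FRST's line format with a generic user name; the rule names and the 10-minute lookback are my choices, not anything the log states.

```python
"""Triage helper for FRST 'One Month Created/Modified Files' lines (added example)."""
import re
from datetime import datetime, timedelta

# One FRST file line: "<created> - <modified> - <size> <attrs> (<company>) <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# Indicator patterns taken from what is visible in the log above.
RANSOM_NOTE_RE = re.compile(r"\\DECRYPT_INSTRUCTION\.(TXT|HTML|URL)$", re.I)
PROFILE_EXE_RE = re.compile(r"\\(Application Data|Local Settings\\Temp)\\[^\\]+\.exe$", re.I)
AT_JOB_RE = re.compile(r"\\WINDOWS\\Tasks\\At\d+\.job$", re.I)
HIDDEN_ROOT_DIR_RE = re.compile(r"^[A-Z]:\\[0-9a-f]{6,8}$", re.I)

# Constructed sample in FRST's format (generic user name), not copied from the post.
SAMPLE = r"""
==================== One Month Created Files and Folders ========
2014-10-13 16:21 - 2014-10-13 16:21 - 00000276 _____ () C:\Documents and Settings\user\DECRYPT_INSTRUCTION.URL
2014-10-13 16:20 - 2014-10-13 16:20 - 00008224 _____ () C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML
2014-10-13 16:20 - 2014-10-13 16:20 - 00004156 _____ () C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.TXT
2014-10-13 16:19 - 2014-10-13 16:19 - 16086006 _____ (Microsoft Corporation) C:\Documents and Settings\user\Application Data\ChromeUpdate.exe
2014-10-13 16:19 - 2014-10-13 16:19 - 00000000 ___HD () C:\90d8040
2014-10-13 16:18 - 2014-10-13 23:30 - 00000000 ____D () C:\Documents and Settings\user\Application Data\Liwyam
2014-10-13 02:05 - 2014-10-13 02:05 - 00090112 _____ () C:\WINDOWS\Minidump\Mini101314-01.dmp
2014-10-09 12:37 - 2014-10-09 12:37 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-10-20 00:19 - 2013-09-17 00:19 - 00000464 _____ () C:\WINDOWS\Tasks\At3.job
"""


def parse_frst(text):
    """Parse FRST file lines into dicts; headers, blanks and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["created"] = datetime.strptime(e["created"], TS_FMT)
        e["modified"] = datetime.strptime(e["modified"], TS_FMT)
        e["size"] = int(e["size"])
        entries.append(e)
    return entries


def first_ransom_note(entries):
    """Earliest creation time of any ransom note, or None if no note is present."""
    times = [e["created"] for e in entries if RANSOM_NOTE_RE.search(e["path"])]
    return min(times) if times else None


def triage(text, lookback=timedelta(minutes=10)):
    """Return (first_note_time, flags); flags is a sorted list of (rule, path).

    ransom_note      DECRYPT_INSTRUCTION.* drop
    exe_in_profile   .exe under Application Data / Local Settings\\Temp; the company
                     string FRST prints comes from the file's own version resource
                     (attacker-controlled), so it is ignored here on purpose
    at_job           At<N>.job entries created with the legacy at.exe scheduler
    hidden_root_dir  hidden directory with a short hex name in the drive root
    pre_note_drop    anything created within `lookback` before the first note;
                     the loader that did the encryption is usually in this window
    """
    entries = parse_frst(text)
    t0 = first_ransom_note(entries)
    flags = set()
    for e in entries:
        path, attrs = e["path"], e["attrs"]
        if RANSOM_NOTE_RE.search(path):
            flags.add(("ransom_note", path))
            continue
        if PROFILE_EXE_RE.search(path):
            flags.add(("exe_in_profile", path))
        if AT_JOB_RE.search(path):
            flags.add(("at_job", path))
        if "H" in attrs and "D" in attrs and HIDDEN_ROOT_DIR_RE.match(path):
            flags.add(("hidden_root_dir", path))
        if t0 is not None and t0 - lookback <= e["created"] <= t0:
            flags.add(("pre_note_drop", path))
    return t0, sorted(flags)


if __name__ == "__main__":
    t0, flags = triage(SAMPLE)
    print("first ransom note written:", t0)
    for rule, path in flags:
        print(f"{rule:16} {path}")
```

Run against a full FRST.txt the same way (`triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`). The point of the pre_note_drop window is that a ransom note is the last thing the malware writes, so the files created in the minutes before it (here ChromeUpdate.exe, 90d8040.exe, the hidden C:\90d8040 directory and the random-named Application Data folders) are the ones worth hashing and submitting, while the "(Microsoft Corporation)" label on them proves nothing: only the "Bamital & volsnap Check" lines in the log report an actual signature check.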



## AGuyNamedPablo (Oct 16, 2014)

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-10-2014
Ran by Paul Kane at 2014-10-20 01:52:54
Running from C:\Documents and Settings\Paul Kane\Desktop\Computer\Cyber Attack October 2014
Boot Mode: Normal
==========================================================

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Microsoft Security Essentials (Disabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.5.502.135 - Adobe Systems Incorporated)
Adobe Reader XI (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.00 - Adobe Systems Incorporated)
AutoCAD 2005 - English (HKLM\...\{5783F2D7-0301-0409-0002-0060B0CE6BBA}) (Version: 16.1.63.10 - Autodesk)
Autodesk DWF Viewer (HKLM\...\Autodesk DWF Viewer) (Version: 4.1 - Autodesk, Inc.)
Bullzip PDF Printer 4.0.0.463 (HKLM\...\Bullzip PDF Printer_is1) (Version: - Bullzip)
CyberLink Media Suite (HKLM\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 8.0.3216 - CyberLink Corp.)
CyberLink Media Suite (Version: 8.0.3216 - CyberLink Corp.) Hidden
CyberLink PhotoDirector 2011 (HKLM\...\InstallShield_{4862344A-A39C-4897-ACD4-A1BED5163C5A}) (Version: 2.0.2105 - CyberLink Corp.)
CyberLink PhotoDirector 2011 (Version: 2.0.2105 - CyberLink Corp.) Hidden
CyberLink Power2Go (HKLM\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 7.0.0.1906 - CyberLink Corp.)
CyberLink Power2Go (Version: 7.0.0.1906 - CyberLink Corp.) Hidden
CyberLink PowerDirector (HKLM\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 9.0.0.3419 - CyberLink Corp.)
CyberLink PowerDirector (Version: 9.0.0.3419 - CyberLink Corp.) Hidden
CyberLink PowerDVD 10 (HKLM\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.3328.52 - CyberLink Corp.)
CyberLink PowerDVD 10 (Version: 10.0.3328.52 - CyberLink Corp.) Hidden
EVGA Precision X 3.0.3 (HKLM\...\PrecisionX) (Version: 3.0.3 - EVGA Corporation)
FileNet IDM Web Controls 4.0 (HKLM\...\IDMControls) (Version: - )
Google Earth Plug-in (HKLM\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
GPL Ghostscript Lite 9.06 (HKLM\...\GPL Ghostscript Lite_is1) (Version: - )
High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
HP Deskjet 1050 J410 series Basic Device Software (HKLM\...\{C111B73A-93EA-4A12-80E2-0460F11D431F}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 1050 J410 series Help (HKLM\...\{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}) (Version: 140.0.66.66 - Hewlett Packard)
HP Deskjet 1050 J410 series Product Improvement Study (HKLM\...\{5E83AB6E-2284-4468-BF97-A451904F186C}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (Version: 1.00.0000 - Microsoft) Hidden
Java 7 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217060FF}) (Version: 7.0.600 - Oracle)
Java Auto Updater (Version: 2.1.60.19 - Oracle, Inc.) Hidden
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
Microsoft .NET Framework 1.1 (Version: 1.1.4322 - Microsoft) Hidden
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Project Professional 2003 (HKLM\...\{903B0409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Plus! for Windows XP (HKLM\...\{EEC2DAFD-5558-40AC-8E9C-5005C8F810E8}) (Version: 1.00.00.0554 - Microsoft Corporation)
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NVIDIA Control Panel 310.90 (Version: 310.90 - NVIDIA Corporation) Hidden
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: - )
NVIDIA Graphics Driver 310.90 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 310.90 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.95.599 - NVIDIA Corporation) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: - )
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2736233) (HKLM\...\KB2736233) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2863058) (HKLM\...\KB2863058) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version: - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
CustomCLSID: HKU\S-1-5-21-2052111302-1454471165-725345543-1003_Classes\CLSID\{1365A45F-0C8F-4806-A26A-6B22AD37EC66}\localserver32 -> C:\Program Files\AutoCAD 2005\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2052111302-1454471165-725345543-1003_Classes\CLSID\{8E75D913-3D21-11D2-85C4-080009A0C626}\localserver32 -> C:\Program Files\AutoCAD 2005\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2052111302-1454471165-725345543-1003_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\AutoCAD 2005\acadficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2052111302-1454471165-725345543-1003_Classes\CLSID\{FC280999-88C6-4499-9622-3B795A8B4A5F}\localserver32 -> C:\Program Files\AutoCAD 2005\acad.exe (Autodesk, Inc.)
==================== Restore Points =========================
07-10-2014 19:19:46 System Checkpoint
09-10-2014 19:37:34 Installed %1 %2.
13-10-2014 11:47:06 System Checkpoint
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2004-08-04 05:00 - 2004-08-04 05:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost
==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\WINDOWS\Tasks\At1.job => C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe
Task: C:\WINDOWS\Tasks\At2.job => C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe
Task: C:\WINDOWS\Tasks\At3.job => C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe
Task: C:\WINDOWS\Tasks\At4.job => C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{8EA0BB0F-B1A9-4973-8FF0-21055396EB39}.job => C:\WINDOWS\system32\msfeedssync.exe
Task: C:\WINDOWS\Tasks\WGASetup.job => C:\WINDOWS\system32\KB905474\wgasetup.exe
==================== Loaded Modules (whitelisted) =============
2013-01-07 01:43 - 2011-12-13 21:04 - 00247152 ____N () C:\Program Files\CyberLink\Shared files\RichVideo.exe
2014-10-07 07:11 - 2014-10-07 07:11 - 00045568 _____ () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\YVZPack\dxMainio16.dll
2012-06-29 13:41 - 2012-06-29 13:41 - 00553800 _____ () C:\Program Files\EVGA Precision X\EVGAPrecision.exe
2012-06-29 21:18 - 2012-06-29 21:18 - 00061440 _____ () C:\Program Files\EVGA Precision X\RTMUI.dll
2012-06-29 21:17 - 2012-06-29 21:17 - 00061440 _____ () C:\Program Files\EVGA Precision X\RTFC.dll
2012-06-29 21:17 - 2012-06-29 21:17 - 00225280 _____ () C:\Program Files\EVGA Precision X\RTCore.dll
2012-06-29 21:17 - 2012-06-29 21:17 - 00147456 _____ () C:\Program Files\EVGA Precision X\RTUI.dll
2012-06-29 21:18 - 2012-06-29 21:18 - 00335872 _____ () C:\Program Files\EVGA Precision X\RTHAL.dll
2011-03-09 15:21 - 2011-03-09 15:21 - 00619816 _____ () C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
2011-03-09 15:21 - 2011-03-09 15:21 - 00013096 _____ () C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
2014-10-02 05:30 - 2014-10-02 05:30 - 00073728 _____ () C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Ohvdics\symcrtPath.dll
2004-08-04 05:00 - 2008-04-14 06:41 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2004-08-04 05:00 - 2008-04-14 06:42 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
==================== Alternate Data Streams (whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
==================== EXE Association (whitelisted) =============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================
Administrator (S-1-5-21-2052111302-1454471165-725345543-500 - Administrator - Enabled)
ASPNET (S-1-5-21-2052111302-1454471165-725345543-1004 - Limited - Enabled)
Guest (S-1-5-21-2052111302-1454471165-725345543-501 - Limited - Enabled) => %SystemDrive%\Documents and Settings\Guest
HelpAssistant (S-1-5-21-2052111302-1454471165-725345543-1000 - Limited - Disabled)
Paul Kane (S-1-5-21-2052111302-1454471165-725345543-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Paul Kane
SUPPORT_388945a0 (S-1-5-21-2052111302-1454471165-725345543-1002 - Limited - Disabled)
==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================
Application errors:
==================
Error: (10/16/2014 00:37:41 PM) (Source: Microsoft Office 11) (EventID: 2001) (User: )
Description: Microsoft Office Excel
Error: (10/15/2014 10:35:06 AM) (Source: Microsoft Office 11) (EventID: 2001) (User: )
Description: Microsoft Office Excel
Error: (10/14/2014 02:32:03 AM) (Source: Microsoft Office 11) (EventID: 2000) (User: )
Description: Microsoft Office OutlookOutlook failed to start correctly last time. Starting Outlook in safe mode will help you correct or isolate a startup problem in order to successfully start the program. Some functionality may be disabled in this mode.
Do you want to start Outlook in safe mode?
Error: (10/13/2014 10:07:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x00731470.
Processing media-specific event for [iexplore.exe!ws!]
Error: (10/13/2014 09:06:39 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000673be.
Processing media-specific event for [explorer.exe!ws!]
Error: (10/13/2014 05:47:46 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000673be.
Processing media-specific event for [explorer.exe!ws!]
Error: (10/12/2014 06:35:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error: (10/12/2014 06:35:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error: (10/12/2014 04:57:31 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error: (10/12/2014 04:57:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

System errors:
=============
Error: (10/20/2014 01:15:33 AM) (Source: DCOM) (EventID: 10005) (User: HOME-89B9F847D7)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error: (10/19/2014 03:20:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (10/19/2014 03:20:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (10/19/2014 03:20:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (10/19/2014 03:20:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (10/19/2014 03:20:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (10/19/2014 03:20:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (10/18/2014 02:52:44 AM) (Source: DCOM) (EventID: 10005) (User: HOME-89B9F847D7)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (10/18/2014 00:33:43 AM) (Source: DCOM) (EventID: 10005) (User: HOME-89B9F847D7)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (10/17/2014 11:50:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Terminal Services service terminated unexpectedly. It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (10/16/2014 00:37:41 PM) (Source: Microsoft Office 11) (EventID: 2001) (User: )
Description: Microsoft Office Excel
Error: (10/15/2014 10:35:06 AM) (Source: Microsoft Office 11) (EventID: 2001) (User: )
Description: Microsoft Office Excel
Error: (10/14/2014 02:32:03 AM) (Source: Microsoft Office 11) (EventID: 2000) (User: )
Description: Microsoft Office OutlookOutlook failed to start correctly last time. Starting Outlook in safe mode will help you correct or isolate a startup problem in order to successfully start the program. Some functionality may be disabled in this mode.
Do you want to start Outlook in safe mode?
Error: (10/13/2014 10:07:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702unknown0.0.0.000731470
Error: (10/13/2014 09:06:39 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.6055000673be
Error: (10/13/2014 05:47:46 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.6055000673be
Error: (10/12/2014 06:35:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000
Error: (10/12/2014 06:35:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000
Error: (10/12/2014 04:57:31 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000
Error: (10/12/2014 04:57:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

==================== Memory info =========================== 
Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz
Percentage of memory in use: 40%
Total physical RAM: 2046.36 MB
Available physical RAM: 1215.68 MB
Total Pagefile: 3939 MB
Available Pagefile: 2542.05 MB
Total Virtual: 2047.88 MB
Available Virtual: 1913.71 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:465.76 GB) (Free:420.15 GB) NTFS ==>[Drive with boot components (Windows XP)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 0CF269BD)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)
==================== End Of Log ============================


----------



## JSntgRvr (Jul 1, 2003)

Your computer is quite infected.

Backdoor Trojan is a category of trojan viruses rather than an individual virus name. These viruses are the most common, the most widespread and the most dangerous. Backdoor Trojans allow the owner (hacker) of the virus remote administrator access to a victim's computer. These viruses install, launch and run invisibly without the knowledge of the user. Once installed, the Backdoor Trojans can be instructed to send, receive, execute and delete files. Not only can it manipulate physical files on your hard drive, but delicate and personal information can be obtained from the victim's PC.

Most rootkits can be detected and removed; however, despite our efforts, it is dangerous and incorrect to assume that simply because one backdoor trojan has been removed from a computer, the computer is now secure.

When a BackDoor Trojan is detected, first we must collect information from the user as to whether or not the computer is used for more than games and music. If used for financial transactions, then it is advisable to educate the member about the danger of having his identity stolen.

You should change your passwords from a clean computer in order to secure your accounts.

It is not always advisable to reformat, but on occasion it is the only way. This, however, is the victim's decision, not ours. At TSG we never promote a reformat unless necessary.

BleepingComputer.com has created a small utility that will find the Registry key created by CryptoWall and then export its list of encrypted files to a text file for you. Please download the *ListCWall* tool and post its report.

Download the enclosed file (see below). Save it in the same location FRST is saved. Run FRST, except that this time around, click on the Fix button and wait. The utility will create a *Fixlog.txt* report in the same location FRST is saved. Please post its report.


----------



## AGuyNamedPablo (Oct 16, 2014)

I do use my computer for banking and other financial transactions, as well as a number of other online functions. Unfortunately, because I've got so many online logons and passwords, I've kept a spreadsheet on my computer that lists all of my login names and passwords.

So, I spent a good deal of time yesterday going online (from a clean computer of course) and changing all my passwords (and security questions, if applicable). I've done that for pretty much everything, save a few sites (such as some sports sites, etc.) that are simply blogs or similar. No personal info on those.

I am running the two scans you last asked for, and will post the results when they're done.


----------



## AGuyNamedPablo (Oct 16, 2014)

Well, a couple of interesting things happened here.

I ran the ListCWall utility first, which finished almost instantaneously. The log said that no encrypted files were found. (Which is not correct... I probably have many hundreds if not a few thousand affected files.) I ran it again from the desktop and got the same result. Does the result depend on the location it's run from? Any other reason for getting the results I did?

Then I ran the FRST and the "Fix" function as you said to. This took almost two hours. Well, just when it finished and said there was a log created, some kind of malware still on my computer encrypted the logs from both scans. I saw a pop up come up saying this had happened. So I cannot post the logs here.

It appears that this is the same ransomware that did this the first time a week or so ago. It left a text file with the same exact decrypt instructions (as it had last week), in the folder with the scan utilities and scan logs.

I have been disconnected from the internet since I ran the IdTool scan very early Monday morning. So whatever is doing this is doing it without the benefit of internet access.

So at this point, what do I do next? Any other scan tools I can use that won't be vulnerable to the encryption malware?


----------



## JSntgRvr (Jul 1, 2003)

AGuyNamedPablo said:


> Well, a couple of interesting things happened here.
> 
> I ran the ListCWall utility first, which finished almost instantaneously. The log said that no encrypted files were found. (Which is not correct... I probably have many hundreds if not a few thousand affected files.) I ran it again from the desktop and got the same result. Does the result depend on the location it's run from? Any other reason for getting the results I did?
> 
> ...


Try this fix in Safe Mode and let me know the outcome.

Also,

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click mbam-setup-2.0..exe to install the application. (The revision number may vary.)

1. Select the language and click OK.
2. Accept the agreement.
3. Make sure a checkmark is placed next to *Enable the Free Trial* and *Launch Malwarebytes' Anti-Malware*, then click on Finish.
4. If an update is found, it will download and install the latest version.
5. Once the program has loaded, select "*Scan Now*".
6. The scan may take some time to finish, so please be patient.
7. When the scan is complete, click on *Quarantine All*.
8. When disinfection is completed, a dialog will open and you may be prompted to Restart. (See Extra Note.)
9. Upon restart, launch Malwarebytes Anti-Malware and select History.
10. Double click on the last scan done, then on Copy to Clipboard.
11. Right click on your next reply and select Paste.
12. Submit your reply.

Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## AGuyNamedPablo (Oct 16, 2014)

I really appreciate the timely replies on your part. Perhaps you could answer the following questions for me, just so I have a clearer understanding of what we are trying to do here:

1. Are you still trying to diagnose what exactly has infected my computer, or are we at the point of trying to CLEAN my computer now?
2. I already have the free version of Malwarebytes on my computer (I had mentioned this in my initial post). Do I need to download the trial version (which I believe is the premium version, which has real-time protection; the free version does not), or am I good with what I've got? Isn't the scan function the same in both? (I will connect to the internet to update it before running the scan.)
3. Is Malwarebytes the best option for cleaning my computer, or is there a better option? Once my computer is clean (or even before then) I was considering buying Kaspersky's Total Internet Protection. What do you think of that software? I've done some reading up and it seems to be highly regarded.

Thanks very much.


----------



## JSntgRvr (Jul 1, 2003)

Your computer shows numerous infections. On two occasions you were infected by CryptoWall ransomware. I am trying to remove the malware from your computer, so you can attempt to decrypt your files, which in turn may not be easy, unless there is a shadow copy of the file on the system.

For more about CryptoWall, read *here*.


----------



## AGuyNamedPablo (Oct 16, 2014)

OK, so we are trying to remove the malware.

To answer my second question, I can just use the Malwarebytes already on my computer, yes? (Assuming I download the update.)

Also, you said to do this in SAFE mode. Can you remind me how to do this again? Can I be connected to the internet in safe mode?


----------



## JSntgRvr (Jul 1, 2003)

> I can just use the Malwarebytes already on my computer, yes? (Assuming I download the update.)


Yes.



> Also, you said to do this in SAFE mode. Can you remind me how to do this again? Can I be connected to the internet in safe mode?


Tap on F8 at startup until you reach the Advanced Menu. Select Safe Mode. While on Safe Mode you will have no connection to the Internet.


----------



## AGuyNamedPablo (Oct 16, 2014)

I downloaded the update to Malwarebytes. It actually installed an updated version on my computer.

I ran a scan, and this only took 8 minutes. I am wondering if this scanned the entire computer, as prior scans I've done have taken much longer (like a couple of hours).

In any case, it found 12 malicious items (Trojan and/or CryptoWall items). I am attaching an image of the results log to this post.

After quarantining these items and restarting, I opened Malwarebytes and went to History, and there is NOT a list of scans (by date) as you suggest. Instead, it appears that it lists all of the various ITEMS that have been quarantined over some period of time. It looks like there are hundreds of items in there, with various dates going back to mid-September. I am not able to sort them by date or type, for some reason. I do see the items from today, scattered throughout the list.

I have not done anything yet with the quarantined items. They remain quarantined. At this point should I delete them? Or, if you need to see the list of items, is there any way to display or print them?


----------



## JSntgRvr (Jul 1, 2003)

Download the enclosed file (see below). Save it in the same location FRST is saved. Run FRST, except that this time around, click on the Fix button and wait. The utility will create a Fixlog.txt report in the same location FRST is saved. Please post its report.


----------



## JSntgRvr (Jul 1, 2003)

AGuyNamedPablo said:


> I downloaded the update to Malwarebytes. It actually installed an updated version on my computer.
> 
> I ran a scan, and this only took 8 minutes. I am wondering if this scanned the entire computer, as prior scans I've done have taken much longer (like a couple of hours).
> 
> ...


To export the report to a text file, click on Copy to Clipboard, open a Notepad document, right click on the Notepad document and select Paste.


----------



## AGuyNamedPablo (Oct 16, 2014)

I ran the FRST and created the Fixlog.txt document. Here are the results:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 16-10-2014
Ran by Paul Kane at 2014-10-23 20:04:32 Run:2
Running from C:\Documents and Settings\Paul Kane\Desktop\Computer\Cyber Attack October 2014
Loaded Profile: Paul Kane (Available profiles: Paul Kane & Guest)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
Start
HKLM\...\Run: [.tluafed** <*>] => C:\Documents and Settings\Paul Kane\Application Data\{00002454-230D-5716-4EDF-F11687C9B491}.ex <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Run: [wkoxgkfhnax] => C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\vvtcyhy.exe <===== ATTENTION
HKLM\...\Run: [rjvbsdsnjqyqphbsivt] => C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\hebkcxn.dll" update
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 220 more characters). <==== ATTENTION!
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^k4QAAA==n{[email protected]#@&l{xAPzmOk7+p6(L+1O`r?1.rwDRUtnVsE*[email protected]#@&S4k^+cne'c+b @#@&`@#@&[email protected]#@&i @#@&di (the data entry has 33863 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [Power2GoExpress] => NA
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [Otmics] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\Paul Kane\Local Settings\Application Data\Ohvdics\symcrtPath.dll"
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [YVZPack Update] => regsvr32.exe "C:\Documents and Settings\Paul Kane\Local Settings\Application Data\YVZPack\dxMainio16.dll"
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [ChromeUpdate] => C:\Documents and Settings\Paul Kane\Application Data\ChromeUpdate.exe [16086006 2014-10-13] (Microsoft Corporation)
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [90d804] => C:\90d8040\90d8040.exe [314880 2014-10-13] (Microsoft Corporation)
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [90d8040] => C:\Documents and Settings\Paul Kane\Application Data\90d8040.exe [314880 2014-10-13] (Microsoft Corporation)
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\...\Run: [svchost86x.sys] => C:\Documents and Settings\Paul Kane\Local Settings\Temp\conhost.exe [153088 2014-10-15] (Microsoft) <===== ATTENTION
HKU\S-1-5-18\...\Run: [svchost86x.sys] => C:\WINDOWS\TEMP\conhost.exe [153088 2014-10-15] (Microsoft) <===== ATTENTION
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
C:\Documents and Settings\Paul Kane\Local Settings\Temp\conhost.exe
C:\WINDOWS\TEMP\conhost.exe
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At4.job
CMD: Del /q C:\Windows\Tasks\At*
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-c80d814.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\ARS.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\cdo894109409.dll
C:\Documents and Settings\Paul Kane\Local Settings\Temp\conhost.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\HPPSdr.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\hpzmsi01.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\hpzscr01.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\iqg.dll
C:\Documents and Settings\Paul Kane\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
C:\Documents and Settings\Paul Kane\Local Settings\Temp\oow.dll
C:\Documents and Settings\All Users\Application Data\wrnhoah.tmp
C:\avenger.txt
C:\Avenger
C:\Documents and Settings\Paul Kane\C
C:\Documents and Settings\Paul Kane\Application Data\Vyutivy
C:\Documents and Settings\Paul Kane\Application Data\Usvydevu
C:\Documents and Settings\Paul Kane\Application Data\Owutekfo
C:\Documents and Settings\Paul Kane\Application Data\Munomye
C:\Documents and Settings\Paul Kane\Application Data\Eriruf
C:\Documents and Settings\Paul Kane\Application Data\Beavxeu
C:\WINDOWS\Tasks\User_Feed_Synchronization-{8EA0BB0F-B1A9-4973-8FF0-21055396EB39}.job
C:\DECRYPT_INSTRUCTION.HTML
C:\DECRYPT_INSTRUCTION.TXT
C:\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.HTML
C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.TXT
C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.URL
C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.URL
EmptyTemp:
End
*****************
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\.tluafed** <*> => Value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\wkoxgkfhnax => Value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\rjvbsdsnjqyqphbsivt => Value not found.
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\Default => Value was restored successfully.
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\a => Value not found.
[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] => No subkey with invalid name found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => Value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value not found.
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress => Value not found.
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Otmics => Value not found.
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\YVZPack Update => Value not found.
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\ChromeUpdate => Value not found.
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\90d804 => Value not found.
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\90d8040 => Value not found.
HKU\S-1-5-21-2052111302-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\svchost86x.sys => Value not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\svchost86x.sys => Value not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value not found.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\conhost.exe" => File/Directory not found.
"C:\WINDOWS\TEMP\conhost.exe" => File/Directory not found.
"C:\Windows\Tasks\At1.job" => File/Directory not found.
"C:\Windows\Tasks\At2.job" => File/Directory not found.
"C:\Windows\Tasks\At3.job" => File/Directory not found.
"C:\Windows\Tasks\At4.job" => File/Directory not found.
========= Del /q C:\Windows\Tasks\At* =========
Could Not Find C:\Windows\Tasks\At*
========= End of CMD: =========
"C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-c80d814.exe" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\ARS.exe" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\cdo894109409.dll" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\conhost.exe" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\HPPSdr.exe" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\hpzmsi01.exe" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\hpzscr01.exe" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\iqg.dll" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Temp\oow.dll" => File/Directory not found.
C:\Documents and Settings\All Users\Application Data\wrnhoah.tmp => Moved successfully.
"C:\avenger.txt" => File/Directory not found.
"C:\Avenger" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\C" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\Vyutivy" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\Usvydevu" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\Owutekfo" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\Munomye" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\Eriruf" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\Beavxeu" => File/Directory not found.
"C:\WINDOWS\Tasks\User_Feed_Synchronization-{8EA0BB0F-B1A9-4973-8FF0-21055396EB39}.job" => File/Directory not found.
C:\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\DECRYPT_INSTRUCTION.URL => Moved successfully.
"C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Documents and Settings\DECRYPT_INSTRUCTION.HTML => Moved successfully.
"C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Documents and Settings\DECRYPT_INSTRUCTION.TXT => Moved successfully.
"C:\Documents and Settings\Paul Kane\My Documents\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
C:\Documents and Settings\Paul Kane\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Documents and Settings\DECRYPT_INSTRUCTION.URL => Moved successfully.
"C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Paul Kane\Application Data\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\LocalService\Local Settings\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Guest\Local Settings\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Guest\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Guest\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.HTML" => File/Directory not found.
"C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.TXT" => File/Directory not found.
"C:\Documents and Settings\Guest\Application Data\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Default User\Local Settings\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Default User\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
"C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.URL" => File/Directory not found.
EmptyTemp: => Removed 34.3 MB temporary data.

The system needed a reboot. 
==== End of Fixlog ====

I still cannot figure out how to copy the Malwarebytes report. There is no print or copy button, I cannot highlight the items to copy them, etc. Is there a report log printed to some folder that I can check?


----------



## JSntgRvr (Jul 1, 2003)

As long as the items are quarantined, there will be no interaction with them. You can delete the quarantined items. Go to this *link* as previously suggested and see if you are able to decrypt the files with its shadow copy.


----------



## AGuyNamedPablo (Oct 16, 2014)

I deleted all of the quarantined files. I also ran another Malwarebytes scan this morning, and it found NO malicious items. It appears that my computer is clean for now.

I have most of my work and personal files on backup, however there is some stuff not backed up. So I'm going to attempt to recover those files via Shadow Copies.

In the link you provided, it describes two methods for restoring using Shadow Copies. The first method is simply to right click on either folders or individual files, select Properties, then go to the Previous Versions tab, and select the appropriate prior version to restore the folder or file. However, when I do this, there is no "Previous Versions" tab. Do you know why this is? Is there another way to do this using the Windows functions I already have? (My OS is Windows XP Pro.)


----------



## JSntgRvr (Jul 1, 2003)

> In the link you provided, it describes two methods for restoring using Shadow Copies. The first method is simply to right click on either folders or individual files, select Properties, then go to the Previous Versions tab, and select the appropriate prior version to restore the folder or file. However, when I do this, there is no "Previous Versions" tab. Do you know why this is? Is there another way to do this using the Windows functions I already have? (My OS is Windows XP Pro.)


That is unfortunate. Chances are that the *Volume Shadow Copy* Service was not active.

Go to *Start, Run*, type *services.msc* and click *OK*. Browse to the *Volume Shadow Copy* service and double click on it. It should be set to *Automatic*.

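A scripted form of the checks above (the service's start mode, and whether any shadow copies actually exist that predate the ransom notes), added here as an example and not taken from the thread or any linked guide. It assumes PowerShell 2.0 or later; the Win32_ShadowCopy WMI class it queries exists on Windows Server 2003 and Vista or later, and the script reports the class as missing rather than failing where it is absent.

```powershell
# Added example (not from the thread): report the Volume Shadow Copy service
# state and list existing shadow copies before relying on "Previous Versions".
# Assumes PowerShell 2.0+ and the Win32_ShadowCopy WMI class (Server 2003 /
# Vista and later). On a Windows XP client the class is absent, because XP
# keeps no persistent local shadow copies, and the script says so and stops.

# 1. Service state and start mode: the services.msc check, scripted.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='VSS'"
if ($svc -eq $null) {
    Write-Output "Volume Shadow Copy service (VSS) is not installed."
} else {
    Write-Output ("VSS service: State={0}  StartMode={1}" -f $svc.State, $svc.StartMode)
}

# 2. The earliest ransom note on the system drive approximates when encryption
#    began. The note names are the ones seen in the Fixlog; if the notes were
#    already quarantined, nothing is found and the comparison below is skipped.
$note = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force `
            -Filter "DECRYPT_INSTRUCTION.*" -ErrorAction SilentlyContinue |
        Sort-Object CreationTime | Select-Object -First 1
if ($note -ne $null) {
    Write-Output ("Earliest ransom note: {0} ({1})" -f $note.CreationTime, $note.FullName)
}

# 3. Enumerate shadow copies. Only a snapshot created BEFORE the note appeared
#    can still hold unencrypted versions of the files.
try {
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction Stop)
} catch {
    Write-Output "Win32_ShadowCopy is unavailable: no persistent shadow copies on this system."
    return
}
if ($shadows.Count -eq 0) {
    Write-Output "No shadow copies exist; Previous Versions cannot restore anything here."
    return
}
foreach ($s in $shadows) {
    # WMI stores InstallDate as a DMTF string (yyyymmddHHMMSS.ffffff+zzz).
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    if ($note -ne $null -and $when -lt $note.CreationTime) {
        $verdict = "predates ransom note"
    } else {
        $verdict = "after note, or note time unknown"
    }
    Write-Output ("{0}  volume={1}  device={2}  [{3}]" -f $when, $s.VolumeName, $s.DeviceObject, $verdict)
}
```

Run it from an elevated PowerShell prompt; the shadow copy enumeration needs administrative rights.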

----------



## AGuyNamedPablo (Oct 16, 2014)

I have been taking inventory of my backup folders and files, to see what backup is missing or out of date. As I suspected, there are several holes in my backup. So there are some files I'd like to try to restore.

I checked the Volume Shadow Copy service as you said, and it was currently set to Manual (not Automatic). So there may not be any shadow copies.

If the Volume Shadow Copy method does not work, what do you think of the other file retrieval software mentioned in the CryptoWall Info Guide (R-Studio and Photorec) that you'd previously linked? Do they search for copies of files in a different manner or location? Do you think I'd have any luck with those?

Thanks for your help.


----------



## JSntgRvr (Jul 1, 2003)

AGuyNamedPablo said:


> I have been taking inventory of my backup folders and files, to see what backup is missing or out of date. As I suspected, there are several holes in my backup. So there are some files I'd like to try to restore.
> 
> I checked the Volume Shadow Copy service as you said, and it was currently set to Manual (not Automatic). So there may not be any shadow copies.
> 
> ...


I haven't tried these applications. Most users haven't been able to recover their files as the Ransomware has evolved, thus the tools have become obsolete and aren't able to decrypt their files. Those with the Shadow Copy have had a better chance; however, nowadays the malware is removing that also. Give these tools a try. At this moment there is nothing else available for it.


----------



## AGuyNamedPablo (Oct 16, 2014)

I am still in the process of trying to recover files. I just posted this update because I would like to keep this thread open, as I may need some help as I continue through this process.


----------



## JSntgRvr (Jul 1, 2003)

No problem. The thread, however, will be automatically closed due to inactivity. In case you are successful, please let us know.

Thanks.


----------

