Final stages of ransomware removal

Post by ColinL » October 27th, 2012, 6:46 pm

Hi there,

I did have a thread open:

viewtopic.php?f=11&t=60626

Unfortunately I was unable to reply within the allotted timeframe and so the thread was closed.

Need a hand polishing off the last few steps of the cleanup.

As is required for new posts, here is a DDS log:

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by Jacklyn at 23:43:00 on 2012-10-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3692.1630 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
c:\xampp\apache\bin\httpd.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\xampp\mysql\bin\mysqld.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\windows\system32\Dwm.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\conhost.exe
C:\windows\system32\DllHost.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\windows\SysWOW64\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Google Update] "C:\Users\Jacklyn\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Spotify] "C:\Users\Jacklyn\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
uRun: [Spotify Web Helper] "C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe /boot
mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\windows\Installer\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}\Icon09DB8A851.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{87D899B5-EEBA-4AC0-AD7F-31EF7DE59B20} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{87D899B5-EEBA-4AC0-AD7F-31EF7DE59B20}\D41627B69647D275966696 : DHCPNameServer = 192.168.191.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe -Quiet
x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\windows\System32\drivers\amd_sata.sys [2012-3-28 79488]
R0 amd_xata;amd_xata;C:\windows\System32\drivers\amd_xata.sys [2012-3-28 40064]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2012-3-28 55856]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswSnx.sys [2012-7-25 969200]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswSP.sys [2012-7-25 359464]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-3-28 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2012-3-28 204288]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-8-6 365568]
R2 Apache2.2;Apache2.2;C:\xampp\apache\bin\httpd.exe [2011-9-10 18432]
R2 aswFsBlk;aswFsBlk;C:\windows\System32\drivers\aswFsBlk.sys [2012-7-25 25232]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2012-7-25 71600]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-8-23 44808]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-23 399432]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-10-23 676936]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-3-28 1692480]
R3 amdiox64;AMD IO Driver;C:\windows\System32\drivers\amdiox64.sys [2012-3-28 46136]
R3 amdkmdag;amdkmdag;C:\windows\System32\drivers\atikmdag.sys [2012-3-28 9978880]
R3 amdkmdap;amdkmdap;C:\windows\System32\drivers\atikmpag.sys [2012-3-28 309248]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\System32\drivers\AtihdW76.sys [2012-3-28 231440]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\System32\drivers\CtClsFlt.sys [2012-3-28 176096]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2012-10-23 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 usbfilter;AMD USB Filter Driver;C:\windows\System32\drivers\usbfilter.sys [2012-3-28 47232]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\System32\drivers\vwifimp.sys [2009-7-14 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-15 250808]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-8-17 25584]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-3-28 250984]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-6-11 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== Created Last 30 ================
.
2012-10-27 02:00:58 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3AFC83EB-CC8C-43EF-BE75-C1C09168D2D3}\offreg.dll
2012-10-26 17:01:44 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3AFC83EB-CC8C-43EF-BE75-C1C09168D2D3}\mpengine.dll
2012-10-25 21:59:54 -------- d-----w- C:\Program Files (x86)\ESET
2012-10-23 19:07:23 -------- d-----w- C:\Users\Jacklyn\AppData\Roaming\Malwarebytes
2012-10-23 19:07:12 -------- d-----w- C:\ProgramData\Malwarebytes
2012-10-23 19:07:09 25928 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-10-23 19:07:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-10-23 18:44:19 -------- d-----w- C:\_OTL
2012-10-19 18:40:55 388096 ----a-r- C:\Users\Jacklyn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-10-19 18:35:25 -------- d-----w- C:\ProgramData\PC Tools
2012-10-19 18:35:24 -------- d-----w- C:\Users\Jacklyn\AppData\Roaming\TestApp
2012-10-19 18:22:01 -------- d-----w- C:\windows\pss
2012-10-19 17:46:32 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{6DA5DAD7-0C5E-4638-AE98-8A31B838EB27}
2012-10-14 18:37:13 -------- d-----w- C:\Users\Jacklyn\AppData\Local\Dell Edoc Viewer
2012-10-13 01:27:59 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{66A6EFE5-84F2-49F7-8620-33D118BFF744}
2012-10-12 12:47:45 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{E66C16C7-A407-439A-AEFB-0BA9FD6B190A}
2012-10-11 16:03:54 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{EE4A6E54-3801-42B0-97C0-920EA687968D}
2012-10-10 17:17:53 220160 ----a-w- C:\windows\System32\wintrust.dll
2012-10-10 17:17:53 172544 ----a-w- C:\windows\SysWow64\wintrust.dll
2012-10-10 17:17:35 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2012-10-10 17:17:35 2048 ----a-w- C:\windows\System32\tzres.dll
2012-10-10 17:17:17 715776 ----a-w- C:\windows\System32\kerberos.dll
2012-10-10 17:17:17 542208 ----a-w- C:\windows\SysWow64\kerberos.dll
2012-10-10 17:17:03 1464320 ----a-w- C:\windows\System32\crypt32.dll
2012-10-10 17:17:02 1159680 ----a-w- C:\windows\SysWow64\crypt32.dll
2012-10-10 17:17:01 184320 ----a-w- C:\windows\System32\cryptsvc.dll
2012-10-10 17:17:01 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
2012-10-10 17:17:01 140288 ----a-w- C:\windows\System32\cryptnet.dll
2012-10-10 17:17:01 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
2012-10-01 16:51:41 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{1C90144F-9726-4D9F-8A38-FEA2D8844A41}
2012-09-30 16:22:47 -------- d-----w- C:\Users\Jacklyn\AppData\Local\Microsoft Games
2012-09-30 11:12:53 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{6AC53B89-442E-457A-A288-9CF6177AC8CB}
2012-09-28 07:03:00 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{5862D5A3-519F-4D8E-B3FD-834C0E795F71}
.
==================== Find3M ====================
.
2012-10-09 16:51:23 696760 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-10-09 16:51:22 73656 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-24 22:16:58 821736 ----a-w- C:\windows\SysWow64\npDeployJava1.dll
2012-09-24 22:16:53 746984 ----a-w- C:\windows\SysWow64\deployJava1.dll
2012-09-17 20:15:51 560184 ----a-w- C:\windows\System32\drivers\sptd.sys
2012-08-31 18:19:35 1659760 ----a-w- C:\windows\System32\drivers\ntfs.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-08-24 10:31:32 2312704 ----a-w- C:\windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-08-22 18:12:50 1913200 ----a-w- C:\windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40 950128 ----a-w- C:\windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:01:00 245760 ----a-w- C:\windows\System32\OxpsConverter.exe
2012-08-21 09:13:13 969200 ----a-w- C:\windows\System32\drivers\aswSnx.sys
2012-08-21 09:13:12 71600 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2012-08-21 09:13:12 54072 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2012-08-21 09:12:33 41224 ----a-w- C:\windows\avastSS.scr
2012-08-20 18:48:44 362496 ----a-w- C:\windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2012-08-20 15:38:20 2048 ----a-w- C:\windows\SysWow64\user.exe
2012-08-20 15:33:28 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-08-02 17:58:52 574464 ----a-w- C:\windows\System32\d3d10level9.dll
2012-08-02 16:57:20 490496 ----a-w- C:\windows\SysWow64\d3d10level9.dll
2010-08-03 10:11:16 819200 --sha-w- C:\windows\SysWOW64\xvidcore.dll
2010-08-03 10:11:16 180224 --sha-w- C:\windows\SysWOW64\xvidvfw.dll
.
============= FINISH: 23:44:02.27 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 10/06/2012 22:55:42
System Uptime: 25/10/2012 20:58:32 (51 hours ago)
.
Motherboard: Dell Inc. | | 05X5JT
Processor: AMD C-60 APU with Radeon(tm) HD Graphics | CPU 1 | 800/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 363.005 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter for 64-bit Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter for 64-bit Windows
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SBRE
Device ID: ROOT\LEGACY_SBRE\0000
Manufacturer:
Name: SBRE
PNP Device ID: ROOT\LEGACY_SBRE\0000
Service: SBRE
.
==== System Restore Points ===================
.
RP70: 19/10/2012 19:39:05 - Installed HiJackThis
RP71: 19/10/2012 19:40:30 - Installed HiJackThis
RP72: 19/10/2012 20:38:28 - Installed Java 7 Update 9
RP73: 21/10/2012 14:44:13 - Pre-Fix
RP74: 21/10/2012 14:46:09 - Removed Java(TM) 7 Update 1 (64-bit)
RP75: 21/10/2012 14:47:33 - Removed Java 7 Update 9
RP76: 23/10/2012 19:48:24 - OTL Restore Point - 23/10/2012 19:48:19
RP77: 23/10/2012 19:56:16 - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4) MUI
Advanced Audio FX Engine
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Fuel
AMD Media Foundation Decoders
AMD VISION Engine Control Center
ATI AVIVO64 Codecs
avast! Free Antivirus
Blio
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Profiles Mobile
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Cisco Systems VPN Client 5.0.07.0440
D3DX10
Defcon v1.6
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell Edoc Viewer
Dell Getting Started Guide
Dell MusicStage
Dell PhotoStage
Dell Product Registration
Dell Stage
Dell Stage Remote
Dell Support Center
Dell Touchpad
Dell VideoStage
Dell Webcam Central
Dell Wireless Driver Installation
DirectX 9 Runtime
DivX Codec
EA SPORTS Game Face Browser Plugin 1.5.3.0
Google Chrome
HiJackThis
IDT Audio
JavaFX 2.1.1
Junk Mail filter update
Malwarebytes Anti-Malware version 1.65.1.1000
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Paint.NET v3.5.10
PhotoShowExpress
PlayReady PC Runtime x86
Quickset64
RBVirtualFolder64Inst
RCT3 Soaked
Realtek Ethernet Controller Driver
Realtek USB 2.0 Card Reader
RollerCoaster Tycoon® 3
Roxio Activation Module
Roxio BackOnTrack
Roxio Burn
Roxio Creator Starter
Roxio Express Labeler 3
Roxio File Backup
S.T.A.L.K.E.R. - Clear Sky [v1.0003]
S.W.A.T. 4
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Skype™ 5.10
Sonic CinePlayer Decoder Pack
SPORE™
Spotify
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VLC media player 2.0.0
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.20 beta 3 (64-bit)
XAMPP 1.7.7
.
==== Event Viewer Messages From Past Week ========
.
25/10/2012 00:44:29, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
25/10/2012 00:43:31, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.
24/10/2012 00:23:37, Error: Service Control Manager [7024] - The Apache2.2 service terminated with service-specific error Incorrect function..
23/10/2012 23:26:25, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
23/10/2012 23:26:24, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
23/10/2012 23:26:24, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
23/10/2012 19:41:29, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the iphlpsvc service.
.
==== End Of File ===========================

Thanks,

Colin.
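A helper reading a DDS log like the one above usually starts by asking which processes and autorun entries execute from locations a standard user can write to (the profile's AppData, Downloads, Desktop, ProgramData, any Temp folder), because that is where most commodity malware lives. The following is an added example, not part of the original post and not code from the DDS tool: it splits the log into its `====` sections, pulls the executable path out of each Running Processes and Pseudo HJT Report line, and lists the ones under user-writable directories. The sample input is constructed from lines in the posted log plus one synthetic entry (the `updater.exe` under a Temp folder, belonging to a made-up user `Example`) so that an obvious hit appears. Note that in the real log the hits (Spotify, Chrome, Google Update) are per-user installs that are normally legitimate; the heuristic narrows down what to verify, it does not decide.

```python
"""Triage helper for a DDS.txt log: list the running processes and autorun
entries that execute from user-writable profile locations.

Added example; not part of the original post and not code from the DDS tool.
SAMPLE_DDS is constructed from lines of the posted log plus one synthetic
line (the updater.exe entry under a Temp folder for the made-up user Example).
"""
import re

SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Example\AppData\Local\Temp\updater.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mWinlogon: Userinit = userinit.exe,
uRun: [Google Update] "C:\Users\Jacklyn\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
.
============= SERVICES / DRIVERS ===============
.
R2 Apache2.2;Apache2.2;C:\xampp\apache\bin\httpd.exe [2011-9-10 18432]
"""

# DDS section headers look like "============== Name ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# First Windows path ending in an executable/module extension, quoted or not.
PATH_RE = re.compile(
    r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cpl|com|bat|cmd|vbs|js))\b',
    re.IGNORECASE,
)
# Directories a non-admin user (or any service) can normally write into.
# "\Temp\" deliberately also catches C:\Windows\Temp.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|ProgramData|Temp)\\",
    re.IGNORECASE,
)
# Only these DDS sections are examined; services/drivers need different rules.
TRIAGE_SECTIONS = ("Running Processes", "Pseudo HJT Report")


def parse_sections(text):
    """Split a DDS log into {section name: [entry lines]}, dropping '.' spacers."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def extract_path(line):
    """Return the first executable/module path on a DDS line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def flag_user_writable(text):
    """Return (section, path) pairs whose path sits under a user-writable dir."""
    hits = []
    for section, lines in parse_sections(text).items():
        if section not in TRIAGE_SECTIONS:
            continue
        for line in lines:
            path = extract_path(line)
            if path and USER_WRITABLE_RE.search(path):
                hits.append((section, path))
    return hits


if __name__ == "__main__":
    for section, path in flag_user_writable(SAMPLE_DDS):
        print(f"[{section}] {path}")
```

Each hit still has to be checked by hand (publisher, digital signature, whether the product is known to install per-user); a path under AppData is a reason to look, not a verdict.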

Re: Final stages of ransomware removal

Post by Gary R » October 29th, 2012, 10:16 am

Looking over your old topic, back soon.

Re: Final stages of ransomware removal

Post by Gary R » October 29th, 2012, 10:26 am

If you already have the logs from the scans that pgmigg asked you to run in his last post to you, please post them; if not, please do the following:

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.
  • Please go HERE, then click on: [image]
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use, then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: [image] (selecting Uninstall application on close if you so wish)

Next

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Standard Output.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.

Next

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:filefind
*Conduit*
*Funmoods*

:folderfind
*Conduit*
*Funmoods*
*Vuze*

:Regfind
Conduit
Funmoods
trolltech
Vuze

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Summary of the logs I need from you in your next post:
  • E-Set log
  • OTL.txt
  • Extras.txt
  • SystemLook.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
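The SystemLook script in the post above has a simple shape: a directive line (`:filefind`, `:folderfind`, `:Regfind`) followed by one wildcard pattern per line, and the tool searches file names, folder names and the registry for those patterns. The following is an added example, not SystemLook's own code and not part of the thread: it parses that script format and runs the `:filefind` and `:folderfind` rules over a directory tree, matching names case-insensitively as Windows does. The `:Regfind` patterns are parsed but not executed, since a registry search needs a live Windows registry (on a real machine that half maps to walking `HKLM:\` and `HKCU:\` with `Get-ChildItem -Recurse` in PowerShell and matching key and value names). The directory tree it searches is a constructed fixture built in a temporary folder: two names the thread's patterns should hit, one that a decoy should miss.

```python
"""Parse a SystemLook-style search script and run its :filefind and
:folderfind rules over a directory tree.

Added example; this is not SystemLook's own code. :Regfind patterns are
parsed but not executed, because a registry search needs a live Windows
registry, which this offline example does not have.
"""
import fnmatch
import os
import shutil
import tempfile

# The script posted in the thread, reproduced as the input to parse.
SCRIPT = """\
:filefind
*Conduit*
*Funmoods*

:folderfind
*Conduit*
*Funmoods*
*Vuze*

:Regfind
Conduit
Funmoods
trolltech
Vuze
"""


def parse_script(text):
    """Return {"filefind": [...], "folderfind": [...], "regfind": [...]}.

    A directive line starts with ':' and names the section; every non-blank
    line after it is a pattern for that section. Directive names are treated
    case-insensitively (the thread writes ':Regfind').
    """
    rules = {"filefind": [], "folderfind": [], "regfind": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            name = line[1:].lower()
            if name not in rules:
                raise ValueError(f"unknown directive {line!r}")
            current = name
            continue
        if current is None:
            raise ValueError(f"pattern {line!r} appears before any directive")
        rules[current].append(line)
    return rules


def name_matches(name, patterns):
    """Case-insensitive wildcard match, as Windows file names are compared."""
    low = name.lower()
    return any(fnmatch.fnmatchcase(low, pat.lower()) for pat in patterns)


def search_tree(root, rules):
    """Walk root and collect files/folders whose names match the rules."""
    files, folders = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        folders.extend(os.path.join(dirpath, d) for d in dirnames
                       if name_matches(d, rules["folderfind"]))
        files.extend(os.path.join(dirpath, f) for f in filenames
                     if name_matches(f, rules["filefind"]))
    return {"files": sorted(files), "folders": sorted(folders)}


def demo():
    """Run the thread's script against a constructed directory tree."""
    root = tempfile.mkdtemp(prefix="systemlook_demo_")
    try:
        # Constructed fixture: names the patterns should hit, plus decoys.
        fixture = [
            "Program Files (x86)/ConduitEngine/ConduitEngine.dll",
            "Users/Example/AppData/Local/funmoods_toolbar.dll",
            "Users/Example/AppData/Roaming/Vuze/settings.xml",
            "Program Files (x86)/Adobe/AcroRd32.exe",
        ]
        for rel in fixture:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"")
        rules = parse_script(SCRIPT)
        result = search_tree(root, rules)
        # Report paths relative to the fixture root so the output is stable.
        result = {k: [os.path.relpath(p, root) for p in v]
                  for k, v in result.items()}
        return rules, result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    rules, result = demo()
    print("registry patterns (not searched offline):", rules["regfind"])
    for kind in ("folders", "files"):
        for path in result[kind]:
            print(f"{kind[:-1]:6} {path}")
```

Matching on names alone is exactly why a helper asks for this kind of scan rather than trusting an uninstall: leftover folders and DLLs of a toolbar such as Conduit or Funmoods keep their product name even after the visible program is gone.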

Re: Final stages of ransomware removal

Post by ColinL » October 29th, 2012, 4:03 pm

Hi Gary,

Thanks for looking into this for me. Please pass on my apologies to the original helper.

Online Scan log:

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\Users\Jacklyn\Downloads\DAEMONToolsPro510-0333.exe Win32/OpenCandy application

Fresh OTL:

OTL logfile created on: 29/10/2012 19:36:53 - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Jacklyn\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.61 Gb Total Physical Memory | 1.79 Gb Available Physical Memory | 49.61% Memory free
7.21 Gb Paging File | 4.62 Gb Available in Paging File | 64.04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 362.88 Gb Free Space | 80.46% Space Free | Partition Type: NTFS

Computer Name: JACKLYN-PC | User Name: Jacklyn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/21 14:03:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jacklyn\Desktop\OTL.exe
PRC - [2012/10/19 19:35:25 | 001,199,576 | ---- | M] (Spotify Ltd) -- C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
PRC - [2012/09/29 18:54:26 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/09/29 18:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/09/29 18:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/08/21 09:12:26 | 004,282,728 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/08/21 09:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/07/27 12:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/02/01 10:50:58 | 000,968,048 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
PRC - [2011/10/01 07:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 07:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/09/10 09:43:18 | 000,018,432 | ---- | M] (Apache Software Foundation) -- C:\xampp\apache\bin\httpd.exe
PRC - [2011/09/10 09:43:18 | 000,018,432 | ---- | M] (Apache Software Foundation) -- c:\xampp\apache\bin\httpd.exe
PRC - [2011/09/09 17:46:10 | 008,158,720 | ---- | M] () -- c:\xampp\mysql\bin\mysqld.exe
PRC - [2011/09/06 17:29:20 | 004,259,648 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
PRC - [2011/08/18 15:05:54 | 002,751,808 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
PRC - [2011/08/18 15:05:46 | 001,692,480 | ---- | M] (SoftThinks SAS) -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
PRC - [2011/08/08 17:26:12 | 000,475,200 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
PRC - [2011/08/08 17:26:00 | 002,034,752 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
PRC - [2011/08/01 17:56:48 | 000,460,096 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
PRC - [2011/03/04 11:45:08 | 001,529,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2010/11/17 15:35:34 | 000,514,544 | ---- | M] () -- C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2010/02/28 01:33:14 | 000,077,664 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE


========== Modules (No Company Name) ==========

MOD - [2012/10/10 10:06:15 | 000,460,312 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\ppgooglenaclpluginchrome.dll
MOD - [2012/10/10 10:06:13 | 012,435,992 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\PepperFlash\pepflashplayer.dll
MOD - [2012/10/10 10:06:12 | 004,005,912 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\pdf.dll
MOD - [2012/10/10 10:04:57 | 000,578,072 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\libglesv2.dll
MOD - [2012/10/10 10:04:55 | 000,123,928 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\libegl.dll
MOD - [2012/10/10 10:04:44 | 000,156,712 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\avutil-51.dll
MOD - [2012/10/10 10:04:43 | 000,275,496 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\avformat-54.dll
MOD - [2012/10/10 10:04:42 | 002,168,360 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\avcodec-54.dll
MOD - [2012/06/14 09:57:43 | 014,340,608 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll
MOD - [2012/06/14 09:56:44 | 012,436,480 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012/06/14 09:56:24 | 001,591,808 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012/06/14 09:56:16 | 012,237,824 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll
MOD - [2012/06/12 22:17:32 | 002,297,856 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll
MOD - [2012/06/11 15:05:52 | 000,368,128 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll
MOD - [2012/06/11 15:02:08 | 000,060,928 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ca2eff60beb3ba00a529a2d42dceca22\UIAutomationProvider.ni.dll
MOD - [2012/06/11 15:01:49 | 000,025,600 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\2ec98ab0193d64e95b7d09d094deed97\Accessibility.ni.dll
MOD - [2012/06/11 15:00:54 | 003,347,968 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll
MOD - [2012/06/11 15:00:39 | 005,452,800 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/06/11 15:00:28 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/06/11 15:00:25 | 007,967,232 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/06/11 15:00:05 | 011,492,864 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012/02/01 10:50:58 | 000,968,048 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
MOD - [2012/02/01 10:44:34 | 008,151,040 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtGui4.dll
MOD - [2012/02/01 10:44:34 | 002,278,400 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtCore4.dll
MOD - [2011/08/18 15:05:54 | 002,751,808 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
MOD - [2011/08/08 17:26:12 | 000,475,200 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
MOD - [2011/08/08 17:26:00 | 002,034,752 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
MOD - [2011/07/21 07:36:00 | 000,327,744 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\en-US\UI\ManagerUI.dll
MOD - [2011/07/17 09:35:36 | 000,058,944 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\DataService.dll
MOD - [2011/06/24 22:20:26 | 000,565,968 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\sqlite3.dll
MOD - [2010/11/25 03:44:02 | 000,375,280 | ---- | M] () -- c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\SQLite352.dll
MOD - [2010/11/17 15:35:34 | 000,514,544 | ---- | M] () -- C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
MOD - [2010/03/22 14:52:42 | 006,776,832 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\QtGui4.dll
MOD - [2010/03/16 19:28:28 | 000,326,144 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\QtXml4.dll
MOD - [2010/03/16 19:28:16 | 000,635,904 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\QtNetwork4.dll
MOD - [2010/03/16 19:28:04 | 001,926,144 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\QtCore4.dll
MOD - [2010/03/11 18:52:34 | 000,225,280 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qmng4.dll
MOD - [2010/03/11 18:52:34 | 000,028,160 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qgif4.dll
MOD - [2010/03/05 14:07:58 | 000,125,952 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qjpeg4.dll
MOD - [2010/03/05 14:07:58 | 000,031,744 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qico4.dll
MOD - [2010/02/28 01:33:14 | 000,077,664 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE


========== Services (SafeList) ==========

SRV:64bit: - [2012/08/21 09:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2011/08/06 06:14:06 | 000,365,568 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV:64bit: - [2011/07/14 01:15:36 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011/05/27 19:06:16 | 000,301,568 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Program Files\IDT\WDM\stacsv64.exe -- (STacSV)
SRV:64bit: - [2010/09/22 23:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/14 01:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/03/03 10:42:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\IDT\WDM\AESTSr64.exe -- (AESTFilters)
SRV - [2012/10/09 16:51:24 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/29 18:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/29 18:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/07/27 12:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/10/01 07:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 07:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/09/10 09:43:18 | 000,018,432 | ---- | M] (Apache Software Foundation) [Auto | Running] -- c:\xampp\apache\bin\httpd.exe -- (Apache2.2)
SRV - [2011/09/09 17:46:10 | 008,158,720 | ---- | M] () [Auto | Running] -- c:\xampp\mysql\bin\mysqld.exe -- (mysql)
SRV - [2011/08/18 15:05:46 | 001,692,480 | ---- | M] (SoftThinks SAS) [Auto | Running] -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe -- (SftService)
SRV - [2011/03/04 11:45:08 | 001,529,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010/11/25 10:34:18 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
SRV - [2010/11/25 10:33:18 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2010/03/18 19:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 21:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/09/29 18:54:26 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/09/17 20:15:51 | 000,560,184 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2012/08/21 09:13:13 | 000,969,200 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2012/08/21 09:13:13 | 000,359,464 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2012/08/21 09:13:13 | 000,059,728 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2012/08/21 09:13:12 | 000,071,600 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2012/08/21 09:13:12 | 000,054,072 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2012/08/21 09:13:11 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/08/17 21:26:48 | 000,025,584 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Stopped] -- c:\Program Files\Dell Support Center\pcdsrvc_x64.pkms -- (PCDSRVC{1E208CE0-FB7451FF-06020101}_0)
DRV:64bit: - [2012/03/01 06:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/10/01 07:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2011/10/01 07:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2011/10/01 07:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2011/10/01 07:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2011/07/14 02:00:06 | 009,978,880 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/07/14 00:33:58 | 000,309,248 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/06/16 22:08:26 | 000,040,064 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata)
DRV:64bit: - [2011/06/16 22:08:24 | 000,079,488 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata)
DRV:64bit: - [2011/06/10 05:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/06/07 01:07:00 | 000,231,440 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011/05/27 19:06:16 | 000,528,384 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA)
DRV:64bit: - [2011/04/22 01:17:10 | 002,727,424 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2011/04/01 03:35:12 | 000,355,960 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2011/03/11 06:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 06:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/03/04 11:51:50 | 000,306,536 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV:64bit: - [2011/01/20 16:20:46 | 000,176,096 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV:64bit: - [2010/12/16 06:06:46 | 000,047,232 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV:64bit: - [2010/11/21 03:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 03:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 03:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/30 00:11:42 | 000,250,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/03/19 08:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2010/02/18 14:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2010/02/08 07:32:00 | 000,014,992 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CVirtA64.sys -- (CVirtA)
DRV:64bit: - [2009/07/14 01:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 01:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 01:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 20:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 20:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 20:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 20:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/11/16 17:39:44 | 000,157,968 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dne64x.sys -- (DNE)
DRV:64bit: - [2006/11/01 17:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009/07/14 01:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{2F1E335A-858A-4BE9-8F6B-D0AF1D018B53}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{2F1E335A-858A-4BE9-8F6B-D0AF1D018B53}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Jacklyn\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Jacklyn\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\electronicarts.com/GameFacePlugin: C:\Users\Jacklyn\AppData\Roaming\Electronic Arts\Game Face\npGameFacePlugin.dll (Electronic Arts)



========== Chrome ==========

CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms},
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java(TM) Platform SE 7 U4 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.40.255 (Enabled) = C:\windows\SysWOW64\npDeployJava1.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
CHR - plugin: WildTangent Games App V2 Presence Detector (Enabled) = C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Jacklyn\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~2\mcafee\msc\npmcsn~1.dll
CHR - Extension: YouTube = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Fast save = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpgkoeinjnkgcieloaioiohencfcjjjc\1.1_0\
CHR - Extension: avast! WebRep = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1466_0\
CHR - Extension: EXIF Reader = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nchnjcdahncnilbicljpnbfobpnljnki\2.7.4_0\
CHR - Extension: Gmail = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2009/06/10 21:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll File not found
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [DellStage] C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe ()
O4:64bit: - HKLM..\Run: [QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4:64bit: - HKLM..\Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe ()
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [AccuWeatherWidget] C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe (Dell, Inc.)
O4 - HKLM..\Run: [Desktop Disc Tool] c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [RoxWatchTray] c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe (Sonic Solutions)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001..\Run: [Spotify] C:\Users\Jacklyn\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
O4 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001..\Run: [Spotify Web Helper] C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Policies\Microsoft\Internet Explorer\restrictions present
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87D899B5-EEBA-4AC0-AD7F-31EF7DE59B20}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\Shell - "" = AutoRun
O33 - MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\Shell\AutoRun\command - "" = E:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/25 21:59:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/10/23 19:07:23 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Roaming\Malwarebytes
[2012/10/23 19:07:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/10/23 19:07:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/10/23 19:07:09 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2012/10/23 19:07:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/10/23 19:04:19 | 010,669,952 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Jacklyn\Desktop\mbam-setup-1.65.1.1000.exe
[2012/10/23 18:44:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/21 14:02:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Jacklyn\Desktop\OTL.exe
[2012/10/21 13:59:49 | 002,213,464 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Jacklyn\Desktop\tdsskiller.exe
[2012/10/19 19:22:40 | 000,687,724 | R--- | C] (Swearware) -- C:\Users\Jacklyn\Desktop\dds.scr
[2012/10/19 18:40:55 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\Desktop\HJT
[2012/10/19 18:40:55 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2012/10/19 18:35:25 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2012/10/19 18:35:24 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Roaming\TestApp
[2012/10/19 18:22:01 | 000,000,000 | ---D | C] -- C:\windows\pss
[2012/10/19 17:46:32 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{6DA5DAD7-0C5E-4638-AE98-8A31B838EB27}
[2012/10/14 18:37:13 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\Dell Edoc Viewer
[2012/10/13 01:27:59 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{66A6EFE5-84F2-49F7-8620-33D118BFF744}
[2012/10/12 12:47:45 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{E66C16C7-A407-439A-AEFB-0BA9FD6B190A}
[2012/10/11 16:03:54 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{EE4A6E54-3801-42B0-97C0-920EA687968D}
[2012/10/10 17:18:43 | 005,559,664 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntoskrnl.exe
[2012/10/10 17:18:40 | 003,914,096 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntoskrnl.exe
[2012/10/10 17:18:39 | 003,968,880 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntkrnlpa.exe
[2012/10/10 17:18:22 | 001,162,240 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\kernel32.dll
[2012/10/10 17:18:22 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\KernelBase.dll
[2012/10/10 17:18:21 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\conhost.exe
[2012/10/10 17:18:21 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\winsrv.dll
[2012/10/10 17:18:19 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64.dll
[2012/10/10 17:18:19 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\setup16.exe
[2012/10/10 17:18:18 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64win.dll
[2012/10/10 17:18:18 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntvdm64.dll
[2012/10/10 17:18:18 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntvdm64.dll
[2012/10/10 17:18:18 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64cpu.dll
[2012/10/10 17:18:18 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wow32.dll
[2012/10/10 17:18:18 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2012/10/10 17:18:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2012/10/10 17:18:17 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2012/10/10 17:18:17 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2012/10/10 17:18:17 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/10/10 17:18:17 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/10/10 17:18:17 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2012/10/10 17:18:17 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2012/10/10 17:18:17 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/10/10 17:18:17 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2012/10/10 17:18:16 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\instnm.exe
[2012/10/10 17:18:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2012/10/10 17:18:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2012/10/10 17:18:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2012/10/10 17:18:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2012/10/10 17:18:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2012/10/10 17:18:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2012/10/10 17:18:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2012/10/10 17:18:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2012/10/10 17:18:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2012/10/10 17:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2012/10/10 17:18:14 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2012/10/10 17:18:14 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2012/10/10 17:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2012/10/10 17:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2012/10/10 17:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2012/10/10 17:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2012/10/10 17:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/10/10 17:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/10/10 17:18:13 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2012/10/10 17:18:13 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2012/10/10 17:18:13 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2012/10/10 17:18:13 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2012/10/10 17:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2012/10/10 17:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2012/10/10 17:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2012/10/10 17:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2012/10/10 17:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2012/10/10 17:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2012/10/10 17:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2012/10/10 17:18:12 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2012/10/10 17:18:12 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2012/10/10 17:18:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2012/10/10 17:18:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2012/10/10 17:18:11 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\user.exe
[2012/10/10 17:17:53 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wintrust.dll
[2012/10/10 17:17:03 | 001,464,320 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\crypt32.dll
[2012/10/10 17:17:01 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\cryptnet.dll
[2012/10/01 16:51:41 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{1C90144F-9726-4D9F-8A38-FEA2D8844A41}
[2012/09/30 16:22:47 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\Microsoft Games
[2012/09/30 11:12:53 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{6AC53B89-442E-457A-A288-9CF6177AC8CB}

========== Files - Modified Within 30 Days ==========

[2012/10/29 19:44:48 | 000,020,928 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/29 19:44:48 | 000,020,928 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/29 19:43:42 | 000,000,864 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2611650137-3530031623-2658461397-1001Core.job
[2012/10/29 19:29:50 | 000,000,916 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2611650137-3530031623-2658461397-1001UA.job
[2012/10/29 19:29:44 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/10/29 19:29:23 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/10/28 12:18:18 | 003,998,562 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2012/10/28 12:18:18 | 001,817,108 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2012/10/28 12:18:18 | 000,006,498 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2012/10/24 23:42:10 | 2903,519,232 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/23 19:07:14 | 000,001,115 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/23 19:03:54 | 010,669,952 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Jacklyn\Desktop\mbam-setup-1.65.1.1000.exe
[2012/10/21 14:36:08 | 000,165,376 | ---- | M] () -- C:\Users\Jacklyn\Desktop\SystemLook_x64.exe
[2012/10/21 14:03:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jacklyn\Desktop\OTL.exe
[2012/10/21 13:59:58 | 002,213,464 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Jacklyn\Desktop\tdsskiller.exe
[2012/10/19 19:22:50 | 000,687,724 | R--- | M] (Swearware) -- C:\Users\Jacklyn\Desktop\dds.scr
[2012/10/19 18:40:55 | 000,002,997 | ---- | M] () -- C:\Users\Jacklyn\Desktop\HiJackThis.lnk
[2012/10/19 17:50:31 | 000,000,624 | ---- | M] () -- C:\windows\SysNative\drivers\kgpcpy.cfg
[2012/10/19 01:20:44 | 083,023,306 | ---- | M] () -- C:\ProgramData\erolpxei.pad
[2012/10/09 17:09:01 | 000,017,689 | ---- | M] () -- C:\Users\Jacklyn\Desktop\division_singles_entry_forms.pdf
[2012/10/09 17:08:16 | 000,110,193 | ---- | M] () -- C:\Users\Jacklyn\Desktop\super_cups.pdf
[2012/10/09 17:07:37 | 000,026,422 | ---- | M] () -- C:\Users\Jacklyn\Desktop\division_2_cup.pdf
[2012/10/09 16:51:23 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerApp.exe
[2012/10/09 16:51:22 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/10/23 19:07:14 | 000,001,115 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/21 14:36:06 | 000,165,376 | ---- | C] () -- C:\Users\Jacklyn\Desktop\SystemLook_x64.exe
[2012/10/19 18:40:55 | 000,002,997 | ---- | C] () -- C:\Users\Jacklyn\Desktop\HiJackThis.lnk
[2012/10/19 17:50:09 | 000,000,624 | ---- | C] () -- C:\windows\SysNative\drivers\kgpcpy.cfg
[2012/10/18 23:59:25 | 083,023,306 | ---- | C] () -- C:\ProgramData\erolpxei.pad
[2012/10/09 17:09:00 | 000,017,689 | ---- | C] () -- C:\Users\Jacklyn\Desktop\division_singles_entry_forms.pdf
[2012/10/09 17:08:16 | 000,110,193 | ---- | C] () -- C:\Users\Jacklyn\Desktop\super_cups.pdf
[2012/10/09 17:07:36 | 000,026,422 | ---- | C] () -- C:\Users\Jacklyn\Desktop\division_2_cup.pdf
[2012/06/15 21:14:39 | 000,819,200 | -HS- | C] () -- C:\windows\SysWow64\xvidcore.dll
[2012/06/15 21:14:39 | 000,180,224 | -HS- | C] () -- C:\windows\SysWow64\xvidvfw.dll
[2012/06/13 23:20:06 | 000,000,287 | ---- | C] () -- C:\windows\SIERRA.INI
[2012/06/13 18:45:23 | 000,197,120 | ---- | C] () -- C:\windows\patchw32.dll
[2012/03/28 03:53:00 | 000,003,929 | ---- | C] () -- C:\windows\SysWow64\atipblag.dat
[2012/03/28 02:15:37 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin
[2012/03/28 02:06:11 | 000,017,776 | ---- | C] () -- C:\windows\EvtMessage.dll
[2012/02/26 12:02:17 | 000,000,096 | ---- | C] () -- C:\windows\LaunApp.ini
[2012/02/26 12:02:12 | 000,000,325 | ---- | C] () -- C:\windows\Prelaunch.ini
[2012/02/26 12:02:12 | 000,000,271 | ---- | C] () -- C:\windows\WisPriority.ini
[2012/02/26 12:02:12 | 000,000,035 | ---- | C] () -- C:\windows\DELL_LANGCODE.ini
[2012/02/26 12:02:12 | 000,000,033 | ---- | C] () -- C:\windows\DELL_OSTYPE.ini
[2012/02/26 12:02:12 | 000,000,032 | ---- | C] () -- C:\windows\WisHWDest.ini
[2012/02/26 12:02:12 | 000,000,028 | ---- | C] () -- C:\windows\WisLangCode.ini
[2012/02/26 12:02:12 | 000,000,023 | ---- | C] () -- C:\windows\WisSysInfo.ini
[2012/02/26 10:54:12 | 000,788,116 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/07/13 23:55:06 | 000,053,760 | ---- | C] () -- C:\windows\SysWow64\OVDecode.dll

========== ZeroAccess Check ==========

[2009/07/14 04:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 05:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 04:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 01:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 03:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 01:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/06/13 19:06:33 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Atari
[2012/09/17 20:21:27 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\DAEMON Tools Pro
[2012/08/06 10:26:28 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Electronic Arts
[2012/06/10 22:01:22 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Fingertapps
[2012/07/25 09:33:39 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\IDT
[2012/06/10 22:01:05 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Leadertech
[2012/06/14 16:50:58 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\PCDr
[2012/10/28 20:23:46 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\SoftGrid Client
[2012/06/28 04:14:59 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\SPORE
[2012/10/29 19:55:52 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Spotify
[2012/10/19 18:35:24 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\TestApp
[2012/06/25 22:04:07 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\TP
[2012/08/29 20:14:57 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Unity
[2012/06/19 18:35:01 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\WildTangent

========== Purity Check ==========



< End of report >
ColinL
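The ZeroAccess Check above lists, for each CLSID it cares about, both the HKCU and the HKLM InProcServer32 key. The reason is that HKCU\Software\Classes shadows HKLM\Software\Classes in the merged HKEY_CLASSES_ROOT view, so a per-user InProcServer32 value silently redirects every non-elevated process that instantiates that class (explorer.exe, the WMI service pieces) to whatever DLL it names, with no HKLM change and no new Run entry to spot. In this log the HKCU keys are empty and the HKLM values point at shell32.dll, fastprox.dll and wbemess.dll, which is the clean result. The same log carries two other things worth a second look: files created with Hidden+System attributes and no version information (the two xvid DLLs in SysWow64), and a MountPoints2 AutoRun command for a device that was mounted as E:\.

Below is an added example, not part of the original post and not OTL's own code, that parses those three line shapes out of an OTL log and turns them into findings. The regexes follow the formats visible above; SAMPLE is built from lines in this log plus one constructed, hypothetical hijacked HKCU entry (the {00000000-...} path) so the COM check has something to catch. The expected DLL for {fbeb8a05-...} is an assumption, since the log shows no HKLM entry for it.

```python
"""Triage helpers for OTL log sections: file-creation entries, MountPoints2
autorun commands and the ZeroAccess COM check.

Added example; not part of the original post and not OTL's own code.  The
regexes follow the line shapes visible in the log; SAMPLE is constructed
from lines in that log plus one hypothetical hijacked HKCU entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# [date time | size | attrs | C|M] (Company) -- path   (directory entries carry
# no "(Company)" field and therefore do not match, which is intended)
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<op>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]( /64)?$")
DEFAULT_RE = re.compile(r'^"" = (?P<dll>.+?)(?: -- \[.*)?$')
MOUNT_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<id>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)

# CLSIDs the ZeroAccess check inspects, with the DLL their HKLM InProcServer32
# default value should name.  The first three come from the HKLM entries in the
# log above; the fourth is an assumption (the log shows no HKLM entry for it).
EXPECTED_DLL = {
    "{42aedc87-2188-41fd-b9a3-0c966feabec1}": "shell32.dll",
    "{5839fca9-774d-42a1-acda-d6a79037f57f}": "fastprox.dll",
    "{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}": "wbemess.dll",
    "{fbeb8a05-beee-4442-804e-409d6c4515e9}": "shell32.dll",  # assumed
}


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "low"
    rule: str
    detail: str


def _clsid(key: str) -> str:
    m = re.search(r"\{[0-9a-f-]{36}\}", key, re.I)
    return m.group(0).lower() if m else ""


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key: str | None = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            attr, company, path = m["attr"], m["company"].strip(), m["path"]
            # Hidden+System on a file with no version resource is the classic
            # dropper signature; hidden alone is not (the api-ms-win stubs in
            # the log are hidden by design and carry a vendor name).
            if "H" in attr and "S" in attr and not company:
                findings.append(Finding("medium", "hidden+system file, no version info", path))
            elif not company and re.search(r"\\(windows|programdata)\\", path, re.I):
                findings.append(Finding("low", "no version info, system directory", path))
        elif m := MOUNT_RE.match(line):
            # A MountPoints2 AutoRun command records a device whose autorun.inf
            # Explorer has processed; worth establishing what that drive was.
            findings.append(Finding("medium", "MountPoints2 autorun command",
                                    f"{m['id']} -> {m['cmd']}"))
        elif m := KEY_RE.match(line):
            current_key = m["key"]
        elif current_key and (m := DEFAULT_RE.match(line)):
            dll = m["dll"].strip()
            clsid = _clsid(current_key)
            if current_key.upper().startswith("HKEY_CURRENT_USER"):
                # HKCU\Software\Classes shadows HKLM in the merged HKCR view, so
                # a per-user InProcServer32 redirects every non-elevated process
                # that instantiates this class to the named DLL.
                findings.append(Finding("high", "per-user COM hijack (HKCU InProcServer32 set)",
                                        f"{clsid} -> {dll}"))
            else:
                expected = EXPECTED_DLL.get(clsid)
                if expected and dll.lower().rsplit("\\", 1)[-1] != expected:
                    findings.append(Finding("high", "HKLM InProcServer32 names unexpected DLL",
                                            f"{clsid} -> {dll} (expected {expected})"))
        elif not line:
            current_key = None  # OTL separates registry key blocks with a blank line
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: lines taken from the log above, plus one hypothetical
# hijacked HKCU entry (the {00000000-...} path) at the end.
SAMPLE = r"""
[2012/06/15 21:14:39 | 000,819,200 | -HS- | C] () -- C:\windows\SysWow64\xvidcore.dll
[2012/10/18 23:59:25 | 083,023,306 | ---- | C] () -- C:\ProgramData\erolpxei.pad
[2012/10/23 19:07:09 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2012/10/10 17:18:18 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
O33 - MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\Shell\AutoRun\command - "" = E:\autorun.exe

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 05:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
"" = C:\Users\victim\AppData\Local\{00000000-0000-0000-0000-000000000000}\n.
"ThreadingModel" = Apartment
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

Run against the full OTL.txt rather than SAMPLE to get the same four categories of finding for a real log; anything reported as "high" is worth a SystemLook or registry export before it is removed, because a hijacked InProcServer32 also tells you where the payload DLL lives.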

Re: Final stages of ransomware removal

Post by ColinL » October 29th, 2012, 4:04 pm

Fresh Extras log:

OTL Extras logfile created on: 29/10/2012 19:36:53 - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Jacklyn\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.61 Gb Total Physical Memory | 1.79 Gb Available Physical Memory | 49.61% Memory free
7.21 Gb Paging File | 4.62 Gb Available in Paging File | 64.04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 362.88 Gb Free Space | 80.46% Space Free | Partition Type: NTFS

Computer Name: JACKLYN-PC | User Name: Jacklyn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03587A81-B4C8-44FA-8284-2C8E8AAA0498}" = rport=10243 | protocol=6 | dir=out | app=system |
"{05C442DC-D99A-4019-B3CC-7FF071814D27}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{18D28917-6174-4BBC-B01B-BF2376C4AB42}" = lport=10243 | protocol=6 | dir=in | app=system |
"{237E9FED-C353-4587-91C7-B00FAF66CB8D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{23C614EE-E28B-47F5-82EF-5EE044263497}" = rport=137 | protocol=17 | dir=out | app=system |
"{24177875-A199-4CCA-B47F-8BDC97E20117}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{345B7DEE-438B-49ED-8BB0-613000F22CEE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{353D6EBC-EFC3-4753-8567-518AB842BA5D}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{56582ED5-FC87-4558-86C3-FC4B2BCFEB79}" = lport=2869 | protocol=6 | dir=in | app=system |
"{61EFB818-04A2-45B1-964C-AE79A2E8FDB6}" = lport=138 | protocol=17 | dir=in | app=system |
"{6399185B-EFF3-4D6D-92CD-65A412B05DAA}" = lport=137 | protocol=17 | dir=in | app=system |
"{64792C8F-1E76-4EB0-84C6-550689FF0CE5}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7E558730-F542-481E-9B2D-C9C2338EBE86}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{81D35255-4CD1-4599-AE78-C9E834593852}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{82AE8E11-B7EB-4A75-9F01-F72DD61E9175}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{99D163DE-CCB1-4EB1-9E7B-B99567CB952F}" = rport=138 | protocol=17 | dir=out | app=system |
"{AE0B1B47-34A0-4195-9DC6-6A93F816D662}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B08D657C-A854-449F-B5EE-104CE9312707}" = lport=445 | protocol=6 | dir=in | app=system |
"{B523B65F-9032-4986-9B77-377D52C6B2A9}" = rport=139 | protocol=6 | dir=out | app=system |
"{BE04528A-AD4D-473A-ADA6-BE643D0EFE18}" = rport=445 | protocol=6 | dir=out | app=system |
"{C4A956EB-192B-4E4E-A095-D7E1BC9A4296}" = lport=139 | protocol=6 | dir=in | app=system |
"{C5B3AAF1-0BFD-453F-8915-1157B34CCAA6}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{EE4D6131-829F-4502-A65C-F01ED690CE99}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A2DFCD5-609A-4C9A-A3D8-E001F3E70130}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{167D240E-A73D-48B7-9AAF-5AB9C7D408E7}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{19FDA39B-E19B-406D-94EC-19DC973C3224}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{2BA0CFBD-32B3-4B8F-A342-688FEF12800E}" = protocol=17 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"{33985FE9-540B-4DA2-8087-1DFD354D7BF2}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremoteservice.exe |
"{35E0178B-CC86-4E56-9BFF-D2FEEE03B294}" = protocol=17 | dir=in | app=c:\program files (x86)\deep silver\s.t.a.l.k.e.r. - clear sky\bin\dedicated\xrengine.exe |
"{392B76EE-00F0-457E-A833-A355C34F09FB}" = protocol=6 | dir=out | app=system |
"{3A6ACD04-6E5D-4D8B-A37E-B167ED074584}" = dir=in | app=c:\program files\dell stage\dell stage\accuweather\accuweather.exe |
"{414CC7D1-6277-437D-82FF-B881A921DC80}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{444100AD-1CC8-4BEB-BC1D-5D6034668A81}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{484EF2CD-5D6C-4888-ACAB-FF72C72C9FFD}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{48B9DDE7-8CD1-46CB-8C26-C2A0895D95ED}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{4BA28F52-3522-4ED1-B7E1-D39F2B56D5CE}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremote.exe |
"{4C19E1A0-F0F8-4566-A50F-A1E3DF7BDDB8}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{4CB8862C-ACF1-4BA3-85A5-AFBE8CD5EADB}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{587F16E7-10C2-445A-8E9B-0C25E95F4CDE}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\controller.exe |
"{58B9E318-D8FC-45F2-8765-99E24CB80024}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{614A2B98-1216-47BF-9ED1-ECEC962B74B3}" = protocol=17 | dir=in | app=c:\program files (x86)\deep silver\s.t.a.l.k.e.r. - clear sky\bin\xrengine.exe |
"{6A307EBE-9FCB-43AF-93C0-77E932AC4625}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremote.exe |
"{6F2A80B5-8997-43C6-A0DC-AB5DEAB2173F}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\dmr.exe |
"{71E07BDF-1F24-43FA-9C1A-AEFBAE6C1E08}" = dir=in | app=c:\program files\dell stage\dell stage\stage_primary.exe |
"{7594C316-B235-4361-81CF-205F38A4F431}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{816873CE-0C86-42EA-8714-81430E24BD92}" = protocol=6 | dir=in | app=c:\program files (x86)\deep silver\s.t.a.l.k.e.r. - clear sky\bin\xrengine.exe |
"{84653354-AEC6-4040-8950-5022F5BC6539}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\dmr.exe |
"{86E61FAB-8719-4D4A-977D-F92AED47551C}" = dir=in | app=c:\program files\dell stage\musicstage\musicstageengine.exe |
"{8B438362-CE73-40DB-B4A8-676E5DA99D19}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremoteservice.exe |
"{8EFCB0A7-A7F0-463F-BE6D-297378048B39}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{92EC8823-FBB2-4F08-929E-B53DE037A08B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{94728F65-5CEC-407A-856B-4E689992C62B}" = protocol=6 | dir=in | app=c:\program files (x86)\deep silver\s.t.a.l.k.e.r. - clear sky\bin\dedicated\xrengine.exe |
"{95B1D254-0D07-4C55-AC8A-E0ADC4B68BA0}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{A2E2009F-AD38-41A2-8FFF-D8EB6927F837}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{A31773F8-B5D5-4186-AC26-4C6140D4CC8D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B07B710F-A591-4DE2-8742-47593EF96DC3}" = protocol=6 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
"{B4E5468E-E626-4450-9496-3FE0681E006B}" = protocol=17 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
"{B5EE4B99-D541-46AA-94DB-67A70015F9DA}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{B6CBB6C8-A97E-43B2-937D-0E5E8921A0B8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{BAEAD94D-964B-4875-A6DD-92E8A73C69B8}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{C26B62A9-6A9E-4D99-ACDB-35A674BF72F0}" = dir=in | app=c:\program files (x86)\dell\videostage\videostage.exe |
"{C26D7175-F4E5-4FE1-8D9F-998026D18216}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe |
"{C96804BF-EE8C-4577-9CA9-817717EC3A85}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\installerhelp.exe |
"{CD1E90F2-9220-459B-9E6D-654B21B38129}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\controller.exe |
"{CD6BF49D-E6B2-491F-A542-D0A3347AF2E3}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{CFF289A0-6C89-4EB1-BAA9-40D52B420F30}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{D995F622-AA56-464D-9447-1157858B5171}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DAB7C9CD-22C0-48DE-8735-E9DE35532559}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\installerhelp.exe |
"{E4CF0872-C8F1-4D64-B168-2650C89A228F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E6D22196-95E1-48DE-8742-A4E2F477EC73}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{F683ABBC-71F7-40AC-A719-D6475864ABD3}" = protocol=6 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"{FE08CEE4-6F19-4457-AC90-A98191349AD2}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"TCP Query User{13C61F8B-A71F-4F2A-90B6-275215A5C469}C:\program files (x86)\defcon\defcon.exe" = protocol=6 | dir=in | app=c:\program files (x86)\defcon\defcon.exe |
"TCP Query User{A1BAEDDE-9E57-4EAC-904A-31E357591CAC}C:\xampp\apache\bin\httpd.exe" = protocol=6 | dir=in | app=c:\xampp\apache\bin\httpd.exe |
"TCP Query User{D09324D4-C497-4F49-853E-067B77CC6DCB}C:\users\jacklyn\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\jacklyn\appdata\roaming\spotify\spotify.exe |
"UDP Query User{6A3AF2AE-DCD0-431F-BFF1-C120818D1183}C:\xampp\apache\bin\httpd.exe" = protocol=17 | dir=in | app=c:\xampp\apache\bin\httpd.exe |
"UDP Query User{B094F9D3-7A78-4C56-B63A-9C153A9ADA2E}C:\users\jacklyn\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\jacklyn\appdata\roaming\spotify\spotify.exe |
"UDP Query User{DDF2F20E-0972-4373-A9F8-04280EB98D23}C:\program files (x86)\defcon\defcon.exe" = protocol=17 | dir=in | app=c:\program files (x86)\defcon\defcon.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{027E5FAB-1476-4C59-AAB4-32EF28520399}" = Windows Live Language Selector
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10
"{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}" = Cisco Systems VPN Client 5.0.07.0440
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{6A29BC26-68EB-EE27-0775-C6A5D9880FB8}" = ATI AVIVO64 Codecs
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{87CF757E-C1F1-4D22-865C-00C6950B5258}" = Quickset64
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D6DFAD6-09E5-445E-A4B5-A388FEEBD90D}" = RBVirtualFolder64Inst
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{AB7F413C-C973-1E76-1500-A379C6876468}" = ccc-utility64
"{D44E2164-C3EA-09BF-8396-07BFF727025A}" = AMD Media Foundation Decoders
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F6B0EA7E-5C19-7421-C2EB-927DA66A1081}" = AMD Catalyst Install Manager
"{F82DEF3B-AB08-942C-3EA9-18277410B384}" = AMD Fuel
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"PC-Doctor for Windows" = Dell Support Center
"WinRAR archiver" = WinRAR 4.20 beta 3 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0ED7EE95-6A97-47AA-AD73-152C08A15B04}" = Dell DataSafe Local Backup
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2244FF47-8247-C94C-4459-0B6F57495400}" = CCC Help Hungarian
"{2299EEBD-0A83-4B26-AA4A-057AE9E5BAE8}" = Dell Stage Remote
"{25AE6DBA-D866-1325-1F82-D6BFFA4D6110}" = CCC Help Chinese Standard
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2A0F2CC5-3065-492C-8380-B03AA7106B1A}" = Dell Product Registration
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{315B5C4F-8FB3-117A-DB04-C09D99781848}" = Catalyst Control Center Profiles Mobile
"{3250260C-7A95-4632-893B-89657EB5545B}" = PhotoShowExpress
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{33B2BCA3-DAAA-92E4-A612-1E25349CC439}" = Catalyst Control Center Localization All
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3BD7DD08-991B-4A2F-A165-614ED14EAADD}" = Dell MusicStage
"{400182B4-CA55-46A9-9D88-F8413DCFB36D}" = Blio
"{4296F858-23E0-1875-96F4-ECAC0B65B2A5}" = CCC Help Russian
"{44619C87-6A22-E5B5-B756-A4E87CF287ED}" = CCC Help Japanese
"{451517F1-7E41-400B-AA36-FB7E2563526D}" = Dell Wireless Driver Installation
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4CDFB50C-EFC7-5740-8351-9DA8327076AB}" = CCC Help Chinese Traditional
"{51F2D101-6579-CA0C-0B69-DEC94C4C7EC9}" = CCC Help German
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{58DB59A3-47B7-CB43-8AAA-400A6EB3FAD3}" = CCC Help Korean
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{63229B8B-B757-2A22-D56B-36CA72DD401B}" = CCC Help Greek
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}" = Roxio Creator Starter
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73B91779-D763-560C-2623-5835DFBC5016}" = CCC Help Thai
"{7746BFAA-2B5D-4FFD-A0E8-4558F4668105}" = Roxio Burn
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B09AC97-2063-0928-0C94-7330E4AEF4D9}" = CCC Help Danish
"{8B16758A-B4E4-F49C-76C4-13D2A067CC24}" = CCC Help Swedish
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon® 3
"{91CF243B-116F-965D-726C-89713A3B1922}" = CCC Help Norwegian
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{933FBD25-7171-D8B5-3E31-095750D6BD8C}" = CCC Help Finnish
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{97F75C51-951B-E04C-8CFD-25900D388693}" = CCC Help Polish
"{98AB97E8-FA29-02A4-941D-222C4A83DAC3}" = AMD VISION Engine Control Center
"{9A00EC4E-27E1-42C4-98DD-662F32AC8870}" = Sonic CinePlayer Decoder Pack
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A121EEDE-C68F-461D-91AA-D48BA226AF1C}" = Roxio Activation Module
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A9668246-FB70-4103-A1E3-66C9BC2EFB49}" = Dell DataSafe Local Backup - Support Software
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.4) MUI
"{AD57ECE4-976A-0447-4C4C-644C6059341F}" = CCC Help Turkish
"{AF4D3C63-009B-4A17-B02E-D395065DD3F0}" = Dell Stage Remote
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{AFEA7544-6B97-4867-A94D-1C39BA61B64F}" = Catalyst Control Center - Branding
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B106F6AB-EEC6-FCC3-1492-0A54E7B0D52E}" = CCC Help French
"{B191A02C-9F58-C0B1-6996-12C612B214E0}" = Catalyst Control Center InstallProxy
"{B62174EB-2AE6-D3A0-381D-DA9FDBF70C82}" = CCC Help Czech
"{B73009A8-78AB-47D2-9D63-99271D9457B1}" = CCC Help Italian
"{BE731865-5041-3F42-C7E9-68292DB8A044}" = Catalyst Control Center Graphics Previews Common
"{C594B957-CC60-589C-D825-E6406D8759F5}" = CCC Help Spanish
"{C5BF5D70-6C6E-915A-A3DA-F4F86ACEEFE3}" = CCC Help Portuguese
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CED8DCFA-2DD0-49EF-377A-F414B644D8E3}" = CCC Help English
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}" = Dell VideoStage
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E4335E82-17B3-460F-9E70-39D9BC269DB3}" = Dell PhotoStage
"{E50FD74A-DAAC-C9D0-F9D8-EDCDD08CAB2D}" = CCC Help Dutch
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{EA926717-CE5A-4CB4-AB21-9E6E9565A458}" = RCT3 Soaked
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EF56258E-0326-48C5-A86C-3BAC26FC15DF}" = Roxio Creator Starter
"{F06B5C4C-8D2E-4B24-9D43-7A45EEC6C878}" = Roxio Creator Starter
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{FC45E4D6-FEA5-4091-B172-4351D130C2E1}" = Dell Stage
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"avast" = avast! Free Antivirus
"Defcon_is1" = Defcon v1.6
"Dell Webcam Central" = Dell Webcam Central
"DivX Codec" = DivX Codec
"InstallShield_{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}" = Dell VideoStage
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010
"S.T.A.L.K.E.R. - Clear Sky_is1" = S.T.A.L.K.E.R. - Clear Sky [v1.0003]
"S.W.A.T. 4_is1" = S.W.A.T. 4
"VLC media player" = VLC media player 2.0.0
"WinLiveSuite" = Windows Live Essentials
"xampp" = XAMPP 1.7.7

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"EA SPORTS Game Face Browser Plugin" = EA SPORTS Game Face Browser Plugin 1.5.3.0
"Google Chrome" = Google Chrome
"Spotify" = Spotify

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 10/09/2012 13:49:09 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 11/09/2012 03:29:37 | Computer Name = Jacklyn-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/09/2012 03:33:21 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 11/09/2012 03:33:21 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 11/09/2012 03:39:42 | Computer Name = Jacklyn-PC | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed:

Error - 12/09/2012 02:49:04 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 12/09/2012 02:49:04 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 12/09/2012 02:57:39 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 12/09/2012 02:57:39 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 12/09/2012 03:26:55 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

[ Dell Events ]
Error - 10/06/2012 18:11:23 | Computer Name = Jacklyn-PC | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 10/06/2012 18:11:23 | Computer Name = Jacklyn-PC | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/06/2012 17:29:16 | Computer Name = Jacklyn-PC | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

[ System Events ]
Error - 11/10/2012 21:31:30 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7024
Description = The Apache2.2 service terminated with service-specific error %%1.

Error - 12/10/2012 08:46:48 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the SftService service.

Error - 12/10/2012 08:47:42 | Computer Name = Jacklyn-PC | Source = WMPNetworkSvc | ID = 866300
Description =

Error - 12/10/2012 10:51:57 | Computer Name = Jacklyn-PC | Source = DCOM | ID = 10010
Description =

Error - 12/10/2012 10:52:04 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7024
Description = The Apache2.2 service terminated with service-specific error %%1.

Error - 12/10/2012 11:54:40 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the SftService service.

Error - 12/10/2012 11:55:10 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the SftService service.

Error - 15/10/2012 08:16:45 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the STacSV service.

Error - 15/10/2012 17:10:30 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Wlansvc service.

Error - 18/10/2012 12:34:13 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Wlansvc service.


< End of report >
ColinL
Active Member
Posts: 12
Joined: October 19th, 2012, 2:51 pm

Re: Final stages of ransomware removal

Unread postby ColinL » October 29th, 2012, 4:33 pm

Fresh SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 20:19 on 29/10/2012 by Jacklyn
Administrator - Elevation successful

========== filefind ==========

Searching for "*Conduit*"
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Feeds\http___alerts_conduit-services_com_root_897164_892962_UK.xml --a---- 188 bytes [19:01 11/06/2012] [20:29 11/06/2012] E2A87E535CF5282072AA46166D27D1DF

Searching for "*Funmoods*"
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\Local\funmoods.crx --a---- 31470 bytes [20:38 11/06/2012] [20:38 11/06/2012] BC64C97573527DDBC0F6522A28E6C96E
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\style\funmoods_chrome_1.0.1.css --a---- 1915 bytes [20:05 12/06/2012] [20:05 12/06/2012] 932E88939025DEA549719B7FFB869668

========== folderfind ==========

Searching for "*Conduit*"
C:\_OTL\MovedFiles\10232012_194419\C_Program Files (x86)\Conduit d------ [18:54 11/06/2012]
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\Local\Conduit d------ [18:54 11/06/2012]
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\LocalLow\Conduit d------ [18:54 11/06/2012]

Searching for "*Funmoods*"
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods d------ [20:05 12/06/2012]
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\f.funmoods.com d------ [19:03 10/10/2012]
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\macromedia.com\support\flashplayer\sys\#f.funmoods.com d------ [19:03 10/10/2012]
C:\_OTL\MovedFiles\10232012_194419\C_Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#f.funmoods.com d------ [21:04 04/08/2012]

Searching for "*Vuze*"
C:\Users\Jacklyn\Documents\Vuze Downloads d------ [19:05 11/06/2012]

========== Regfind ==========

Searching for "Conduit"
[HKEY_CURRENT_USER\Software\Conduit]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
@="Conduit Community Alerts"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32]
@="C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
@="Conduit Community Alerts"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32]
@="C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit]

Searching for "Funmoods"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortApp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortApp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
"path"="C:\Users\Jacklyn\AppData\Local\funmoods.crx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortApp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"

Searching for "trolltech"
[HKEY_CURRENT_USER\Software\Trolltech]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Trolltech]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]

Searching for "Vuze"
[HKEY_CURRENT_USER\Software\Conduit\AppPaths\Vuze.exe]
[HKEY_CURRENT_USER\Software\Conduit\AppPaths\Vuze.exe]
"AppPath"="C:\Program Files (x86)\Vuze\Azureus.exe"
[HKEY_CURRENT_USER\Software\Classes\BC\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\BC\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\BCTP\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\BCTP\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\DHT\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\DHT\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"="Azureus"
[HKEY_CURRENT_USER\Software\Classes\Magnet\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command]
"@"=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\Vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\AppPaths\Vuze.exe]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\AppPaths\Vuze.exe]
"AppPath"="C:\Program Files (x86)\Vuze\Azureus.exe"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"="Azureus"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command]
"@"=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"="Azureus"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command]
"@"=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze]

-= EOF =-
ColinL
Active Member
 
Posts: 12
Joined: October 19th, 2012, 2:51 pm

Re: Final stages of ransomware removal

Unread postby Gary R » October 29th, 2012, 5:45 pm

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
:Files
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe
C:\Users\Jacklyn\Downloads\DAEMONToolsPro510-0333.exe
C:\Users\Jacklyn\Documents\Vuze Downloads
C:\Program Files (x86)\Vuze
ipconfig flushdns /c

:Reg
[-HKEY_CURRENT_USER\Software\Conduit]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
[-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
[-HKEY_CURRENT_USER\Software\Trolltech]
[-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Trolltech]
[-HKEY_CURRENT_USER\Software\Conduit]
[HKEY_CURRENT_USER\Software\Classes\BC\DefaultIcon]
@=-
[HKEY_CURRENT_USER\Software\Classes\BC\shell\open\command]
@=-
[HKEY_CURRENT_USER\Software\Classes\BCTP\DefaultIcon]
@=-
[HKEY_CURRENT_USER\Software\Classes\BCTP\shell\open\command]
@=-
[HKEY_CURRENT_USER\Software\Classes\DHT\DefaultIcon]
@=-
[HKEY_CURRENT_USER\Software\Classes\DHT\shell\open\command]
@=-
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"=-
[HKEY_CURRENT_USER\Software\Classes\Magnet\DefaultIcon]
@=-
[HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command]
@=-
[HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command]
"@"=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\Vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\shell\open\command]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\shell\open\command]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command]
"@"=-
[-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\shell\open\command]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\shell\open\command]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\shell\open\command]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command]
@=-
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command]
"@"=-
[-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze]

:OTL
O33 - MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\Shell - "" = AutoRun
O33 - MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\Shell\AutoRun\command - "" = E:\autorun.exe
[2012/10/19 17:46:32 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{6DA5DAD7-0C5E-4638-AE98-8A31B838EB27}
[2012/10/13 01:27:59 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{66A6EFE5-84F2-49F7-8620-33D118BFF744}
[2012/10/12 12:47:45 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{E66C16C7-A407-439A-AEFB-0BA9FD6B190A}
[2012/10/11 16:03:54 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{EE4A6E54-3801-42B0-97C0-920EA687968D}
[2012/10/01 16:51:41 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{1C90144F-9726-4D9F-8A38-FEA2D8844A41}
[2012/09/30 11:12:53 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{6AC53B89-442E-457A-A288-9CF6177AC8CB}

:Commands
[emptytemp]
[resethosts]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so; if it does, re-boot your computer. A log will be produced upon re-boot.

Summary of the logs I need from you in your next post:
  • OTL log
  • Let me know how your computer is behaving now please.


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Final stages of ransomware removal

Unread postby ColinL » October 29th, 2012, 6:16 pm

All processes killed
========== FILES ==========
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe moved successfully.
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe moved successfully.
C:\Users\Jacklyn\Downloads\DAEMONToolsPro510-0333.exe moved successfully.
C:\Users\Jacklyn\Documents\Vuze Downloads folder moved successfully.
File\Folder C:\Program Files (x86)\Vuze not found.
< ipconfig flushdns /c >
Error: unrecognized or incomplete command line.
USAGE:
ipconfig [/allcompartments] [/? | /all |
/renew [adapter] | /release [adapter] |
/renew6 [adapter] | /release6 [adapter] |
/flushdns | /displaydns | /registerdns |
/showclassid adapter |
/setclassid adapter [classid] |
/showclassid6 adapter |
/setclassid6 adapter [classid] ]
where
adapter Connection name
(wildcard characters * and ? allowed, see examples)
Options:
/? Display this help message
/all Display full configuration information.
/release Release the IPv4 address for the specified adapter.
/release6 Release the IPv6 address for the specified adapter.
/renew Renew the IPv4 address for the specified adapter.
/renew6 Renew the IPv6 address for the specified adapter.
/flushdns Purges the DNS Resolver cache.
/registerdns Refreshes all DHCP leases and re-registers DNS names
/displaydns Display the contents of the DNS Resolver Cache.
/showclassid Displays all the dhcp class IDs allowed for adapter.
/setclassid Modifies the dhcp class id.
/showclassid6 Displays all the IPv6 DHCP class IDs allowed for adapter.
/setclassid6 Modifies the IPv6 DHCP class id.
The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.
For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.
For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.
Examples:
> ipconfig ... Show information
> ipconfig /all ... Show detailed information
> ipconfig /renew ... renew all adapters
> ipconfig /renew EL* ... renew any connection that has its
name starting with EL
> ipconfig /release *Con* ... release all matching connections,
eg. "Local Area Connection 1" or
"Local Area Connection 2"
> ipconfig /allcompartments ... Show information about all
compartments
> ipconfig /allcompartments /all ... Show detailed information about all
compartments
C:\Users\Jacklyn\Desktop\cmd.bat deleted successfully.
C:\Users\Jacklyn\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Conduit\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ not found.
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Trolltech\ not found.
Registry key HKEY_CURRENT_USER\Software\Conduit\ not found.
Registry value HKEY_CURRENT_USER\Software\Classes\BC\DefaultIcon\\@ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\BC\shell\open\command\\@ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\BCTP\DefaultIcon\\@ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\BCTP\shell\open\command\\@ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\DHT\DefaultIcon\\@ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\DHT\shell\open\command\\@ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\program files (x86)\vuze\azureus.exe deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\Magnet\DefaultIcon\\@ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command\\@ deleted successfully.
HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command\\"@"|""C:\Program Files (x86)\Vuze\Azureus.exe" "%1"" /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\DefaultIcon\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\shell\open\command\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\DefaultIcon\\@ not found.
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\shell\open\command\\@|""C:\Program Files (x86)\Vuze\Azureus.exe" "%1"" /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\DefaultIcon\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\shell\open\command\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\program files (x86)\vuze\azureus.exe not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\DefaultIcon\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command\\@ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command\\@ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\DefaultIcon\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\shell\open\command\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\DefaultIcon\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\shell\open\command\\@ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\DefaultIcon\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\shell\open\command\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\program files (x86)\vuze\azureus.exe not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\DefaultIcon\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command\\@ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command\\@ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze not found.
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\ not found.
File E:\autorun.exe not found.
C:\Users\Jacklyn\AppData\Local\{6DA5DAD7-0C5E-4638-AE98-8A31B838EB27} folder moved successfully.
C:\Users\Jacklyn\AppData\Local\{66A6EFE5-84F2-49F7-8620-33D118BFF744} folder moved successfully.
C:\Users\Jacklyn\AppData\Local\{E66C16C7-A407-439A-AEFB-0BA9FD6B190A} folder moved successfully.
C:\Users\Jacklyn\AppData\Local\{EE4A6E54-3801-42B0-97C0-920EA687968D} folder moved successfully.
C:\Users\Jacklyn\AppData\Local\{1C90144F-9726-4D9F-8A38-FEA2D8844A41} folder moved successfully.
C:\Users\Jacklyn\AppData\Local\{6AC53B89-442E-457A-A288-9CF6177AC8CB} folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jacklyn
->Temp folder emptied: 31796 bytes
->Temporary Internet Files folder emptied: 1255428 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 366307777 bytes
->Flash cache emptied: 291 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 19158 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 278322 bytes

Total Files Cleaned = 351.00 mb

C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 10292012_220724

Files\Folders moved on Reboot...
C:\Users\Jacklyn\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Computer seems to be fine. There are no popups and the internet is slightly faster, but I am no expert when it comes to malware/viruses etc.

Just want to get back to being able to buy and bank online....
ColinL
Active Member
 
Posts: 12
Joined: October 19th, 2012, 2:51 pm
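As an added check, not part of the thread and not OTL's own code: a small Python script that classifies the outcome lines of an OTL fix log (deleted, moved, not found, value set, command error) and lints the :Reg section of a fix script for lines that write a value instead of deleting one. In the log above, `@=-` produced "Registry value ... deleted successfully" while `@=""C:\...""` and `"@"=""C:\...""` produced "value set successfully!", so a removal script that contains anything other than `=-` on a value line is almost certainly a typo worth catching before Run Fix. The sample log and script lines below are shortened excerpts constructed from the posts above (the SID is abbreviated).

```python
import re
from collections import Counter

# Constructed sample: a handful of lines in the shape of the OTL fix log posted
# above, with paths and the user SID shortened. Not the complete log.
SAMPLE_LOG = """\
========== FILES ==========
C:\\Program Files (x86)\\Dell DataSafe Local Backup\\hstart.exe moved successfully.
File\\Folder C:\\Program Files (x86)\\Vuze not found.
< ipconfig flushdns /c >
Error: unrecognized or incomplete command line.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\\Software\\Conduit\\ deleted successfully.
Registry value HKEY_CURRENT_USER\\Software\\Classes\\BC\\DefaultIcon\\\\@ deleted successfully.
Registry value HKEY_USERS\\S-1-5-21-1001\\Software\\Classes\\BC\\DefaultIcon\\\\@ not found.
HKEY_CURRENT_USER\\Software\\Classes\\Magnet\\shell\\open\\command\\\\"@"|""C:\\Program Files (x86)\\Vuze\\Azureus.exe" "%1"" /E : value set successfully!
========== COMMANDS ==========
HOSTS file reset successfully
"""

# Constructed sample: an excerpt of a fix script in the shape of the one above,
# including the line that set a value instead of deleting it.
SAMPLE_SCRIPT = """\
:Reg
[-HKEY_CURRENT_USER\\Software\\Conduit]
[HKEY_CURRENT_USER\\Software\\Classes\\Magnet\\DefaultIcon]
@=-
[HKEY_CURRENT_USER\\Software\\Classes\\Magnet\\shell\\open\\command]
"@"=""C:\\Program Files (x86)\\Vuze\\Azureus.exe" "%1""
:Commands
[emptytemp]
"""

# Outcome phrases as they appear in the posted log, most specific first.
LINE_PATTERNS = [
    ("deleted", re.compile(r" deleted successfully\.$")),
    ("moved", re.compile(r" moved successfully\.$")),
    ("not_found", re.compile(r" not found\.?$")),
    ("value_set", re.compile(r" value set successfully!$")),
    ("cmd_error", re.compile(r"^Error: ")),
]


def classify(line):
    """Return the outcome kind for one log line, or None for headers/echoes."""
    for name, pattern in LINE_PATTERNS:
        if pattern.search(line):
            return name
    return None


def summarize_fix_log(text):
    """Count outcomes and return the lines a helper should look at twice:
    values that were *set* by a removal script, and commands that errored."""
    counts = Counter()
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        if kind in ("value_set", "cmd_error"):
            flagged.append((kind, line))
    return counts, flagged


def lint_reg_section(script):
    """Return (line_no, line) for every :Reg value line that does not end in
    '=-'. Per the log above, '[-KEY]' deletes a key and 'NAME=-' deletes a
    value; 'NAME="..."' writes a value, which a clean-up script should not do."""
    problems = []
    in_reg = False
    for number, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":"):            # section marker such as :Reg / :Commands
            in_reg = line.lower() == ":reg"
            continue
        if not in_reg or not line or line.startswith("["):
            continue                         # key header or other section
        _name, sep, value = line.partition("=")
        if sep and value != "-":
            problems.append((number, line))
    return problems


if __name__ == "__main__":
    counts, flagged = summarize_fix_log(SAMPLE_LOG)
    print(dict(counts))
    for kind, line in flagged:
        print(f"{kind}: {line}")
    for number, line in lint_reg_section(SAMPLE_SCRIPT):
        print(f"script line {number} writes a value: {line}")
```

Run the lint over the whole script before pasting it into OTL; run the summary over the fix log afterwards. A non-empty `flagged` list means at least one entry was set rather than removed or a command did not run, so the fix needs a second pass, which is what happened in this thread.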

Re: Final stages of ransomware removal

Unread postby Gary R » October 29th, 2012, 7:20 pm

Just one last thing to do before we finish, then I'll post you instructions for how to remove the programs we've been using on your computer, and give a few hints for staying safer online.

I mistyped one of my commands in the last fix, so we need to run the command again (this time without the mistype).

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
:Files
ipconfig /flushdns /c

:Commands
[ClearAllRestorePoints]


  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so; if it does, re-boot your computer. A log will be produced upon re-boot.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Final stages of ransomware removal

Unread postby ColinL » October 29th, 2012, 7:37 pm

Thanks for your help with this. Log is below:

========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Jacklyn\Desktop\cmd.bat deleted successfully.
C:\Users\Jacklyn\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 10292012_233517
ColinL
Active Member
 
Posts: 12
Joined: October 19th, 2012, 2:51 pm

Re: Final stages of ransomware removal

Unread postby Gary R » October 30th, 2012, 2:13 am

OK, time for a bit of housekeeping and then you're clear to go.

Let's clear out OTL and the files and folders it created. This should also remove TDSSKiller and SystemLook.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes.
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are, let me know about them.
  • If not, it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Final stages of ransomware removal

Unread postby Gary R » October 31st, 2012, 12:20 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire