
Ransomware Infection

Discussion in 'Virus & Other Malware Removal' started by Tommy0421, Jan 28, 2015.

  1. Tommy0421

    Tommy0421 Thread Starter

    Joined:
    Jan 15, 2015
    Messages:
    33
    When it rains it pours.

    After years of relatively easy sailing, lately I have had a couple of problems come up. Yesterday I had a ransomware program downloaded to my computer. All my Word files, PDFs and JPGs are now encrypted. (I have them backed up on a thumb drive.) I got what I guess is the usual warning:

    Along with instructions on how to contact tostotor dot com and obtain, for $$$, the private encryption key.

    Instead I ran several scan programs. F-Secure found a couple of things and RansomFix32 removed four registry entries. I then ran a Microsoft Malware program (KB890830 - V.5 20) and that came up clean. I re-ran F-Secure and RansomFix32 a second time and they didn't find anything. My computer and my Internet connection seem to be working normally.

    This morning when I turned on my computer I got several Help_Decrypt popups -- a Notepad file and a PDF -- and Firefox opened by itself and tried to connect to tostotor (I closed it). I ran a Farbar Recovery scan (it didn't remove anything) but I removed four items I saw on the startup menu (highlighted in red). When I rebooted, the Help_Decrypt popups didn't open, nor did Firefox try to connect with tostotor.

    Apparently something is still in there. I also see some things on the Farbar scan that look suspicious. If anyone can help me I'd be very appreciative. (In the scan below I dotted out the user name.)

    Here's my system information:
    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
    Processor: Intel(R) Celeron(R) CPU 2.40GHz, x86 Family 15 Model 2 Stepping 9
    Processor Count: 1
    RAM: 509 Mb
    Graphics Card: Intel(R) 82845G/GL/GE/PE/GV Graphics Controller, 64 Mb
    Hard Drives: C: Total - 34506 MB, Free - 4789 MB;
    Motherboard: Dell Computer Corp., 0K5148
    Antivirus: None

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01
    Ran by (administrator) on HOME on 28-01-2015 10:48:33
    Running from C:\Documents and Settings\....\My Documents\Downloads
    Loaded Profiles: (Available profiles: .....)
    Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
    Internet Explorer Version 8 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (brother Industries Ltd) C:\WINDOWS\SYSTEM32\BRSVC01A.EXE
    (Lexmark International, Inc.) C:\WINDOWS\SYSTEM32\LEXBCES.EXE
    (brother Industries Ltd) C:\WINDOWS\SYSTEM32\BRSS01A.EXE
    (Lexmark International, Inc.) C:\WINDOWS\SYSTEM32\LEXPPS.EXE
    (Intel Corporation) C:\WINDOWS\SYSTEM32\hkcmd.exe
    (Western Digital Technologies, Inc.) C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
    (Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\msiexec.exe
    (AOL Inc.) C:\Program Files\Common Files\AOL\1386822452\ee\aolsoftware.exe
    (Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
    (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
    (Microsoft® Corporation) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    (Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
    (America Online, Inc.) C:\WINDOWS\wanmpsvc.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    (GEMTEKS) C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
    (Cisco Linksys Corporation) C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
    (Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\msiexec.exe
    (AOL Inc.) C:\Program Files\Common Files\AOL\1386822452\ee\aolupdates.exe
    () C:\Documents and Settings\User\My Documents\Downloads\zoek.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\cmd.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\cmd.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\mshta.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [PCMService] => "C:\Program Files\Dell\Media Experience\PCMService.exe"
    HKLM\...\Run: [MMTray] => "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
    HKLM\...\Run: [BO1HelperStartUp] => C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
    HKLM\...\Run: [WD Button Manager] => C:\WINDOWS\system32\WDBtnMgr.exe [331776 2006-12-03] (Western Digital Technologies, Inc.)
    HKLM\...\Run: [AOLDialer] => C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [70760 2014-02-06] (AOL Inc.)
    HKLM\...\Run: [IPHSend] => C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [126104 2006-03-27] (America Online, Inc.)
    HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM\...\Run: [HostManager] => C:\Program Files\Common Files\AOL\1386822452\ee\AOLSoftware.exe [41800 2010-03-08] (AOL Inc.)
    HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
    HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
    Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
    HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 224 more characters). <==== ATTENTION!
    HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^A4EAAA==n{[email protected]#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*[email protected]#@&S4k^+cne'c+b @#@&`@#@&[email protected]#@&i @#@&di (the data entry has 32951 more characters). <==== ATTENTION!
    InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
    HKLM\...\Policies\Explorer\Run: [11317936] => C:\Documents and Settings\All Users\msphn.exe [116736 2010-12-09] ( ())
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [msnmsgr] => "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [SpybotSD TeaTimer] => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-10-22] (Google Inc.)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Elhstion] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\.....\Local Settings\Application Data\Ohdnics\ep0lvr1t.dll"
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Odkhics] => regsvr32.exe "C:\Documents and Settings\......\Local Settings\Application Data\Odkhics\BRIBFFM00.DLL"
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [RSA815694720] => C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\.....\Application Data\Microsoft\Crypto\RSA\RSA815694720.dll",DllInitialize
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [AOL Fast Start] => C:\Program Files\AOL Desktop 9.7a\AOL.EXE [72296 2014-08-19] (AOL Inc.)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Google Update**.d<*>] => "C:\Documents and Settings\.....\Local Settings\Application Data\Google\Desktop\Install\{d23d6ab3-5ace-3265-1a93-d8dca11f5f67}\# \GoogleUpdate.exe" > <===== ATTENTION (Value Name with invalid characters)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer\Run: [11317936] => C:\Documents and Settings\.....\Application Data\msphn.exe [158349 2015-01-27] (loplkjyhtg)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\MountPoints2: {00da99a9-264b-11e0-bc13-00038a000015} - E:\LaunchU3.exe -a
    HKU\S-1-5-18\...\Run: [AOL Fast Start] => "C:\Program Files\America Online 9.0\AOL.EXE" -b
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    ShortcutTarget: Microsoft Works Calendar Reminders.lnk -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (Microsoft® Corporation)
    Startup: C:\Documents and Settings\......\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
    Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
    Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
    InternetURL: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/Y0asb3

    Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.aol.com/34561-111/aol-6/en-us/Suite.aspx
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.com/?ncid=customie8
    URLSearchHook: HKLM - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll No File
    URLSearchHook: HKU\S-1-5-21-201643229-4220724790-121854142-1006 - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll No File
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: AOL Toolbar Loader -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} -> C:\Program Files\AOL Toolbar\aoltb.dll No File
    BHO: No Name -> {53707962-6F74-2D53-2644-206D7942484F} -> No File
    BHO: No Name -> {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -> No File
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\j2re1.4.2_03\bin\ssv.dll No File
    BHO: ST -> {9394EDE7-C8B5-483E-8773-474BF36AF6E4} -> C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
    BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: MSNToolBandBHO -> {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\j2re1.4.2_03\bin\jp2ssv.dll No File
    Toolbar: HKLM - MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
    Toolbar: HKLM - AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll No File
    Toolbar: HKU\S-1-5-21-201643229-4220724790-121854142-1006 -> AOL Toolbar - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll No File
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\.....\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296
    FF Homepage: https://mail.google.com/mail/u/0/?shva=1#inbox
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
    FF Extension: Bitdefender QuickScan - C:\Documents and Settings\THELMA NUNEZ\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2015-01-27]
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-10-22]

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46184 2014-02-06] (AOL Inc.)
    R2 Brother XP spl Service; C:\WINDOWS\system32\brsvc01a.exe [57344 2001-11-22] (brother Industries Ltd)
    S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
    R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2004-03-04] (Lexmark International, Inc.) [File not signed]
    S3 SystemUpdate; C:\WINDOWS\FrameworkUpdate\Update.exe [274944 2015-01-27] (Company name goes here) [File not signed]
    R2 WANMiniportService; C:\WINDOWS\wanmpsvc.exe [65536 2001-11-26] (America Online, Inc.) [File not signed]
    S3 FUDWTHMPRWIE; C:\DOCUME~1\.....~1\LOCALS~1\Temp\FUDWTHMPRWIE.exe [X]
    S2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [X]
    R2 WUSB54GSVC; "C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
    S3 bvrp_pci; C:\WINDOWS\system32\Drivers\bvrp_pci.sys [4272 2003-08-28] ()
    R0 fsbts; C:\WINDOWS\System32\Drivers\fsbts.sys [44240 2015-01-15] ()
    R3 GTNDIS5; C:\WINDOWS\system32\GTNDIS5.SYS [15872 2003-09-25] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
    R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2002-11-08] (Dell Computer Corporation) [File not signed]
    S3 PRISM_A02; C:\WINDOWS\System32\DRIVERS\WUSB20XP.sys [339488 2004-01-07] (Cisco-Linksys, LLC.)
    R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20576 2005-10-07] (Sonic Solutions) [File not signed]
    R3 senfilt; C:\WINDOWS\System32\drivers\senfilt.sys [381056 2004-04-26] (Sensaura)
    S3 SONYPVU1; C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
    R3 wanatw; C:\WINDOWS\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
    R3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [120830 2003-10-08] (Intel Corporation)
    R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [98842 2003-10-08] (Intel Corporation)
    S3 BS815694720; \??\C:\DOCUME~1\.....~1\LOCALS~1\Temp\NTFS.sys [X]
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    S3 SDDMI2; \??\C:\WINDOWS\system32\DDMI2.sys [X]
    U1 WS2IFSL; No ImagePath

    ==================== NetSvcs (Whitelisted) ===================


    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
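    A defender-side triage of the Registry and Startup lines in the log above, written as an added example for this thread (not FRST's code and not from any post): it flags the persistence patterns a helper reads off such a log, namely regsvr32/rundll32 loading DLLs out of the user profile, autostarts under Policies\Explorer\Run, Group Policy software restrictions (aimed in this log at AV vendor folders), System Restore disabled by policy, and HELP_DECRYPT notes in the Startup folder. The sample lines are copied from the post; the reason strings and heuristics are my own.

```python
"""Triage the Registry and Startup lines of an FRST log for ransomware persistence."""
import re
from dataclasses import dataclass

# Constructed sample in the shape FRST prints, copied from the posted log with
# the user name dotted out as in the post.  Two benign lines (QuickTime Task,
# swg) are included so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [11317936] => C:\Documents and Settings\All Users\msphn.exe [116736 2010-12-09] ( ())
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Elhstion] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\.....\Local Settings\Application Data\Ohdnics\ep0lvr1t.dll"
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [RSA815694720] => C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\.....\Application Data\Microsoft\Crypto\RSA\RSA815694720.dll",DllInitialize
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-10-22] (Google Inc.)
Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
"""

# Reason strings are constants so callers (and tests) can match on them.
R_POLICY_RUN = "autostart under Policies\\Explorer\\Run, an unusual location on a home PC"
R_PROXY_DLL = "regsvr32/rundll32 loading a DLL from a user-profile data folder"
R_NO_PUBLISHER = "no publisher recorded for the launched file"
R_HIDE_ALERTS = "policy hides Security Center / taskbar notifications"
R_SRP_BLOCK = "Group Policy software restriction on a program folder"
R_NO_RESTORE = "System Restore disabled by policy"
R_RANSOM_NOTE = "HELP_DECRYPT ransom note planted in the Startup folder"

# Line shapes as FRST prints them (hypothetical parser, matched against the log above).
HIVE = r"(?P<hive>HKLM|HKU\\S-1-5-[\d-]+)"
RUN_RE = re.compile(HIVE + r"\\\.\.\.\\(?P<key>Run|Policies\\Explorer\\Run): "
                    r"\[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
POLICY_RE = re.compile(HIVE + r"\\\.\.\.\\Policies\\Explorer: \[(?P<name>[^\]]+)\] (?P<value>\S+)$")
SRP_RE = re.compile(r"^HKLM Group Policy restriction on software: (?P<path>.+?) <=+ ATTENTION$")
SYSRESTORE_RE = re.compile(r"SystemRestore: \[DisableSR")
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?) \(\)$")
PUBLISHER_RE = re.compile(r"\((?P<pub>[^()]*)\)$")   # FRST's trailing "(Company)"

# Folders where a legitimate autostart DLL almost never lives on Windows XP.
USER_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
PROXY_LOADERS = ("regsvr32", "rundll32")


@dataclass
class Finding:
    name: str        # value name, or the path for folder/startup entries
    line: str
    reasons: list


def triage_line(line):
    """Return (identifier, reasons) for one FRST line; reasons is [] if benign."""
    m = RUN_RE.match(line)
    if m:
        reasons = []
        low = m["cmd"].lower()
        if m["key"] != "Run":
            reasons.append(R_POLICY_RUN)
        if any(p in low for p in PROXY_LOADERS) and any(d in low for d in USER_DIRS):
            reasons.append(R_PROXY_DLL)
        pub = PUBLISHER_RE.search(m["cmd"])
        if pub is None or not pub["pub"].strip():
            reasons.append(R_NO_PUBLISHER)
        return m["name"], reasons
    m = POLICY_RE.match(line)
    if m and m["name"] in ("HideSCAHealth", "TaskbarNoNotification") and m["value"] == "1":
        return m["name"], [R_HIDE_ALERTS]
    m = SRP_RE.match(line)
    if m:
        return m["path"], [R_SRP_BLOCK]
    if SYSRESTORE_RE.search(line):
        return "SystemRestore", [R_NO_RESTORE]
    m = STARTUP_RE.match(line)
    if m and "help_decrypt" in m["path"].lower():
        return m["path"], [R_RANSOM_NOTE]
    return None, []


def triage(log_text):
    """Run triage_line over a whole log and keep only the lines with findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            name, reasons = triage_line(line)
            if reasons:
                findings.append(Finding(name, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}]")
        for r in f.reasons:
            print("   -", r)
```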
     
  2. Tommy0421

    Tommy0421 Thread Starter

    Joined:
    Jan 15, 2015
    Messages:
    33
    I guess I was too optimistic. This opened on my desktop a little while ago:

    [IMG]

    Nasty looking, ain't it? Then all the Encrypt popups popped up again. :(

    I just ran FixRansom32 again and it found two registry keys but I'm wondering if there isn't something else. Something else that is reloading the popups once I have deleted the entries on the startup menu.
     
  3. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    The FRST.txt is incomplete. Check this file for more text.

    Read here about the CTB-Locker.
     
  4. Tommy0421

    Tommy0421 Thread Starter

    Joined:
    Jan 15, 2015
    Messages:
    33
    Sorry about that. I'm repasting what I hope is the entire log.

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01
    Ran by ..... (administrator) on HOME on 28-01-2015 10:48:33
    Running from C:\Documents and Settings\.....\My Documents\Downloads
    Loaded Profiles: ..... (Available profiles: .....)
    Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
    Internet Explorer Version 8 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (brother Industries Ltd) C:\WINDOWS\SYSTEM32\BRSVC01A.EXE
    (Lexmark International, Inc.) C:\WINDOWS\SYSTEM32\LEXBCES.EXE
    (brother Industries Ltd) C:\WINDOWS\SYSTEM32\BRSS01A.EXE
    (Lexmark International, Inc.) C:\WINDOWS\SYSTEM32\LEXPPS.EXE
    (Intel Corporation) C:\WINDOWS\SYSTEM32\hkcmd.exe
    (Western Digital Technologies, Inc.) C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
    (Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\msiexec.exe
    (AOL Inc.) C:\Program Files\Common Files\AOL\1386822452\ee\aolsoftware.exe
    (Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
    (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
    (Microsoft® Corporation) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    (Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
    (America Online, Inc.) C:\WINDOWS\wanmpsvc.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    (GEMTEKS) C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
    (Cisco Linksys Corporation) C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
    (Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\msiexec.exe
    (AOL Inc.) C:\Program Files\Common Files\AOL\1386822452\ee\aolupdates.exe
    () C:\Documents and Settings\.....\My Documents\Downloads\zoek.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\cmd.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\cmd.exe
    (Microsoft Corporation) C:\WINDOWS\SYSTEM32\mshta.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [PCMService] => "C:\Program Files\Dell\Media Experience\PCMService.exe"
    HKLM\...\Run: [MMTray] => "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
    HKLM\...\Run: [BO1HelperStartUp] => C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
    HKLM\...\Run: [WD Button Manager] => C:\WINDOWS\system32\WDBtnMgr.exe [331776 2006-12-03] (Western Digital Technologies, Inc.)
    HKLM\...\Run: [AOLDialer] => C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [70760 2014-02-06] (AOL Inc.)
    HKLM\...\Run: [IPHSend] => C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [126104 2006-03-27] (America Online, Inc.)
    HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM\...\Run: [HostManager] => C:\Program Files\Common Files\AOL\1386822452\ee\AOLSoftware.exe [41800 2010-03-08] (AOL Inc.)
    HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
    HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
    Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
    HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 224 more characters). <==== ATTENTION!
    HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^A4EAAA==n{[email protected]#@&l{xAPzmOk7+p6(L+1O`r?1.rwDRUtnVsE*[email protected]#@&S4k^+cne'[email protected]#@&`@#@&[email protected]#@&i @#@&di (the data entry has 32951 more characters). <==== ATTENTION!
    InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
    HKLM\...\Policies\Explorer\Run: [11317936] => C:\Documents and Settings\All Users\msphn.exe [116736 2010-12-09] ( ())
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [msnmsgr] => "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [SpybotSD TeaTimer] => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-10-22] (Google Inc.)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Elhstion] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\.....\Local Settings\Application Data\Ohdnics\ep0lvr1t.dll"
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Odkhics] => regsvr32.exe "C:\Documents and Settings\.....\Local Settings\Application Data\Odkhics\BRIBFFM00.DLL"
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [RSA815694720] => C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\.....\Application Data\Microsoft\Crypto\RSA\RSA815694720.dll",DllInitialize
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [AOL Fast Start] => C:\Program Files\AOL Desktop 9.7a\AOL.EXE [72296 2014-08-19] (AOL Inc.)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Google Update**.d<*>] => "C:\Documents and Settings\.....\Local Settings\Application Data\Google\Desktop\Install\{d23d6ab3-5ace-3265-1a93-d8dca11f5f67}\# \GoogleUpdate.exe" > <===== ATTENTION (Value Name with invalid characters)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer\Run: [11317936] => C:\Documents and Settings\.....\Application Data\msphn.exe [158349 2015-01-27] (loplkjyhtg)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\MountPoints2: {00da99a9-264b-11e0-bc13-00038a000015} - E:\LaunchU3.exe -a
    HKU\S-1-5-18\...\Run: [AOL Fast Start] => "C:\Program Files\America Online 9.0\AOL.EXE" -b
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    ShortcutTarget: Microsoft Works Calendar Reminders.lnk -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (Microsoft® Corporation)
    Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
    Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
    Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
    InternetURL: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/Y0asb3
    Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.aol.com/34561-111/aol-6/en-us/Suite.aspx
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.com/?ncid=customie8
    URLSearchHook: HKLM - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll No File
    URLSearchHook: HKU\S-1-5-21-201643229-4220724790-121854142-1006 - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll No File
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: AOL Toolbar Loader -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} -> C:\Program Files\AOL Toolbar\aoltb.dll No File
    BHO: No Name -> {53707962-6F74-2D53-2644-206D7942484F} -> No File
    BHO: No Name -> {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -> No File
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\j2re1.4.2_03\bin\ssv.dll No File
    BHO: ST -> {9394EDE7-C8B5-483E-8773-474BF36AF6E4} -> C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
    BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: MSNToolBandBHO -> {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\j2re1.4.2_03\bin\jp2ssv.dll No File
    Toolbar: HKLM - MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
    Toolbar: HKLM - AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll No File
    Toolbar: HKU\S-1-5-21-201643229-4220724790-121854142-1006 -> AOL Toolbar - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll No File
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\.....\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296
    FF Homepage: https://mail.google.com/mail/u/0/?shva=1#inbox
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
    FF Extension: Bitdefender QuickScan - C:\Documents and Settings\.....\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2015-01-27]
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-10-22]

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46184 2014-02-06] (AOL Inc.)
    R2 Brother XP spl Service; C:\WINDOWS\system32\brsvc01a.exe [57344 2001-11-22] (brother Industries Ltd)
    S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
    R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2004-03-04] (Lexmark International, Inc.) [File not signed]
    S3 SystemUpdate; C:\WINDOWS\FrameworkUpdate\Update.exe [274944 2015-01-27] (Company name goes here) [File not signed]
    R2 WANMiniportService; C:\WINDOWS\wanmpsvc.exe [65536 2001-11-26] (America Online, Inc.) [File not signed]
    S3 FUDWTHMPRWIE; C:\DOCUME~1\THELMA~1\LOCALS~1\Temp\FUDWTHMPRWIE.exe [X]
    S2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [X]
    R2 WUSB54GSVC; "C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
    S3 bvrp_pci; C:\WINDOWS\system32\Drivers\bvrp_pci.sys [4272 2003-08-28] ()
    R0 fsbts; C:\WINDOWS\System32\Drivers\fsbts.sys [44240 2015-01-15] ()
    R3 GTNDIS5; C:\WINDOWS\system32\GTNDIS5.SYS [15872 2003-09-25] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
    R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2002-11-08] (Dell Computer Corporation) [File not signed]
    S3 PRISM_A02; C:\WINDOWS\System32\DRIVERS\WUSB20XP.sys [339488 2004-01-07] (Cisco-Linksys, LLC.)
    R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20576 2005-10-07] (Sonic Solutions) [File not signed]
    R3 senfilt; C:\WINDOWS\System32\drivers\senfilt.sys [381056 2004-04-26] (Sensaura)
    S3 SONYPVU1; C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
    R3 wanatw; C:\WINDOWS\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
    R3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [120830 2003-10-08] (Intel Corporation)
    R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [98842 2003-10-08] (Intel Corporation)
    S3 BS815694720; \??\C:\DOCUME~1\THELMA~1\LOCALS~1\Temp\NTFS.sys [X]
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    S3 SDDMI2; \??\C:\WINDOWS\system32\DDMI2.sys [X]
    U1 WS2IFSL; No ImagePath

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-01-28 10:39 - 2015-01-28 10:39 - 00000938 _____ () C:\Documents and Settings\.....\Desktop\Shortcut to zoek.lnk
    2015-01-28 10:39 - 2015-01-28 10:39 - 00000000 ___DC () C:\zoek_backup
    2015-01-28 00:23 - 2015-01-28 00:23 - 00001032 _____ () C:\Documents and Settings\.....\Desktop\Shortcut to Windows-KB890830-V5.20.lnk
    2015-01-27 21:19 - 2015-01-27 21:19 - 00000036 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\housecall.guid.cache
    2015-01-27 21:05 - 2015-01-27 21:05 - 00000977 _____ () C:\Documents and Settings\.....\Desktop\Shortcut to RansomFix32.lnk
    2015-01-27 19:59 - 2015-01-27 20:27 - 00022316 ____C () C:\Report 2015-01-27 19.59.03.txt
    2015-01-27 19:59 - 2015-01-27 19:59 - 00000000 ____D () C:\Documents and Settings\.....\Application Data\QuickScan
    2015-01-27 19:42 - 2015-01-27 23:22 - 00000701 _____ () C:\Documents and Settings\.....\Desktop\Shortcut to mbam-setup-2.0.4.1028.lnk
    2015-01-27 18:44 - 2015-01-27 18:44 - 00000972 _____ () C:\Documents and Settings\.....\Desktop\Shortcut to mssstool32.lnk
    2015-01-27 17:18 - 2015-01-27 17:18 - 00004204 _____ () C:\Documents and Settings\.....\Desktop\HELP_DECRYPT.TXT
    2015-01-27 17:17 - 2015-01-27 17:17 - 00008528 ____C () C:\HELP_DECRYPT.HTML
    2015-01-27 17:17 - 2015-01-27 17:17 - 00004204 ____C () C:\HELP_DECRYPT.TXT
    2015-01-27 17:17 - 2015-01-27 17:17 - 00000272 ____C () C:\HELP_DECRYPT.URL
    2015-01-27 15:31 - 2015-01-27 15:31 - 00008528 _____ () C:\Documents and Settings\.....\My Documents\HELP_DECRYPT.HTML
    2015-01-27 15:31 - 2015-01-27 15:31 - 00008528 _____ () C:\Documents and Settings\.....\HELP_DECRYPT.HTML
    2015-01-27 15:31 - 2015-01-27 15:31 - 00008528 _____ () C:\Documents and Settings\HELP_DECRYPT.HTML
    2015-01-27 15:31 - 2015-01-27 15:31 - 00004204 _____ () C:\Documents and Settings\.....\My Documents\HELP_DECRYPT.TXT
    2015-01-27 15:31 - 2015-01-27 15:31 - 00004204 _____ () C:\Documents and Settings\.....\HELP_DECRYPT.TXT
    2015-01-27 15:31 - 2015-01-27 15:31 - 00004204 _____ () C:\Documents and Settings\HELP_DECRYPT.TXT
    2015-01-27 15:31 - 2015-01-27 15:31 - 00000272 _____ () C:\Documents and Settings\.....\My Documents\HELP_DECRYPT.URL
    2015-01-27 15:31 - 2015-01-27 15:31 - 00000272 _____ () C:\Documents and Settings\.....\HELP_DECRYPT.URL
    2015-01-27 15:31 - 2015-01-27 15:31 - 00000272 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
    2015-01-27 13:10 - 2015-01-27 13:10 - 00008528 _____ () C:\Documents and Settings\.....\Local Settings\HELP_DECRYPT.HTML
    2015-01-27 13:10 - 2015-01-27 13:10 - 00008528 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-01-27 13:10 - 2015-01-27 13:10 - 00001376 _____ () C:\Documents and Settings\.....\Local Settings\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 13:10 - 2015-01-27 13:10 - 00001376 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 13:10 - 2015-01-27 13:10 - 00000272 _____ () C:\Documents and Settings\.....\Local Settings\HELP_DECRYPT.URL
    2015-01-27 13:10 - 2015-01-27 13:10 - 00000272 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-01-27 12:30 - 2015-01-27 12:30 - 00008528 _____ () C:\Documents and Settings\.....\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:30 - 2015-01-27 12:30 - 00001376 _____ () C:\Documents and Settings\.....\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:30 - 2015-01-27 12:30 - 00000272 _____ () C:\Documents and Settings\.....\Application Data\HELP_DECRYPT.URL
    2015-01-27 12:21 - 2015-01-27 16:11 - 00799067 _____ () C:\Documents and Settings\All Users\Application Data\wdjnyee.html
    2015-01-27 12:12 - 2015-01-27 12:12 - 00008528 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.HTML
    2015-01-27 12:12 - 2015-01-27 12:12 - 00008528 _____ () C:\Documents and Settings\NetworkService\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:12 - 2015-01-27 12:12 - 00008528 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.HTML
    2015-01-27 12:12 - 2015-01-27 12:12 - 00008528 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:12 - 2015-01-27 12:12 - 00008528 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.HTML
    2015-01-27 12:12 - 2015-01-27 12:12 - 00001376 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:12 - 2015-01-27 12:12 - 00001376 _____ () C:\Documents and Settings\NetworkService\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:12 - 2015-01-27 12:12 - 00001376 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:12 - 2015-01-27 12:12 - 00001376 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:12 - 2015-01-27 12:12 - 00001376 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:12 - 2015-01-27 12:12 - 00000272 _____ () C:\Documents and Settings\NetworkService\HELP_DECRYPT.URL
    2015-01-27 12:12 - 2015-01-27 12:12 - 00000272 _____ () C:\Documents and Settings\NetworkService\Application Data\HELP_DECRYPT.URL
    2015-01-27 12:12 - 2015-01-27 12:12 - 00000272 _____ () C:\Documents and Settings\LocalService\Local Settings\HELP_DECRYPT.URL
    2015-01-27 12:12 - 2015-01-27 12:12 - 00000272 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-01-27 12:12 - 2015-01-27 12:12 - 00000272 _____ () C:\Documents and Settings\LocalService\HELP_DECRYPT.URL
    2015-01-27 12:11 - 2015-01-27 12:11 - 00008528 _____ () C:\Documents and Settings\LocalService\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:11 - 2015-01-27 12:11 - 00008528 _____ () C:\Documents and Settings\Default User\My Documents\HELP_DECRYPT.HTML
    2015-01-27 12:11 - 2015-01-27 12:11 - 00008528 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
    2015-01-27 12:11 - 2015-01-27 12:11 - 00001376 _____ () C:\Documents and Settings\LocalService\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:11 - 2015-01-27 12:11 - 00001376 _____ () C:\Documents and Settings\Default User\My Documents\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:11 - 2015-01-27 12:11 - 00001376 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:11 - 2015-01-27 12:11 - 00000272 _____ () C:\Documents and Settings\LocalService\Application Data\HELP_DECRYPT.URL
    2015-01-27 12:11 - 2015-01-27 12:11 - 00000272 _____ () C:\Documents and Settings\Default User\My Documents\HELP_DECRYPT.URL
    2015-01-27 12:11 - 2015-01-27 12:11 - 00000272 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
    2015-01-27 12:02 - 2015-01-27 12:02 - 00008528 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.HTML
    2015-01-27 12:02 - 2015-01-27 12:02 - 00008528 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:02 - 2015-01-27 12:02 - 00008528 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:02 - 2015-01-27 12:02 - 00008528 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
    2015-01-27 12:02 - 2015-01-27 12:02 - 00008528 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:02 - 2015-01-27 12:02 - 00001376 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:02 - 2015-01-27 12:02 - 00001376 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:02 - 2015-01-27 12:02 - 00001376 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:02 - 2015-01-27 12:02 - 00001376 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:02 - 2015-01-27 12:02 - 00001376 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:02 - 2015-01-27 12:02 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
    2015-01-27 12:02 - 2015-01-27 12:02 - 00000272 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-01-27 12:02 - 2015-01-27 12:02 - 00000272 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
    2015-01-27 12:02 - 2015-01-27 12:02 - 00000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
    2015-01-27 12:02 - 2015-01-27 12:02 - 00000272 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
    2015-01-27 11:42 - 2015-01-27 11:42 - 00000480 ____H () C:\Documents and Settings\.....\Application Data\&#40637;&#37778;&#39379;&#35228;
    2015-01-27 11:42 - 2015-01-27 11:42 - 00000000 ____D () C:\WINDOWS\FrameworkUpdate
    2015-01-26 22:17 - 2015-01-26 22:18 - 00014656 _____ () C:\Documents and Settings\.....\Desktop\Miss Egypt 2014.JPG.qjqzead
    2015-01-26 20:45 - 2015-01-26 20:46 - 00020176 _____ () C:\Documents and Settings\.....\Desktop\Miss Arab (Morocco) 2015.JPG.qjqzead
    2015-01-26 20:32 - 2015-01-26 20:34 - 00018880 _____ () C:\Documents and Settings\.....\Desktop\Miss Universe Pic.JPG.qjqzead
    2015-01-26 12:28 - 2015-01-26 12:31 - 00000000 ____D () C:\Program Files\Mozilla Firefox
    2015-01-25 17:42 - 2015-01-25 17:42 - 00013808 _____ () C:\Documents and Settings\.....\Desktop\Saludos desde New York.DOCX.qjqzead
    2015-01-24 10:30 - 2015-01-24 10:29 - 00090112 _____ () C:\WINDOWS\Minidump\Mini012415-01.dmp
    2015-01-24 00:29 - 2015-01-28 10:48 - 00000000 ___DC () C:\FRST
    2015-01-22 20:16 - 2015-01-27 12:56 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\TRAINS CNJ 0356
    2015-01-19 21:44 - 2015-01-19 21:44 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011915-01.dmp
    2015-01-17 14:28 - 2015-01-27 13:07 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yonkers Buses
    2015-01-17 00:03 - 2015-01-17 00:03 - 00000000 ____D () C:\WINDOWS\pss
    2015-01-15 15:59 - 2015-01-15 15:58 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011515-02.dmp
    2015-01-15 14:19 - 2015-01-15 14:19 - 00044240 _____ () C:\WINDOWS\system32\Drivers\fsbts.sys
    2015-01-15 14:14 - 2015-01-15 14:14 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\F-Secure
    2015-01-15 10:25 - 2015-01-15 10:25 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011515-01.dmp
    2015-01-14 22:19 - 2015-01-28 09:05 - 00000000 ___DC () C:\AdwCleaner
    2015-01-13 17:29 - 2015-01-13 17:28 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011315-01.dmp
    2015-01-12 11:55 - 2015-01-12 11:55 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011215-01.dmp
    2015-01-10 16:49 - 2015-01-10 16:49 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Application Data\Odkhics
    2015-01-10 16:45 - 2015-01-15 14:56 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Application Data\Ohdnics
    2015-01-03 18:29 - 2015-01-27 13:07 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yonkers Feb NL
    2015-01-02 19:19 - 2015-01-02 19:19 - 13732528 _____ () C:\Documents and Settings\.....\Desktop\PRR CNJ Passenger Study 7-15-1959.PDF.qjqzead
    2014-12-29 15:34 - 2014-12-29 15:34 - 00000000 ____D () C:\Program Files\NVIDIA Corporation

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-01-28 10:54 - 2011-10-22 17:02 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2015-01-28 10:50 - 2004-11-22 11:40 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Temp
    2015-01-28 09:09 - 2011-10-22 17:02 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2015-01-28 09:08 - 2014-03-22 08:44 - 00000236 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
    2015-01-28 09:08 - 2006-07-12 12:56 - 00000444 _____ () C:\WINDOWS\Tasks\MSN Messenger 7.job
    2015-01-28 09:08 - 2004-11-16 19:43 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2015-01-28 09:06 - 2014-04-27 18:31 - 15728640 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
    2015-01-28 09:06 - 2004-11-22 11:40 - 00000278 ___SH () C:\Documents and Settings\.....\NTUSER.INI
    2015-01-28 09:06 - 2004-11-16 19:43 - 01224703 _____ () C:\WINDOWS\WindowsUpdate.log
    2015-01-28 09:06 - 2004-11-16 19:43 - 00032578 _____ () C:\WINDOWS\SchedLgU.Txt
    2015-01-28 08:53 - 2004-11-16 19:26 - 00000000 ____D () C:\WINDOWS\system32\Restore
    2015-01-28 02:09 - 2012-05-05 23:47 - 00131072 _____ () C:\WINDOWS\system32\config\OAlerts.evt
    2015-01-27 23:57 - 2014-11-25 18:24 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NYNL 2015
    2015-01-27 23:52 - 2004-11-16 19:26 - 00000000 ____D () C:\WINDOWS\system32\FxsTmp
    2015-01-27 18:39 - 2006-11-03 10:31 - 00283074 _____ () C:\WINDOWS\setupapi.log
    2015-01-27 17:17 - 2006-12-03 13:31 - 00000000 ____D () C:\Retrospect
    2015-01-27 16:38 - 2011-10-22 17:02 - 00000000 ____D () C:\Program Files\Google
    2015-01-27 16:22 - 2004-11-16 19:24 - 00000000 ____D () C:\I386
    2015-01-27 16:13 - 2004-08-10 13:59 - 00000216 ____C () C:\WINDOWS\WIADEBUG.LOG
    2015-01-27 16:13 - 2004-08-10 13:59 - 00000049 ____C () C:\WINDOWS\WIASERVC.LOG
    2015-01-27 16:07 - 2013-03-21 10:09 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\RRG
    2015-01-27 15:31 - 2012-02-11 21:39 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\RR_Stuff
    2015-01-27 15:31 - 2004-11-22 11:40 - 00000000 ____D () C:\Documents and Settings\.....
    2015-01-27 15:12 - 2013-01-30 23:02 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Ry_Age
    2015-01-27 14:38 - 2013-02-11 12:19 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NYC_Stuff
    2015-01-27 14:31 - 2004-12-06 15:34 - 00000000 ____D () C:\Program Files\Microsoft Works
    2015-01-27 14:26 - 2014-12-27 21:16 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY Chapter Archive
    2015-01-27 14:26 - 2013-04-25 22:13 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\My Stuff
    2015-01-27 14:26 - 2012-06-11 21:51 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Erie_AGW
    2015-01-27 14:21 - 2012-01-20 21:00 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Buses
    2015-01-27 14:20 - 2012-11-26 20:56 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Application Data\Thunderbird
    2015-01-27 14:20 - 2012-10-22 18:20 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Application Data\Sun
    2015-01-27 14:20 - 2011-10-21 22:01 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Application Data\Mozilla
    2015-01-27 14:03 - 2011-10-28 19:42 - 00000000 ____D () C:\Documents and Settings\.....\Desktop\Tommy's
    2015-01-27 14:03 - 2011-10-22 17:02 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Application Data\Google
    2015-01-27 14:00 - 2006-09-11 10:51 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Application Data\AOL
    2015-01-27 13:54 - 2013-11-25 20:37 - 00000000 ____D () C:\Documents and Settings\.....\Desktop\MSR Relocation
    2015-01-27 13:54 - 2013-11-08 13:39 - 00000000 ____D () C:\Documents and Settings\.....\Desktop\MNR CT
    2015-01-27 13:53 - 2012-11-26 20:56 - 00000000 ____D () C:\Documents and Settings\.....\Application Data\Thunderbird
    2015-01-27 13:53 - 2011-10-21 22:01 - 00000000 ____D () C:\Documents and Settings\.....\Application Data\Mozilla
    2015-01-27 13:43 - 2014-11-15 20:01 - 00000000 ____D () C:\Documents and Settings\NetworkService\Application Data\McAfee
    2015-01-27 13:43 - 2004-12-09 11:50 - 00000000 ____D () C:\Documents and Settings\.....\Application Data\AOL
    2015-01-27 13:43 - 2004-11-16 19:28 - 00000000 __SHD () C:\Documents and Settings\NetworkService
    2015-01-27 13:42 - 2006-08-28 09:08 - 00000000 ____D () C:\Documents and Settings\LocalService\Application Data\AOL
    2015-01-27 13:42 - 2005-08-24 21:45 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Retrospect
    2015-01-27 13:42 - 2004-11-16 19:28 - 00000000 __SHD () C:\Documents and Settings\LocalService
    2015-01-27 13:42 - 2004-11-16 19:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SBSI
    2015-01-27 13:41 - 2014-11-15 22:35 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
    2015-01-27 13:41 - 2004-11-16 19:55 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AOL
    2015-01-27 13:13 - 2014-02-10 17:11 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\RLHS Stuff
    2015-01-27 13:13 - 2013-05-25 23:06 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Home
    2015-01-27 13:12 - 2014-06-10 22:43 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\McLeod
    2015-01-27 13:12 - 2004-11-22 10:15 - 00000000 ____D () C:\Program Files\New Folder
    2015-01-27 13:11 - 2014-06-22 00:10 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NYBM NYCN
    2015-01-27 13:10 - 2014-10-28 22:51 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Kittredge Home
    2015-01-27 13:10 - 2013-12-03 23:01 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NYNL 2014
    2015-01-27 13:10 - 2013-11-30 21:10 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY Chapter 2014
    2015-01-27 13:10 - 2013-10-28 11:48 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yonkers Streetcars
    2015-01-27 13:10 - 2013-05-30 09:28 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY Stuff
    2015-01-27 13:09 - 2014-09-26 23:21 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yonkers Nov NL
    2015-01-27 13:09 - 2014-09-01 23:53 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Kaufman
    2015-01-27 13:09 - 2014-08-27 22:55 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yonkers Electrification
    2015-01-27 13:09 - 2014-03-30 17:00 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yonkers NYC
    2015-01-27 13:08 - 2014-10-25 11:49 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Warren Wetmore Stas NYC
    2015-01-27 13:07 - 2014-10-02 13:59 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yonkers Aband
    2015-01-27 13:05 - 2013-12-29 17:39 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Harlem Div
    2015-01-27 13:05 - 2013-10-15 00:45 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yonkers
    2015-01-27 13:04 - 2013-11-07 19:24 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\MNR-LIRR
    2015-01-27 13:03 - 2012-11-11 14:54 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Chicago_Suburban
    2015-01-27 13:02 - 2013-12-12 10:25 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Fog
    2015-01-27 13:02 - 2013-08-01 21:43 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NYNL 2013
    2015-01-27 13:02 - 2011-11-11 19:05 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NYNL
    2015-01-27 13:01 - 2013-08-13 22:51 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\PATH Plainfield
    2015-01-27 13:00 - 2012-09-04 21:05 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Cal_Guys
    2015-01-27 12:59 - 2013-08-28 14:19 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY Chap from Natl
    2015-01-27 12:58 - 2013-08-05 23:43 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NYP
    2015-01-27 12:57 - 2013-11-01 23:54 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\JREF.Intl
    2015-01-27 12:57 - 2004-11-16 20:01 - 00000000 ____D () C:\Program Files\WordPerfect Office 12
    2015-01-27 12:56 - 2012-05-08 17:15 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY_Chapter
    2015-01-27 12:55 - 2013-05-26 09:54 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Yard
    2015-01-27 12:54 - 2014-07-22 20:03 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NH NYC GCT
    2015-01-27 12:53 - 2014-12-01 00:10 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY Chapter 2015
    2015-01-27 12:52 - 2014-03-06 01:17 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\SML
    2015-01-27 12:50 - 2013-08-02 14:47 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\080213
    2015-01-27 12:46 - 2013-12-10 16:49 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY Chap Letters 2014
    2015-01-27 12:43 - 2013-12-06 12:14 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\Hell Gate
    2015-01-27 12:43 - 2013-02-07 18:12 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY Chap Letters
    2015-01-27 12:40 - 2014-12-18 20:53 - 00000000 ____D () C:\Documents and Settings\.....\My Documents\NY Chap Letters 2015
    2015-01-27 12:38 - 2005-10-15 12:48 - 00000000 ____D () C:\Program Files\LimeWire
    2015-01-27 12:34 - 2011-12-04 21:47 - 00000000 ____D () C:\Program Files\Windows Media Connect 2
    2015-01-27 12:25 - 2004-11-16 19:28 - 00000000 ____D () C:\Program Files\Outlook Express
    2015-01-27 12:24 - 2004-11-16 19:54 - 00000000 ____D () C:\Program Files\Modem Helper
    2015-01-27 12:23 - 2004-11-19 15:52 - 00000000 ____D () C:\Program Files\Common Files\ATX
    2015-01-27 11:46 - 2014-11-15 22:35 - 00000000 __HDC () C:\$AVG
    2015-01-27 11:46 - 2004-11-16 19:28 - 00000000 ____D () C:\DELL
    2015-01-27 11:42 - 2004-08-04 06:00 - 00158349 ___SH (loplkjyhtg) C:\Documents and Settings\.....\Application Data\msphn.exe
    2015-01-27 10:10 - 2012-05-05 09:12 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
    2015-01-25 16:41 - 2012-05-05 23:46 - 00002501 _____ () C:\Documents and Settings\.....\Desktop\Microsoft Word 2010.lnk
    2015-01-24 10:30 - 2005-05-12 16:30 - 00000000 ____D () C:\WINDOWS\Minidump
    2015-01-23 00:30 - 2004-08-10 14:08 - 00000178 __SHC () C:\Documents and Settings\NetworkService\NTUSER.INI
    2015-01-22 21:15 - 2011-10-23 11:02 - 00000284 _____ () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    2015-01-16 19:14 - 1998-05-28 13:03 - 00004400 ____C () C:\Report 2015-01-16 18.20.32.TXT.qjqzead
    2015-01-15 16:03 - 2011-10-22 13:24 - 00002461 _____ () C:\Documents and Settings\.....\Desktop\HiJackThis.lnk
    2015-01-15 13:13 - 1998-05-28 13:03 - 00012608 ____C () C:\Report 2015-01-15 12.24.45.TXT.qjqzead
    2015-01-15 00:14 - 2014-11-15 12:08 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
    2015-01-14 20:14 - 2006-12-07 15:09 - 00110240 ____C () C:\VETlog.dmp
    2015-01-14 20:14 - 1998-05-28 13:03 - 00058480 ____C () C:\VETlog.TXT.qjqzead
    2015-01-14 12:04 - 2014-11-18 17:38 - 00000000 ____D () C:\Program Files\Enigma Software Group
    2015-01-08 15:27 - 2014-03-22 08:44 - 00000230 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
    2015-01-03 18:02 - 2013-11-06 00:51 - 00014512 _____ () C:\Documents and Settings\.....\Desktop\NBN Story.DOCX.qjqzead
    2015-01-03 09:55 - 2014-08-20 14:32 - 00000000 ____D () C:\Documents and Settings\.....\Local Settings\Application Data\Adobe
    2014-12-31 13:15 - 2005-05-12 16:27 - 110348472 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

    ==================== Files in the root of some directories =======

    2005-11-07 15:36 - 2006-07-10 10:40 - 0005632 __SHC () C:\Program Files\Thumbs.db
    2015-01-27 12:30 - 2015-01-27 12:30 - 0008528 _____ () C:\Documents and Settings\.....\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:30 - 2015-01-27 12:30 - 0045558 _____ () C:\Documents and Settings\.....\Application Data\HELP_DECRYPT.PNG
    2015-01-27 12:30 - 2015-01-27 12:30 - 0001376 _____ () C:\Documents and Settings\.....\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:30 - 2015-01-27 12:30 - 0000272 _____ () C:\Documents and Settings\.....\Application Data\HELP_DECRYPT.URL
    2004-08-04 06:00 - 2015-01-27 11:42 - 0158349 ___SH (loplkjyhtg) C:\Documents and Settings\.....\Application Data\msphn.exe
    1980-01-01 01:00 - 2008-04-13 13:40 - 0000234 _____ () C:\Documents and Settings\.....\Application Data\PBS815694720.ini
    2004-11-23 15:32 - 2004-11-23 15:32 - 0012358 ____C () C:\Documents and Settings\.....\Application Data\PFP120JCM.{PB
    2004-11-23 15:32 - 2004-11-23 15:32 - 0061678 ____C () C:\Documents and Settings\.....\Application Data\PFP120JPR.{PB
    2015-01-27 11:42 - 2015-01-27 11:42 - 0000480 ____H () C:\Documents and Settings\.....\Application Data\&#40637;&#37778;&#39379;&#35228;
    2011-01-20 20:34 - 2013-03-22 12:11 - 0033792 ____C () C:\Documents and Settings\.....\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2015-01-27 13:10 - 2015-01-27 13:10 - 0008528 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-01-27 13:10 - 2015-01-27 13:10 - 0045558 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\HELP_DECRYPT.PNG
    2015-01-27 13:10 - 2015-01-27 13:10 - 0001376 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 13:10 - 2015-01-27 13:10 - 0000272 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-01-27 21:19 - 2015-01-27 21:19 - 0000036 _____ () C:\Documents and Settings\.....\Local Settings\Application Data\housecall.guid.cache
    2015-01-27 12:02 - 2015-01-27 12:02 - 0008528 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
    2015-01-27 12:02 - 2015-01-27 12:02 - 0045558 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
    2015-01-27 12:02 - 2015-01-27 12:02 - 0001376 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:02 - 2015-01-27 12:02 - 0000272 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
    2004-08-04 06:00 - 2010-12-09 10:15 - 0116736 ___SH () C:\Documents and Settings\All Users\msphn.exe
    ZeroAccess:
    C:\Documents and Settings\.....\Local Settings\Application Data\Google\Desktop\Install

    Files to move or delete:
    ====================
    C:\Documents and Settings\All Users\msphn.exe


    Some content of TEMP:
    ====================
    C:\Documents and Settings\.....\Local Settings\Temp\hpuninstaller.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End Of Log ============================
     
  5. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Make no changes yet. I am consulting with the experts in Ransomware.
     
  6. JSntgRvr (Retired Moderator and Malware Specialist)
    Other than the volume shadow copy, as explained in the link provided, there is no decryption resource to recover your files. All we can do is scan the computer and remove the files related to the ransomware. Let me know what you want to do.
     
  7. Tommy0421 (Thread Starter)
    Thanks very much. I won't make any changes.

    All my files are saved to a thumb drive that I had updated the night before I got attacked. I have a laptop with Windows7 which I use to safely access my files. The laptop is a small one used only for file storage (I have a lot of work-related files) and the laptop is not connected to the Internet. It is only for safe storage.

    I'm not too concerned with restoring the files encrypted on my Desktop. I'd like to, but if you're willing to help me, what I'd love to try to do is get rid of CBT Locker!

    Thanks again.
     
  8. JSntgRvr (Retired Moderator and Malware Specialist)
    Download the enclosed file. Save it in the same location FRST is saved. Open FRST and click on the Fix button. The tool will produce a log, fixlog.txt. Please post it on your next reply.

    If the log is too long, attempt to zip it and attach it to your reply. Else, upload it here

    Once done, re-scan with FRST and post the new FRST.txt log.
     

    Attached Files:

  9. Tommy0421 (Thread Starter)
    Thanks I'll do it right now.
     
  10. Tommy0421 (Thread Starter)
    I ran the fix and sent the fixlog.txt to "here." I had put it in a zip file and attached it to this message, but when I opened the file in preview it was in code, not text.

    I will run a new scan with FRST and post the result. Thanks again for all your help.
     
  11. Tommy0421 (Thread Starter)
    Here's my post-fix scan:

    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 28-01-2015 01
    Ran by .... at 2015-01-29 22:49:43
    Running from C:\Documents and Settings\....\My Documents\Downloads\FRST
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)


    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.152 - Adobe Systems Incorporated)
    Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated)
    Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
    AOL Coach Version 1.0(Build:20020605.1) (HKLM\...\AolCoach) (Version: - )
    AOL Toolbar (HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\AOL Toolbar) (Version: - )
    AOL Uninstaller (Choose which Products to Remove) (HKLM\...\AOL Uninstaller) (Version: - AOL Inc.)
    Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
    Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
    ATX / Kleinrock Tax Products (Remove Only) (HKLM\...\ATX Kleinrock Tax Products) (Version: - )
    Broadcom Management Programs (HKLM\...\InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}) (Version: 4.01.0000 - Broadcom)
    Broadcom Management Programs (Version: 4.01.0000 - Broadcom) Hidden
    Conexant D850 56K V.9x DFVc Modem (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1) (Version: - )
    Dell Driver Reset Tool (HKLM\...\{5905F42D-3F5F-4916-ADA6-94A3646AEE76}) (Version: 1.02.0000 - Dell Inc.)
    Dell Networking Guide (Version: 1.00.0001 - Dell) Hidden
    Dell ResourceCD (HKLM\...\{D78653C3-A8FF-415F-92E6-D774E634FF2D}) (Version: - )
    FoneSync (HKLM\...\FoneSync) (Version: - )
    Get High Speed Internet! (HKLM\...\{7A3F0566-5E05-4919-9C98-456F6B5CF831}) (Version: 1.00.0000 - Dell)
    Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
    Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
    Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
    HiJackThis (HKLM\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
    hp LaserJet 1000 (HKLM\...\{975C8028-51D8-44A9-9585-82E9810FE96A}) (Version: - )
    Intel(R) Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: - )
    Internet Explorer Default Page (Version: 1.00.03 - Dell Inc.) Hidden
    Java 2 Runtime Environment, SE v1.4.2_03 (HKLM\...\{7148F0A8-6813-11D6-A77B-00B0D0142030}) (Version: 1.4.2_03 - Sun Microsystems, Inc.)
    Java 7 Update 13 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217013FF}) (Version: 7.0.130 - Oracle)
    LaserJet 1020 series (HKLM\...\HP-LaserJet 1020 series) (Version: - )
    LaserJet 1020 series Setup (HKLM\...\{F61F2FAB-7CBB-4745-BC52-C9FB2A0F99EF}) (Version: - )
    Lernout & Hauspie TruVoice American English TTS Engine (HKLM\...\tv_enua) (Version: - )
    LiveUpdate 1.7 (Symantec Corporation) (HKLM\...\LiveUpdate1.7) (Version: - Symantec Corporation)
    Macromedia Flash Player 8 (HKLM\...\{6815FCDD-401D-481E-BA88-31B4754C2B46}) (Version: 8.0.22.0 - Macromedia)
    Macromedia Shockwave Player (HKLM\...\Macromedia Shockwave Player) (Version: - )
    McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
    Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version: - )
    Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
    Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
    Microsoft Office Home and Student 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Works 2001 Setup Launcher (HKLM\...\Works2001Setup) (Version: - )
    Microsoft Works 6.0 (HKLM\...\{F8D0829C-9C6F-11D3-8080-00C04FA329AA}) (Version: 06.00.1829 - Microsoft Corporation)
    Microsoft Works Suite Add-in for Microsoft Word (HKLM\...\{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}) (Version: 2.0.0.0000 - Microsoft Corporation)
    Modem Helper (HKLM\...\{7F142D56-3326-11D5-B229-002078017FBF}) (Version: 2.25 - BVRP Software)
    Mozilla Firefox 35.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 35.0.1 (x86 en-US)) (Version: 35.0.1 - Mozilla)
    Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
    MSN (HKLM\...\MSNINST) (Version: - )
    MSN Toolbar (HKLM\...\MSN Toolbar) (Version: - )
    MSXML 6 Service Pack 2 (KB973686) (HKLM\...\{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}) (Version: 6.20.2003.0 - Microsoft Corporation)
    NetZeroInstallers (HKLM\...\{352310C3-E46B-42D3-8F32-54721FDD72D9}) (Version: 1.0.0 - NetZero, Inc.)
    QuickTime 7 (HKLM\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
    Viewpoint Media Player (HKLM\...\ViewpointMediaPlayer) (Version: - )
    Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
    Vz In Home Agent (HKLM\...\{46B5522C-0FDB-4A6D-B730-461FFE0B1384}) (Version: 8.03.42 - Verizon)
    WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
    Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
    Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
    Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
    Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
    Windows PowerShell(TM) 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
    Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
    Wireless-G USB Adapter (HKLM\...\{272F54A7-00AE-4AA4-824C-DE541407E8FC}) (Version: - )
    Works Suite OS Pack (Version: 1.0.0.0000 - Microsoft Corporation) Hidden
    Works Synchronization (Version: 1.0.0.0000 - Your Company Name) Hidden

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    CustomCLSID: HKU\S-1-5-21-201643229-4220724790-121854142-1006_Classes\CLSID\{7629C9DE-2E38-4963-A01C-02FFAC203D87}\InprocServer32 -> C:\Program Files\AOL Desktop 9.7b\axtrack.dll (AOL Inc.)

    ==================== Restore Points =========================

    28-01-2015 08:54:41 System Checkpoint
    29-01-2015 10:28:23 System Checkpoint

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2004-08-04 06:00 - 2015-01-29 21:48 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
    127.0.0.1 localhost

    ==================== Scheduled Tasks (whitelisted) =============


    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
    Task: C:\WINDOWS\Tasks\MSN Messenger 7.job => ?

    ==================== Loaded Modules (whitelisted) =============

    2001-07-31 05:17 - 2001-07-31 05:17 - 00094274 _____ () C:\WINDOWS\system32\HPBHealr.dll
    2004-12-06 19:10 - 2003-10-13 15:30 - 00094208 _____ () C:\WINDOWS\system32\GTW32N50.dll
    2014-09-16 13:17 - 2014-09-16 13:17 - 00048640 _____ () C:\Program Files\AOL Desktop 9.7b\zlib.dll
    2014-09-16 13:17 - 2014-09-16 13:17 - 21151232 _____ () C:\Program Files\AOL Desktop 9.7b\libcef.dll
    2014-09-16 13:17 - 2014-09-16 13:17 - 00648704 _____ () C:\Program Files\AOL Desktop 9.7b\libglesv2.dll
    2014-09-16 13:17 - 2014-09-16 13:17 - 00122880 _____ () C:\Program Files\AOL Desktop 9.7b\libegl.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) =============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== MSCONFIG/TASK MANAGER disabled items =========

    (Currently there is no automatic fix for this section.)


    ========================= Accounts: ==========================

    Administrator (S-1-5-21-201643229-4220724790-121854142-500 - Administrator - Enabled)
    Guest (S-1-5-21-201643229-4220724790-121854142-501 - Limited - Disabled)
    HelpAssistant (S-1-5-21-201643229-4220724790-121854142-1005 - Limited - Disabled)
    SUPPORT_388945a0 (S-1-5-21-201643229-4220724790-121854142-1002 - Limited - Disabled)
    .... (S-1-5-21-201643229-4220724790-121854142-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\....

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (01/29/2015 10:47:45 PM) (Source: crypt32) (EventID: 8) (User: )
    Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

    Error: (01/29/2015 09:46:29 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application frst.exe, version 28.1.2015.1, faulting module frst.exe, version 28.1.2015.1, fault address 0x0001f3fb.
    Processing media-specific event for [frst.exe!ws!]

    Error: (01/22/2015 10:02:12 AM) (Source: Microsoft Office 14) (EventID: 1000) (User: )
    Description: Faulting application ois.exe, version 14.0.7010.1000, stamp 511d0167, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x02c00000.

    Error: (01/21/2015 03:53:55 PM) (Source: crypt32) (EventID: 8) (User: )
    Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


    System errors:
    =============
    Error: (01/29/2015 10:01:42 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The IHA_MessageCenter service failed to start due to the following error:
    %%2

    Error: (01/29/2015 10:01:37 PM) (Source: DCOM) (EventID: 10005) (User: HOME)
    Description: DCOM got error "%%1055" attempting to start the service netman with arguments ""
    in order to run the server:
    {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error: (01/29/2015 09:42:35 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
    Description: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

    Error: (01/29/2015 09:40:35 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
    Description: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

    Error: (01/29/2015 09:38:32 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
    Description: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

    Error: (01/29/2015 09:36:32 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
    Description: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

    Error: (01/29/2015 09:04:13 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
    Description: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

    Error: (01/29/2015 09:02:13 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
    Description: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

    Error: (01/29/2015 09:00:13 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
    Description: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

    Error: (01/29/2015 08:57:45 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
    Description: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.


    Microsoft Office Sessions:
    =========================
    Error: (01/29/2015 10:47:45 PM) (Source: crypt32) (EventID: 8) (User: )
    Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

    Error: (01/29/2015 09:46:29 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: frst.exe28.1.2015.1frst.exe28.1.2015.10001f3fb

    Error: (01/22/2015 10:02:12 AM) (Source: Microsoft Office 14) (EventID: 1000) (User: )
    Description: ois.exe14.0.7010.1000511d0167unknown0.0.0.000000000002c00000

    Error: (01/21/2015 03:53:55 PM) (Source: crypt32) (EventID: 8) (User: )
    Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.


    ==================== Memory info ===========================

    Processor: Intel(R) Celeron(R) CPU 2.40GHz
    Percentage of memory in use: 39%
    Total physical RAM: 509.9 MB
    Available physical RAM: 308.57 MB
    Total Pagefile: 1244.36 MB
    Available Pagefile: 933.63 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1935.09 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:33.7 GB) (Free:6.99 GB) NTFS ==>[Drive with boot components (Windows XP)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 37.3 GB) (Disk ID: D0F4738C)
    Partition 1: (Not Active) - (Size=47 MB) - (Type=DE)
    Partition 2: (Active) - (Size=33.7 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=3.5 GB) - (Type=DB)

    ==================== End Of Log ============================
     
  12. JSntgRvr (Retired Moderator and Malware Specialist)
    Please re-scan with FRST and post the new FRST.txt log.

    I do have the paths of all the encrypted files. Would you like to remove these from the computer?
     
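    The two replies above (post 6: remove the files related to the ransomware; post 12: the paths of the encrypted files are known from the log) amount to a triage of FRST's file listing. The script below is an added example, not code from the thread, from the FRST author, or from any removal tool. It parses the "created - modified - size attrs (company) path" lines FRST prints, sorts them into ransom notes, encrypted user files, and hidden/system executables living in a user profile (the msphn.exe pattern from the log), and emits them one full path per line, which is the form an FRST fixlist uses for files to move. The sample lines are copied from the logs in this thread; the ".qjqzead" extension, the HELP_DECRYPT prefix, the attribute heuristics and the function names are this example's own choices, not properties of any ransomware family.

```python
"""Triage of FRST file-listing lines from a ransomware case (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: six lines copied verbatim from the FRST logs posted in this thread.
SAMPLE_LOG = """\
2005-11-07 15:36 - 2006-07-10 10:40 - 0005632 __SHC () C:\\Program Files\\Thumbs.db
2015-01-27 12:30 - 2015-01-27 12:30 - 0008528 _____ () C:\\Documents and Settings\\.....\\Application Data\\HELP_DECRYPT.HTML
2015-01-27 12:30 - 2015-01-27 12:30 - 0001376 _____ () C:\\Documents and Settings\\.....\\Application Data\\HELP_DECRYPT.TXT.qjqzead
2004-08-04 06:00 - 2015-01-27 11:42 - 0158349 ___SH (loplkjyhtg) C:\\Documents and Settings\\.....\\Application Data\\msphn.exe
2015-01-03 18:02 - 2013-11-06 00:51 - 00014512 _____ () C:\\Documents and Settings\\.....\\Desktop\\NBN Story.DOCX.qjqzead
2014-12-31 13:15 - 2005-05-12 16:27 - 110348472 ____C (Microsoft Corporation) C:\\WINDOWS\\system32\\MRT.exe
"""

# Case-specific inputs taken from this log (assumptions for any other case).
ENCRYPTED_EXT = ".qjqzead"        # extension the ransomware appended to user files
RANSOM_NOTE_PREFIX = "help_decrypt"
PROFILE_MARKERS = ("\\documents and settings\\",)   # XP profile root; "\\users\\" on Vista and later
EXEC_EXTS = (".exe", ".dll", ".scr", ".com")

# FRST line layout: "<created> - <modified> - <size> <attrs> (<company>) <path>".
# attrs is a 5-character field padded with underscores; the letters present are the
# file attributes (S system, H hidden, D directory, C compressed, A archive, R read-only).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: Set[str]
    company: str
    path: str

    @property
    def name(self) -> str:
        # Windows path; split on backslash explicitly so this also works when run on Linux.
        return self.path.rsplit("\\", 1)[-1]


def parse_frst_lines(text: str) -> List[Entry]:
    """Return one Entry per file line; section headers and markers like 'ZeroAccess:' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            created=m["created"], modified=m["modified"], size=int(m["size"]),
            attrs=set(m["attrs"].replace("_", "")), company=m["company"], path=m["path"]))
    return entries


def classify(e: Entry) -> str:
    """Bucket an entry. Ransom notes are matched by name first, because in this log one of
    them (HELP_DECRYPT.TXT.qjqzead) also carries the encrypted-file extension."""
    name, path = e.name.lower(), e.path.lower()
    if name.startswith(RANSOM_NOTE_PREFIX):
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    # Heuristic, not proof: an executable marked System/Hidden inside a user profile is
    # out of place (legitimate software installs under Program Files or WINDOWS and does
    # not hide its binaries). msphn.exe in the log matches; MRT.exe under system32 does not.
    in_profile = any(marker in path for marker in PROFILE_MARKERS)
    hidden = bool(e.attrs & {"H", "S"})
    if name.endswith(EXEC_EXTS) and in_profile and hidden:
        return "suspicious_exe"
    return "other"


def triage(text: str) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {"ransom_note": [], "encrypted": [], "suspicious_exe": [], "other": []}
    for e in parse_frst_lines(text):
        buckets[classify(e)].append(e.path)
    return buckets


def build_fixlist(buckets: Dict[str, List[str]], include_encrypted: bool = False) -> List[str]:
    """One full path per line, the form an FRST fixlist uses to move files.
    Encrypted user files are only included on request: they are the victim's data, and a
    backup or shadow-copy restore wants them identified, not necessarily deleted."""
    lines = list(buckets["suspicious_exe"]) + list(buckets["ransom_note"])
    if include_encrypted:
        lines += buckets["encrypted"]
    return lines


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, paths in result.items():
        print(f"{bucket}: {len(paths)}")
    print("\n".join(build_fixlist(result)))
```

Run it over a full FRST.txt and Addition.txt instead of SAMPLE_LOG to get the complete inventory; the "encrypted" bucket is the list of files to restore from the thumb-drive backup, and the other two buckets are what a fixlist would move. The suspicious-executable rule is deliberately narrow and only flags hidden binaries in a profile, so anything it misses still needs the usual review of the Run keys, services and scheduled tasks in the log.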
  13. Tommy0421 (Thread Starter)
    I'll do a rescan now. Yes, I would like to remove the encrypted file paths if you think it's advisable.
     
  14. Tommy0421 (Thread Starter)
    The FRST scan is amazingly fast! I'm pasting the results below. FWIW, I have not had any of the CBT-Locker popup ads since very early Thursday morning, over thirty hours.


    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01
    Ran by .... (administrator) on HOME on 30-01-2015 11:28:19
    Running from C:\Documents and Settings\....\My Documents\Downloads\FRST
    Loaded Profiles: .... (Available profiles: ....)
    Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
    Internet Explorer Version 8 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (brother Industries Ltd) C:\WINDOWS\SYSTEM32\BRSVC01A.EXE
    (Lexmark International, Inc.) C:\WINDOWS\SYSTEM32\LEXBCES.EXE
    (brother Industries Ltd) C:\WINDOWS\SYSTEM32\BRSS01A.EXE
    (Lexmark International, Inc.) C:\WINDOWS\SYSTEM32\LEXPPS.EXE
    (Western Digital Technologies, Inc.) C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
    (Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    (AOL Inc.) C:\Program Files\Common Files\AOL\1386822452\ee\aolsoftware.exe
    (Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
    (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    (AOL Inc.) C:\Program Files\AOL Desktop 9.7b\waol.exe
    (Microsoft® Corporation) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    (AOL Inc.) C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    (America Online, Inc.) C:\WINDOWS\wanmpsvc.exe
    (GEMTEKS) C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
    (Cisco Linksys Corporation) C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
    (AOL Inc.) C:\Program Files\AOL Desktop 9.7b\shellmon.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [PCMService] => "C:\Program Files\Dell\Media Experience\PCMService.exe"
    HKLM\...\Run: [MMTray] => "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
    HKLM\...\Run: [BO1HelperStartUp] => C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
    HKLM\...\Run: [WD Button Manager] => C:\WINDOWS\system32\WDBtnMgr.exe [331776 2006-12-03] (Western Digital Technologies, Inc.)
    HKLM\...\Run: [AOLDialer] => C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [70760 2014-02-06] (AOL Inc.)
    HKLM\...\Run: [IPHSend] => C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [126104 2006-03-27] (America Online, Inc.)
    HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM\...\Run: [HostManager] => C:\Program Files\Common Files\AOL\1386822452\ee\AOLSoftware.exe [41800 2010-03-08] (AOL Inc.)
    HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
    HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
    Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [msnmsgr] => "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [SpybotSD TeaTimer] => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-10-22] (Google Inc.)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [AOL Fast Start] => C:\Program Files\AOL Desktop 9.7b\AOL.EXE [72296 2014-09-16] (AOL Inc.)
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\MountPoints2: {00da99a9-264b-11e0-bc13-00038a000015} - E:\LaunchU3.exe -a
    HKU\S-1-5-18\...\Run: [AOL Fast Start] => "C:\Program Files\America Online 9.0\AOL.EXE" -b
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    ShortcutTarget: Microsoft Works Calendar Reminders.lnk -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (Microsoft® Corporation)
    Startup: C:\Documents and Settings\....\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.aol.com/34561-111/aol-6/en-us/Suite.aspx
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.com/?ncid=customie8
    URLSearchHook: HKLM - (No Name) - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - No File
    BHO: No Name -> {9394EDE7-C8B5-483E-8773-474BF36AF6E4} -> No File
    BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: No Name -> {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -> No File
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\j2re1.4.2_03\bin\jp2ssv.dll No File
    Toolbar: HKLM - No Name - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    Toolbar: HKLM - No Name - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - No File
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\....\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296
    FF Homepage: https://mail.google.com/mail/u/0/?shva=1#inbox
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @viewpoint.com/VMP -> C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
    FF Extension: Bitdefender QuickScan - C:\Documents and Settings\....\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2015-01-27]
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-10-22]

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46184 2014-02-06] (AOL Inc.)
    R2 Brother XP spl Service; C:\WINDOWS\system32\brsvc01a.exe [57344 2001-11-22] (brother Industries Ltd)
    S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
    R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2004-03-04] (Lexmark International, Inc.) [File not signed]
    R2 WANMiniportService; C:\WINDOWS\wanmpsvc.exe [65536 2001-11-26] (America Online, Inc.) [File not signed]
    S2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [X]
    R2 WUSB54GSVC; "C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
    S3 bvrp_pci; C:\WINDOWS\system32\Drivers\bvrp_pci.sys [4272 2003-08-28] ()
    R0 fsbts; C:\WINDOWS\System32\Drivers\fsbts.sys [44240 2015-01-15] ()
    R3 GTNDIS5; C:\WINDOWS\system32\GTNDIS5.SYS [15872 2003-09-25] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
    R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2002-11-08] (Dell Computer Corporation) [File not signed]
    S3 PRISM_A02; C:\WINDOWS\System32\DRIVERS\WUSB20XP.sys [339488 2004-01-07] (Cisco-Linksys, LLC.)
    R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20576 2005-10-07] (Sonic Solutions) [File not signed]
    R3 senfilt; C:\WINDOWS\System32\drivers\senfilt.sys [381056 2004-04-26] (Sensaura)
    S3 SONYPVU1; C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
    R3 wanatw; C:\WINDOWS\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
    R3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [120830 2003-10-08] (Intel Corporation)
    R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [98842 2003-10-08] (Intel Corporation)
    S3 BS815694720; \??\C:\DOCUME~1\THELMA~1\LOCALS~1\Temp\NTFS.sys [X]
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    S3 SDDMI2; \??\C:\WINDOWS\system32\DDMI2.sys [X]
    U1 WS2IFSL; No ImagePath

    ==================== NetSvcs (Whitelisted) ===================


    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-01-29 20:43 - 2015-01-29 20:43 - 00000761 _____ () C:\Documents and Settings\All Users\Desktop\AOL Desktop 9.7.lnk
    2015-01-29 20:43 - 2015-01-29 20:43 - 00000671 _____ () C:\Documents and Settings\All Users\Start Menu\AOL Desktop 9.7.lnk
    2015-01-29 20:43 - 2015-01-29 20:43 - 00000000 ____D () C:\Program Files\Viewpoint
    2015-01-29 20:43 - 2015-01-29 20:43 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Viewpoint
    2015-01-29 20:38 - 2015-01-29 20:46 - 00000000 ____D () C:\Program Files\AOL Desktop 9.7b
    2015-01-28 21:56 - 2015-01-28 21:56 - 00000650 _____ () C:\Documents and Settings\....\Desktop\Shortcut to JRT.lnk
    2015-01-28 21:52 - 2015-01-28 21:52 - 00000000 ____D () C:\WINDOWS\ERUNT
    2015-01-28 15:28 - 2015-01-28 15:32 - 00000419 ____C () C:\runcheck.txt
    2015-01-28 10:39 - 2015-01-28 10:39 - 00000938 _____ () C:\Documents and Settings\....\Desktop\Shortcut to zoek.lnk
    2015-01-28 10:39 - 2015-01-28 10:39 - 00000000 ___DC () C:\zoek_backup
    2015-01-28 00:23 - 2015-01-28 00:23 - 00001032 _____ () C:\Documents and Settings\....\Desktop\Shortcut to Windows-KB890830-V5.20.lnk
    2015-01-27 21:19 - 2015-01-27 21:19 - 00000036 _____ () C:\Documents and Settings\....\Local Settings\Application Data\housecall.guid.cache
    2015-01-27 21:05 - 2015-01-27 21:05 - 00000977 _____ () C:\Documents and Settings\....\Desktop\Shortcut to RansomFix32.lnk
    2015-01-27 19:59 - 2015-01-27 20:27 - 00022316 ____C () C:\Report 2015-01-27 19.59.03.txt
    2015-01-27 19:59 - 2015-01-27 19:59 - 00000000 ____D () C:\Documents and Settings\....\Application Data\QuickScan
    2015-01-27 19:42 - 2015-01-27 23:22 - 00000701 _____ () C:\Documents and Settings\....\Desktop\Shortcut to mbam-setup-2.0.4.1028.lnk
    2015-01-27 18:44 - 2015-01-27 18:44 - 00000972 _____ () C:\Documents and Settings\....\Desktop\Shortcut to mssstool32.lnk
    2015-01-27 17:18 - 2015-01-28 15:34 - 00004204 _____ () C:\Documents and Settings\....\Desktop\HELP_DECRYPT.TXT
    2015-01-27 15:31 - 2015-01-27 15:31 - 00004204 _____ () C:\Documents and Settings\....\My Documents\HELP_DECRYPT.TXT
    2015-01-27 15:31 - 2015-01-27 15:31 - 00004204 _____ () C:\Documents and Settings\....\HELP_DECRYPT.TXT
    2015-01-27 13:10 - 2015-01-27 13:10 - 00008528 _____ () C:\Documents and Settings\....\Local Settings\HELP_DECRYPT.HTML
    2015-01-27 13:10 - 2015-01-27 13:10 - 00008528 _____ () C:\Documents and Settings\....\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-01-27 13:10 - 2015-01-27 13:10 - 00001376 _____ () C:\Documents and Settings\....\Local Settings\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 13:10 - 2015-01-27 13:10 - 00001376 _____ () C:\Documents and Settings\....\Local Settings\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 13:10 - 2015-01-27 13:10 - 00000272 _____ () C:\Documents and Settings\....\Local Settings\HELP_DECRYPT.URL
    2015-01-27 13:10 - 2015-01-27 13:10 - 00000272 _____ () C:\Documents and Settings\....\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-01-27 12:30 - 2015-01-27 12:30 - 00008528 _____ () C:\Documents and Settings\....\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:30 - 2015-01-27 12:30 - 00001376 _____ () C:\Documents and Settings\....\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:30 - 2015-01-27 12:30 - 00000272 _____ () C:\Documents and Settings\....\Application Data\HELP_DECRYPT.URL
    2015-01-27 11:42 - 2015-01-27 11:42 - 00000480 ____H () C:\Documents and Settings\....\Application Data\&#40637;&#37778;&#39379;&#35228;
    2015-01-27 11:42 - 2015-01-27 11:42 - 00000000 ____D () C:\WINDOWS\FrameworkUpdate
    2015-01-26 12:28 - 2015-01-26 12:31 - 00000000 ____D () C:\Program Files\Mozilla Firefox
    2015-01-24 10:30 - 2015-01-24 10:29 - 00090112 _____ () C:\WINDOWS\Minidump\Mini012415-01.dmp
    2015-01-24 00:29 - 2015-01-30 11:28 - 00000000 ___DC () C:\FRST
    2015-01-22 20:16 - 2015-01-27 12:56 - 00000000 ____D () C:\Documents and Settings\....\My Documents\TRAINS CNJ 0356
    2015-01-19 21:44 - 2015-01-19 21:44 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011915-01.dmp
    2015-01-17 14:28 - 2015-01-27 13:07 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yonkers Buses
    2015-01-17 00:03 - 2015-01-17 00:03 - 00000000 ____D () C:\WINDOWS\pss
    2015-01-15 15:59 - 2015-01-15 15:58 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011515-02.dmp
    2015-01-15 14:19 - 2015-01-15 14:19 - 00044240 _____ () C:\WINDOWS\system32\Drivers\fsbts.sys
    2015-01-15 14:14 - 2015-01-15 14:14 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\F-Secure
    2015-01-15 10:25 - 2015-01-15 10:25 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011515-01.dmp
    2015-01-14 22:19 - 2015-01-28 20:43 - 00000000 ___DC () C:\AdwCleaner
    2015-01-13 17:29 - 2015-01-13 17:28 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011315-01.dmp
    2015-01-12 11:55 - 2015-01-12 11:55 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011215-01.dmp
    2015-01-10 16:49 - 2015-01-10 16:49 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Application Data\Odkhics
    2015-01-10 16:45 - 2015-01-15 14:56 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Application Data\Ohdnics
    2015-01-03 18:29 - 2015-01-27 13:07 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yonkers Feb NL
    2015-01-02 19:19 - 2015-01-02 19:19 - 13732528 _____ () C:\Documents and Settings\....\Desktop\PRR CNJ Passenger Study 7-15-1959.PDF.qjqzead

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-01-30 11:29 - 2004-11-22 11:40 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Temp
    2015-01-30 11:06 - 2004-08-10 13:59 - 00000159 ____C () C:\WINDOWS\WIADEBUG.LOG
    2015-01-30 11:06 - 2004-08-10 13:59 - 00000049 ____C () C:\WINDOWS\WIASERVC.LOG
    2015-01-30 10:54 - 2011-10-22 17:02 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2015-01-30 10:15 - 2011-10-22 17:02 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2015-01-30 10:14 - 2014-03-22 08:44 - 00000236 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
    2015-01-30 10:14 - 2006-07-12 12:56 - 00000444 _____ () C:\WINDOWS\Tasks\MSN Messenger 7.job
    2015-01-30 10:14 - 2004-11-16 19:43 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2015-01-30 00:59 - 2004-11-16 19:43 - 00032402 _____ () C:\WINDOWS\SchedLgU.Txt
    2015-01-30 00:58 - 2012-05-05 23:47 - 00131072 _____ () C:\WINDOWS\system32\config\OAlerts.evt
    2015-01-30 00:58 - 2004-11-22 11:40 - 00000278 ___SH () C:\Documents and Settings\....\NTUSER.INI
    2015-01-30 00:58 - 2004-11-16 19:43 - 01237979 _____ () C:\WINDOWS\WindowsUpdate.log
    2015-01-29 21:58 - 2014-04-27 18:31 - 15728640 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
    2015-01-29 21:53 - 2004-11-16 19:28 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Temp
    2015-01-29 21:48 - 2004-11-16 19:28 - 00000000 __SHD () C:\Documents and Settings\NetworkService
    2015-01-29 21:48 - 2004-11-16 19:28 - 00000000 __SHD () C:\Documents and Settings\LocalService
    2015-01-29 21:33 - 2012-05-05 23:46 - 00002501 _____ () C:\Documents and Settings\....\Desktop\Microsoft Word 2010.lnk
    2015-01-29 21:21 - 2004-11-16 19:26 - 00000000 ____D () C:\WINDOWS\system32\FxsTmp
    2015-01-29 21:15 - 2011-10-23 11:02 - 00000284 _____ () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    2015-01-29 20:44 - 2006-09-11 10:51 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Application Data\AOL
    2015-01-29 20:44 - 2004-12-09 11:50 - 00000000 ____D () C:\Documents and Settings\....\Application Data\AOL
    2015-01-29 20:44 - 2004-11-19 15:59 - 00093841 ____C () C:\INSTALL.LOG
    2015-01-29 20:43 - 2013-12-11 23:34 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AOL
    2015-01-29 20:43 - 2004-11-16 19:55 - 00000000 ____D () C:\Program Files\Common Files\AOL
    2015-01-29 20:43 - 2004-08-10 14:08 - 00153151 ____C () C:\WINDOWS\WMSETUP.LOG
    2015-01-29 20:38 - 2013-12-11 23:26 - 00000000 ____D () C:\Program Files\Common Files\aolshare
    2015-01-29 20:38 - 2004-11-16 19:55 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AOL
    2015-01-29 20:32 - 2013-12-11 23:33 - 00058696 _____ (AOL Inc.) C:\WINDOWS\system32\AOLParconLink.exe
    2015-01-29 05:25 - 2004-08-04 06:00 - 00154253 ___SH (fgtrfgvbnh) C:\Documents and Settings\....\Application Data\msphn.exe
    2015-01-29 00:18 - 2014-11-25 18:24 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NYNL 2015
    2015-01-28 16:14 - 2004-11-22 11:40 - 00000000 ____D () C:\Documents and Settings\....
    2015-01-28 08:53 - 2004-11-16 19:26 - 00000000 ____D () C:\WINDOWS\system32\Restore
    2015-01-27 18:39 - 2006-11-03 10:31 - 00283074 _____ () C:\WINDOWS\setupapi.log
    2015-01-27 17:17 - 2006-12-03 13:31 - 00000000 ____D () C:\Retrospect
    2015-01-27 16:38 - 2011-10-22 17:02 - 00000000 ____D () C:\Program Files\Google
    2015-01-27 16:22 - 2004-11-16 19:24 - 00000000 ____D () C:\I386
    2015-01-27 16:07 - 2013-03-21 10:09 - 00000000 ____D () C:\Documents and Settings\....\My Documents\RRG
    2015-01-27 15:31 - 2012-02-11 21:39 - 00000000 ____D () C:\Documents and Settings\....\My Documents\RR_Stuff
    2015-01-27 15:12 - 2013-01-30 23:02 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Ry_Age
    2015-01-27 14:38 - 2013-02-11 12:19 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NYC_Stuff
    2015-01-27 14:31 - 2004-12-06 15:34 - 00000000 ____D () C:\Program Files\Microsoft Works
    2015-01-27 14:26 - 2014-12-27 21:16 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY Chapter Archive
    2015-01-27 14:26 - 2013-04-25 22:13 - 00000000 ____D () C:\Documents and Settings\....\My Documents\My Stuff
    2015-01-27 14:26 - 2012-06-11 21:51 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Erie_AGW
    2015-01-27 14:21 - 2012-01-20 21:00 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Buses
    2015-01-27 14:20 - 2012-11-26 20:56 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Application Data\Thunderbird
    2015-01-27 14:20 - 2012-10-22 18:20 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Application Data\Sun
    2015-01-27 14:20 - 2011-10-21 22:01 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Application Data\Mozilla
    2015-01-27 14:03 - 2011-10-28 19:42 - 00000000 ____D () C:\Documents and Settings\....\Desktop\Tommy's
    2015-01-27 14:03 - 2011-10-22 17:02 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Application Data\Google
    2015-01-27 13:54 - 2013-11-25 20:37 - 00000000 ____D () C:\Documents and Settings\....\Desktop\MSR Relocation
    2015-01-27 13:54 - 2013-11-08 13:39 - 00000000 ____D () C:\Documents and Settings\....\Desktop\MNR CT
    2015-01-27 13:53 - 2012-11-26 20:56 - 00000000 ____D () C:\Documents and Settings\....\Application Data\Thunderbird
    2015-01-27 13:53 - 2011-10-21 22:01 - 00000000 ____D () C:\Documents and Settings\....\Application Data\Mozilla
    2015-01-27 13:43 - 2014-11-15 20:01 - 00000000 ____D () C:\Documents and Settings\NetworkService\Application Data\McAfee
    2015-01-27 13:42 - 2006-08-28 09:08 - 00000000 ____D () C:\Documents and Settings\LocalService\Application Data\AOL
    2015-01-27 13:42 - 2005-08-24 21:45 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Retrospect
    2015-01-27 13:42 - 2004-11-16 19:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SBSI
    2015-01-27 13:41 - 2014-11-15 22:35 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
    2015-01-27 13:13 - 2014-02-10 17:11 - 00000000 ____D () C:\Documents and Settings\....\My Documents\RLHS Stuff
    2015-01-27 13:13 - 2013-05-25 23:06 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Home
    2015-01-27 13:12 - 2014-06-10 22:43 - 00000000 ____D () C:\Documents and Settings\....\My Documents\McLeod
    2015-01-27 13:12 - 2004-11-22 10:15 - 00000000 ____D () C:\Program Files\New Folder
    2015-01-27 13:11 - 2014-06-22 00:10 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NYBM NYCN
    2015-01-27 13:10 - 2014-10-28 22:51 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Kittredge Home
    2015-01-27 13:10 - 2013-12-03 23:01 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NYNL 2014
    2015-01-27 13:10 - 2013-11-30 21:10 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY Chapter 2014
    2015-01-27 13:10 - 2013-10-28 11:48 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yonkers Streetcars
    2015-01-27 13:10 - 2013-05-30 09:28 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY Stuff
    2015-01-27 13:09 - 2014-09-26 23:21 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yonkers Nov NL
    2015-01-27 13:09 - 2014-09-01 23:53 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Kaufman
    2015-01-27 13:09 - 2014-08-27 22:55 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yonkers Electrification
    2015-01-27 13:09 - 2014-03-30 17:00 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yonkers NYC
    2015-01-27 13:08 - 2014-10-25 11:49 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Warren Wetmore Stas NYC
    2015-01-27 13:07 - 2014-10-02 13:59 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yonkers Aband
    2015-01-27 13:05 - 2013-12-29 17:39 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Harlem Div
    2015-01-27 13:05 - 2013-10-15 00:45 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yonkers
    2015-01-27 13:04 - 2013-11-07 19:24 - 00000000 ____D () C:\Documents and Settings\....\My Documents\MNR-LIRR
    2015-01-27 13:03 - 2012-11-11 14:54 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Chicago_Suburban
    2015-01-27 13:02 - 2013-12-12 10:25 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Fog
    2015-01-27 13:02 - 2013-08-01 21:43 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NYNL 2013
    2015-01-27 13:02 - 2011-11-11 19:05 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NYNL
    2015-01-27 13:01 - 2013-08-13 22:51 - 00000000 ____D () C:\Documents and Settings\....\My Documents\PATH Plainfield
    2015-01-27 13:00 - 2012-09-04 21:05 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Cal_Guys
    2015-01-27 12:59 - 2013-08-28 14:19 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY Chap from Natl
    2015-01-27 12:58 - 2013-08-05 23:43 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NYP
    2015-01-27 12:57 - 2013-11-01 23:54 - 00000000 ____D () C:\Documents and Settings\....\My Documents\JREF.Intl
    2015-01-27 12:57 - 2004-11-16 20:01 - 00000000 ____D () C:\Program Files\WordPerfect Office 12
    2015-01-27 12:56 - 2012-05-08 17:15 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY_Chapter
    2015-01-27 12:55 - 2013-05-26 09:54 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Yard
    2015-01-27 12:54 - 2014-07-22 20:03 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NH NYC GCT
    2015-01-27 12:53 - 2014-12-01 00:10 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY Chapter 2015
    2015-01-27 12:52 - 2014-03-06 01:17 - 00000000 ____D () C:\Documents and Settings\....\My Documents\SML
    2015-01-27 12:50 - 2013-08-02 14:47 - 00000000 ____D () C:\Documents and Settings\....\My Documents\080213
    2015-01-27 12:46 - 2013-12-10 16:49 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY Chap Letters 2014
    2015-01-27 12:43 - 2013-12-06 12:14 - 00000000 ____D () C:\Documents and Settings\....\My Documents\Hell Gate
    2015-01-27 12:43 - 2013-02-07 18:12 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY Chap Letters
    2015-01-27 12:40 - 2014-12-18 20:53 - 00000000 ____D () C:\Documents and Settings\....\My Documents\NY Chap Letters 2015
    2015-01-27 12:38 - 2005-10-15 12:48 - 00000000 ____D () C:\Program Files\LimeWire
    2015-01-27 12:34 - 2011-12-04 21:47 - 00000000 ____D () C:\Program Files\Windows Media Connect 2
    2015-01-27 12:25 - 2004-11-16 19:28 - 00000000 ____D () C:\Program Files\Outlook Express
    2015-01-27 12:24 - 2004-11-16 19:54 - 00000000 ____D () C:\Program Files\Modem Helper
    2015-01-27 12:23 - 2004-11-19 15:52 - 00000000 ____D () C:\Program Files\Common Files\ATX
    2015-01-27 11:46 - 2014-11-15 22:35 - 00000000 __HDC () C:\$AVG
    2015-01-27 11:46 - 2004-11-16 19:28 - 00000000 ____D () C:\DELL
    2015-01-27 10:10 - 2012-05-05 09:12 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
    2015-01-24 10:30 - 2005-05-12 16:30 - 00000000 ____D () C:\WINDOWS\Minidump
    2015-01-23 00:30 - 2004-08-10 14:08 - 00000178 __SHC () C:\Documents and Settings\NetworkService\NTUSER.INI
    2015-01-16 19:14 - 1998-05-28 13:03 - 00004400 ____C () C:\Report 2015-01-16 18.20.32.TXT.qjqzead
    2015-01-15 16:03 - 2011-10-22 13:24 - 00002461 _____ () C:\Documents and Settings\....\Desktop\HiJackThis.lnk
    2015-01-15 13:13 - 1998-05-28 13:03 - 00012608 ____C () C:\Report 2015-01-15 12.24.45.TXT.qjqzead
    2015-01-15 00:14 - 2014-11-15 12:08 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
    2015-01-14 20:14 - 2006-12-07 15:09 - 00110240 ____C () C:\VETlog.dmp
    2015-01-14 20:14 - 1998-05-28 13:03 - 00058480 ____C () C:\VETlog.TXT.qjqzead
    2015-01-14 12:04 - 2014-11-18 17:38 - 00000000 ____D () C:\Program Files\Enigma Software Group
    2015-01-08 15:27 - 2014-03-22 08:44 - 00000230 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
    2015-01-03 09:55 - 2014-08-20 14:32 - 00000000 ____D () C:\Documents and Settings\....\Local Settings\Application Data\Adobe
    2014-12-31 13:15 - 2005-05-12 16:27 - 110348472 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

    ==================== Files in the root of some directories =======

    2005-11-07 15:36 - 2006-07-10 10:40 - 0005632 __SHC () C:\Program Files\Thumbs.db
    2015-01-27 12:30 - 2015-01-27 12:30 - 0008528 _____ () C:\Documents and Settings\....\Application Data\HELP_DECRYPT.HTML
    2015-01-27 12:30 - 2015-01-27 12:30 - 0045558 _____ () C:\Documents and Settings\....\Application Data\HELP_DECRYPT.PNG
    2015-01-27 12:30 - 2015-01-27 12:30 - 0001376 _____ () C:\Documents and Settings\....\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 12:30 - 2015-01-27 12:30 - 0000272 _____ () C:\Documents and Settings\....\Application Data\HELP_DECRYPT.URL
    2004-08-04 06:00 - 2015-01-29 05:25 - 0154253 ___SH (fgtrfgvbnh) C:\Documents and Settings\....\Application Data\msphn.exe
    1980-01-01 01:00 - 2008-04-13 13:40 - 0000234 _____ () C:\Documents and Settings\....\Application Data\PBS815694720.ini
    2004-11-23 15:32 - 2004-11-23 15:32 - 0012358 ____C () C:\Documents and Settings\....\Application Data\PFP120JCM.{PB
    2004-11-23 15:32 - 2004-11-23 15:32 - 0061678 ____C () C:\Documents and Settings\....\Application Data\PFP120JPR.{PB
    2015-01-27 11:42 - 2015-01-27 11:42 - 0000480 ____H () C:\Documents and Settings\....\Application Data\&#40637;&#37778;&#39379;&#35228;
    2011-01-20 20:34 - 2013-03-22 12:11 - 0033792 ____C () C:\Documents and Settings\....\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2015-01-27 13:10 - 2015-01-27 13:10 - 0008528 _____ () C:\Documents and Settings\....\Local Settings\Application Data\HELP_DECRYPT.HTML
    2015-01-27 13:10 - 2015-01-27 13:10 - 0045558 _____ () C:\Documents and Settings\....\Local Settings\Application Data\HELP_DECRYPT.PNG
    2015-01-27 13:10 - 2015-01-27 13:10 - 0001376 _____ () C:\Documents and Settings\....\Local Settings\Application Data\HELP_DECRYPT.TXT.qjqzead
    2015-01-27 13:10 - 2015-01-27 13:10 - 0000272 _____ () C:\Documents and Settings\....\Local Settings\Application Data\HELP_DECRYPT.URL
    2015-01-27 21:19 - 2015-01-27 21:19 - 0000036 _____ () C:\Documents and Settings\....\Local Settings\Application Data\housecall.guid.cache
    ZeroAccess:
    C:\Documents and Settings\....\Local Settings\Application Data\Google\Desktop\Install

    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End Of Log ============================
     
  15. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Please download SystemLook from one of the links below and save it to your Desktop.

    32 bit Download Mirror #1
    32 bit Download Mirror #2


    For 64-bit systems, please download SystemLook from the link below and save it to your Desktop.

    64 bit Download Mirror

    • Double-click SystemLook.exe (or SystemLook_x64.exe) to run the application.
    • Copy the content of the following quote box into the main text field:
    • Click the Look button to start the scan.
    • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

    Note: The log can also be found on your Desktop, entitled SystemLook.txt.
     
Short URL to this thread: https://techguy.org/1142020