Tommy0421 (Thread Starter) - Joined Jan 15, 2015 - Messages: 33
When it rains it pours.
After years of relatively easy sailing, lately I have had a couple of problems come up. Yesterday I had a ransomware program downloaded to my computer. All my Word files, PDFs and JPGs are now encrypted. (I have them backed up on a thumb drive.) I got what I guess is the usual warning:
"What happened to your files? All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0"
along with instructions on how to contact tostotor dot com and, for $$$, obtain the private encryption key.
Instead I ran several scan programs. F-Secure found a couple of things and RansomFix32 removed four registry entries. I then ran a Microsoft malware removal program (KB890830 - V.5 20) and that came up clean. I re-ran F-Secure and RansomFix32 a second time and they didn't find anything. My computer and my Internet connection seem to be working normally.
This morning when I turned on my computer I got several Help_Decrypt popups -- a Notepad file and a PDF -- and Firefox opened by itself and tried to connect to tostotor (I closed it). I ran a Farbar Recovery scan (it didn't remove anything) but I removed four items I saw on the startup menu (highlighted in red). When I rebooted, the Help_Decrypt popups didn't open, nor did Firefox try to connect to tostotor.
Apparently something is still in there. I also see some things on the Farbar scan that look suspicious. If anyone can help me I'd be very appreciative. (In the scan below I dotted out the user name.)
Here's my system information:
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
Processor: Intel(R) Celeron(R) CPU 2.40GHz, x86 Family 15 Model 2 Stepping 9
Processor Count: 1
RAM: 509 Mb
Graphics Card: Intel(R) 82845G/GL/GE/PE/GV Graphics Controller, 64 Mb
Hard Drives: C: Total - 34506 MB, Free - 4789 MB;
Motherboard: Dell Computer Corp., 0K5148
Antivirus: None
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01
Ran by (administrator) on HOME on 28-01-2015 10:48:33
Running from C:\Documents and Settings\....\My Documents\Downloads
Loaded Profiles: (Available profiles: .....)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(brother Industries Ltd) C:\WINDOWS\SYSTEM32\BRSVC01A.EXE
(Lexmark International, Inc.) C:\WINDOWS\SYSTEM32\LEXBCES.EXE
(brother Industries Ltd) C:\WINDOWS\SYSTEM32\BRSS01A.EXE
(Lexmark International, Inc.) C:\WINDOWS\SYSTEM32\LEXPPS.EXE
(Intel Corporation) C:\WINDOWS\SYSTEM32\hkcmd.exe
(Western Digital Technologies, Inc.) C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\msiexec.exe
(AOL Inc.) C:\Program Files\Common Files\AOL\1386822452\ee\aolsoftware.exe
(Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
(Microsoft® Corporation) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
(America Online, Inc.) C:\WINDOWS\wanmpsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(GEMTEKS) C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
(Cisco Linksys Corporation) C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\msiexec.exe
(AOL Inc.) C:\Program Files\Common Files\AOL\1386822452\ee\aolupdates.exe
() C:\Documents and Settings\User\My Documents\Downloads\zoek.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\cmd.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\cmd.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\mshta.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [PCMService] => "C:\Program Files\Dell\Media Experience\PCMService.exe"
HKLM\...\Run: [MMTray] => "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
HKLM\...\Run: [BO1HelperStartUp] => C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
HKLM\...\Run: [WD Button Manager] => C:\WINDOWS\system32\WDBtnMgr.exe [331776 2006-12-03] (Western Digital Technologies, Inc.)
HKLM\...\Run: [AOLDialer] => C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [70760 2014-02-06] (AOL Inc.)
HKLM\...\Run: [IPHSend] => C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe [126104 2006-03-27] (America Online, Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [HostManager] => C:\Program Files\Common Files\AOL\1386822452\ee\AOLSoftware.exe [41800 2010-03-08] (AOL Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 224 more characters). <==== ATTENTION!
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^A4EAAA==n{[email protected]#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*[email protected]#@&S4k^+cne'c+b @#@&`@#@&[email protected]#@&i @#@&di (the data entry has 32951 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
HKLM\...\Policies\Explorer\Run: [11317936] => C:\Documents and Settings\All Users\msphn.exe [116736 2010-12-09] ( ())
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [msnmsgr] => "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [SpybotSD TeaTimer] => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-10-22] (Google Inc.)
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Elhstion] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\.....\Local Settings\Application Data\Ohdnics\ep0lvr1t.dll"
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Odkhics] => regsvr32.exe "C:\Documents and Settings\......\Local Settings\Application Data\Odkhics\BRIBFFM00.DLL"
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [RSA815694720] => C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\.....\Application Data\Microsoft\Crypto\RSA\RSA815694720.dll",DllInitialize
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [AOL Fast Start] => C:\Program Files\AOL Desktop 9.7a\AOL.EXE [72296 2014-08-19] (AOL Inc.)
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Run: [Google Update**.d<*>] => "C:\Documents and Settings\.....\Local Settings\Application Data\Google\Desktop\Install\{d23d6ab3-5ace-3265-1a93-d8dca11f5f67}\# \GoogleUpdate.exe" > <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer\Run: [11317936] => C:\Documents and Settings\.....\Application Data\msphn.exe [158349 2015-01-27] (loplkjyhtg)
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-201643229-4220724790-121854142-1006\...\MountPoints2: {00da99a9-264b-11e0-bc13-00038a000015} - E:\LaunchU3.exe -a
HKU\S-1-5-18\...\Run: [AOL Fast Start] => "C:\Program Files\America Online 9.0\AOL.EXE" -b
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
ShortcutTarget: Microsoft Works Calendar Reminders.lnk -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (Microsoft® Corporation)
Startup: C:\Documents and Settings\......\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Documents and Settings\.....\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/Y0asb3
Startup: C:\Documents and Settings\.....\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.aol.com/34561-111/aol-6/en-us/Suite.aspx
HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKU\S-1-5-21-201643229-4220724790-121854142-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.com/?ncid=customie8
URLSearchHook: HKLM - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll No File
URLSearchHook: HKU\S-1-5-21-201643229-4220724790-121854142-1006 - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: AOL Toolbar Loader -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} -> C:\Program Files\AOL Toolbar\aoltb.dll No File
BHO: No Name -> {53707962-6F74-2D53-2644-206D7942484F} -> No File
BHO: No Name -> {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -> No File
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\j2re1.4.2_03\bin\ssv.dll No File
BHO: ST -> {9394EDE7-C8B5-483E-8773-474BF36AF6E4} -> C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: MSNToolBandBHO -> {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\j2re1.4.2_03\bin\jp2ssv.dll No File
Toolbar: HKLM - MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
Toolbar: HKLM - AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll No File
Toolbar: HKU\S-1-5-21-201643229-4220724790-121854142-1006 -> AOL Toolbar - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
FireFox:
========
FF ProfilePath: C:\Documents and Settings\.....\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296
FF Homepage: https://mail.google.com/mail/u/0/?shva=1#inbox
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MI1933~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Extension: Bitdefender QuickScan - C:\Documents and Settings\THELMA NUNEZ\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2015-01-27]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-10-22]
========================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46184 2014-02-06] (AOL Inc.)
R2 Brother XP spl Service; C:\WINDOWS\system32\brsvc01a.exe [57344 2001-11-22] (brother Industries Ltd)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2004-03-04] (Lexmark International, Inc.) [File not signed]
S3 SystemUpdate; C:\WINDOWS\FrameworkUpdate\Update.exe [274944 2015-01-27] (Company name goes here) [File not signed]
R2 WANMiniportService; C:\WINDOWS\wanmpsvc.exe [65536 2001-11-26] (America Online, Inc.) [File not signed]
S3 FUDWTHMPRWIE; C:\DOCUME~1\.....~1\LOCALS~1\Temp\FUDWTHMPRWIE.exe [X]
S2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [X]
R2 WUSB54GSVC; "C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" [X]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 bvrp_pci; C:\WINDOWS\system32\Drivers\bvrp_pci.sys [4272 2003-08-28] ()
R0 fsbts; C:\WINDOWS\System32\Drivers\fsbts.sys [44240 2015-01-15] ()
R3 GTNDIS5; C:\WINDOWS\system32\GTNDIS5.SYS [15872 2003-09-25] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2002-11-08] (Dell Computer Corporation) [File not signed]
S3 PRISM_A02; C:\WINDOWS\System32\DRIVERS\WUSB20XP.sys [339488 2004-01-07] (Cisco-Linksys, LLC.)
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20576 2005-10-07] (Sonic Solutions) [File not signed]
R3 senfilt; C:\WINDOWS\System32\drivers\senfilt.sys [381056 2004-04-26] (Sensaura)
S3 SONYPVU1; C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R3 wanatw; C:\WINDOWS\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
R3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [120830 2003-10-08] (Intel Corporation)
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [98842 2003-10-08] (Intel Corporation)
S3 BS815694720; \??\C:\DOCUME~1\.....~1\LOCALS~1\Temp\NTFS.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 SDDMI2; \??\C:\WINDOWS\system32\DDMI2.sys [X]
U1 WS2IFSL; No ImagePath
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Extension: Bitdefender QuickScan - C:\Documents and Settings\.....\Application Data\Mozilla\Firefox\Profiles\xdytazvi.default-1421465156296\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2015-01-27]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-10-22]
========================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46184 2014-02-06] (AOL Inc.)
R2 Brother XP spl Service; C:\WINDOWS\system32\brsvc01a.exe [57344 2001-11-22] (brother Industries Ltd)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2004-03-04] (Lexmark International, Inc.) [File not signed]
S3 SystemUpdate; C:\WINDOWS\FrameworkUpdate\Update.exe [274944 2015-01-27] (Company name goes here) [File not signed]
R2 WANMiniportService; C:\WINDOWS\wanmpsvc.exe [65536 2001-11-26] (America Online, Inc.) [File not signed]
S3 FUDWTHMPRWIE; C:\DOCUME~1\.....~1\LOCALS~1\Temp\FUDWTHMPRWIE.exe [X]
S2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [X]
R2 WUSB54GSVC; "C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" [X]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 bvrp_pci; C:\WINDOWS\system32\Drivers\bvrp_pci.sys [4272 2003-08-28] ()
R0 fsbts; C:\WINDOWS\System32\Drivers\fsbts.sys [44240 2015-01-15] ()
R3 GTNDIS5; C:\WINDOWS\system32\GTNDIS5.SYS [15872 2003-09-25] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2002-11-08] (Dell Computer Corporation) [File not signed]
S3 PRISM_A02; C:\WINDOWS\System32\DRIVERS\WUSB20XP.sys [339488 2004-01-07] (Cisco-Linksys, LLC.)
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20576 2005-10-07] (Sonic Solutions) [File not signed]
R3 senfilt; C:\WINDOWS\System32\drivers\senfilt.sys [381056 2004-04-26] (Sensaura)
S3 SONYPVU1; C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R3 wanatw; C:\WINDOWS\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
R3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [120830 2003-10-08] (Intel Corporation)
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [98842 2003-10-08] (Intel Corporation)
S3 BS815694720; \??\C:\DOCUME~1\.....~1\LOCALS~1\Temp\NTFS.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 SDDMI2; \??\C:\WINDOWS\system32\DDMI2.sys [X]
U1 WS2IFSL; No ImagePath
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)