
remove bitcryptor ransom virus and decrypt locked files

Discussion in 'Virus & Other Malware Removal' started by ontheroad343, May 19, 2015.

Thread Status:
Not open for further replies.
  1. ontheroad343

    ontheroad343 Thread Starter

    Joined:
    May 19, 2015
    Messages:
    9
    My computer has been infected with Bitcryptor ransom virus and it is asking for Bitcoin payments to unlock/decrypt my files.

    The last thing I downloaded was a jpg from a client email through Outlook 2013 and left my computer up all night. Now all of my files are encrypted and cannot be opened.

    Please help me get rid of this virus/trojan (without formatting the system) and if possible any help in recovering some of the text/excel files.

    All of my important data was on D drive and in OneDrive/Dropbox, so I can restore the previous versions from there, but some other stuff was not stored in cloud storage, hence I would like some help in decrypting these files.

    I have restarted the PC since then in Safe Mode and am typing this message from another computer.

     
    Last edited: May 20, 2015
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi and welcome :)

    Unfortunately, we are still unable to reverse the damage done by this virus. All your files, on all drives, may be encrypted, and there is no easy way to decrypt these files.

    Let's identify the ransomware first.

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The tool will also produce another log (Addition.txt). Please attach this to your reply.
     
  3. ontheroad343

    ontheroad343 Thread Starter

    Joined:
    May 19, 2015
    Messages:
    9
    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-05-2015
    Ran by Jayant (administrator) on JAYANT-PC on 20-05-2015 21:38:32
    Running from C:\Users\Jayant\Downloads
    Loaded Profiles: Jayant (Available profiles: Jayant)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser not detected!)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (AMD) C:\Windows\System32\atiesrxx.exe
    (Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
    (Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
    (AMD) C:\Windows\System32\atieclxx.exe
    (Microsoft Corporation) C:\Windows\System32\wlanext.exe
    (FontExplorer X) C:\Program Files (x86)\FontExplorer X\FontExplorer X Pro\FontManagementServices.exe
    (Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieCtrl.exe
    (Flux Software LLC) C:\Users\Jayant\AppData\Local\FluxSoftware\Flux\flux.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Dropbox, Inc.) C:\Users\Jayant\AppData\Roaming\Dropbox\bin\Dropbox.exe
    (Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
    (Nero AG) C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
    () C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    (Realtek Semiconductor Corp.) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RtlService.exe
    () C:\Windows\runSW.exe
    (Realtek Semiconductor Corp.) C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RtWLan.exe
    (Realtek) C:\Windows\SwUSB.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
    () C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    () C:\Program Files\MBlaze UI\bin\MonServiceUDisk.exe
    (Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
    (Wacom Technology) C:\Program Files\Tablet\Pen\WacomHost.exe
    (Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
    (Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
    (www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
    (Microsoft Corporation) C:\Users\Jayant\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE
    () C:\Users\Jayant\AppData\Local\Viber\Viber.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
    HKLM\...\RunOnce: [520_16526101549542] => C:\Users\Jayant\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp_r.bat [365 2015-05-20] ()
    HKU\S-1-5-21-79387585-851534780-2583910997-1000\...\Run: [AdobeBridge] => [X]
    HKU\S-1-5-21-79387585-851534780-2583910997-1000\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie\SbieCtrl.exe [759496 2014-01-18] (Sandboxie Holdings, LLC)
    HKU\S-1-5-21-79387585-851534780-2583910997-1000\...\Run: [Google Update] => C:\Users\Jayant\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-11-13] (Google Inc.)
    HKU\S-1-5-21-79387585-851534780-2583910997-1000\...\Run: [f.lux] => C:\Users\Jayant\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
    HKU\S-1-5-21-79387585-851534780-2583910997-1000\...\Run: [GoogleChromeAutoLaunch_26F3EBEF600DB5312D01C4E4C2F9978C] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [812872 2015-05-05] (Google Inc.)
    HKU\S-1-5-21-79387585-851534780-2583910997-1000\...\Run: [OneDrive] => C:\Users\Jayant\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-14] (Microsoft Corporation)
    HKU\S-1-5-21-79387585-851534780-2583910997-1000\...\RunOnce: [Uninstall C:\Users\Jayant\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811_1\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Jayant\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811_1\amd64"
    HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-04-30] (Microsoft Corporation)
    Startup: C:\Users\Jayant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2014-12-12]
    ShortcutTarget: Dropbox.lnk -> C:\Users\Jayant\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Jayant\AppData\Local\Microsoft\OneDrive\17.3.5849.0427\amd64\FileSyncShell64.dll [2015-05-14] (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Jayant\AppData\Local\Microsoft\OneDrive\17.3.5849.0427\amd64\FileSyncShell64.dll [2015-05-14] (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Jayant\AppData\Local\Microsoft\OneDrive\17.3.5849.0427\amd64\FileSyncShell64.dll [2015-05-14] (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jayant\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jayant\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jayant\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jayant\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-02-11] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Jayant\AppData\Local\Microsoft\OneDrive\17.3.5849.0427\FileSyncShell.dll [2015-05-14] (Microsoft Corporation)
    ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Jayant\AppData\Local\Microsoft\OneDrive\17.3.5849.0427\FileSyncShell.dll [2015-05-14] (Microsoft Corporation)
    ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Jayant\AppData\Local\Microsoft\OneDrive\17.3.5849.0427\FileSyncShell.dll [2015-05-14] (Microsoft Corporation)
    ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jayant\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-11] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jayant\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-11] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jayant\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-11] (Dropbox, Inc.)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...tp://go.microsoft.com/fwlink/p/?LinkId=255141
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...tp://go.microsoft.com/fwlink/p/?LinkId=255141
    HKU\S-1-5-21-79387585-851534780-2583910997-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://in.msn.com/?rd=1&ucc=IN&dcc=IN&opt=0&ocid=iehp
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2014-05-21] (Microsoft Corporation)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
    BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2014-05-14] (Microsoft Corporation)
    BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2014-05-21] (Microsoft Corporation)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-02-14] (Oracle Corporation)
    BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-22] (Microsoft Corporation)
    BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2014-05-14] (Microsoft Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-14] (Oracle Corporation)
    Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2014-03-12] (Microsoft Corporation)
    Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Users\Jayant\AppData\Roaming\Mozilla\Firefox\Profiles\r1rv7bla.default
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_169.dll [2015-04-15] ()
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
    FF Plugin: @wacom.com/wtPlugin,version=2.1.0.2 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2012-05-24] (Wacom)
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-15] ()
    FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2014-11-18] (Foxit Corporation)
    FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2013-10-08] (Google)
    FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-14] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-14] (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-10-17] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-22] (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
    FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.2 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2012-05-23] (Wacom)
    FF Plugin HKU\S-1-5-21-79387585-851534780-2583910997-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\Jayant\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
    FF Plugin HKU\S-1-5-21-79387585-851534780-2583910997-1000: @talk.google.com/O1DPlugin -> C:\Users\Jayant\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
    FF Plugin HKU\S-1-5-21-79387585-851534780-2583910997-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Jayant\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
    FF Plugin HKU\S-1-5-21-79387585-851534780-2583910997-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Jayant\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
    FF Plugin HKU\S-1-5-21-79387585-851534780-2583910997-1000: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2012-05-24] (Wacom)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-10-17] (Microsoft Corporation)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2013-12-30] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2013-12-30] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2013-12-30] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2013-12-30] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2013-12-30] (Apple Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Users\Jayant\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
    FF Plugin ProgramFiles/Appdata: C:\Users\Jayant\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-04-17] (Google)
    FF Extension: Firebug - C:\Users\Jayant\AppData\Roaming\Mozilla\Firefox\Profiles\r1rv7bla.default\Extensions\[email protected] [2013-06-27]

    Chrome:
    =======
    CHR HomePage: Profile 1 -> about:blank
    CHR StartupUrls: Profile 1 -> "hxxp://www.performancemma.com/", "hxxp://stores.ebay.com/online-led-store", "hxxp://www.ebay.com/itm/3W-LED-Tow-Truck-Utility-Service-Security-Vehicle-Deck-Warning-Light-Head-Amber-/111442440510?pt=Motors_Car_Truck_Parts_Accessories", "https://detroitwheelandtire.com/", "file:///D:/folder-x/detroit-wheels/concept.html", "https://www.google.com/search?q=create+metallic+effects+in+photoshop&safe=off&rlz=1C1KMZB_enIN523IN523&es_sm=93&source=lnms&tbm=isch&sa=X&ei=jUYAVIeYGpHGggSp1IK4Bg&ved=0CAkQ_AUoAg&biw=1600&bih=771", "hxxp://wegraphics.net/blog/tutorials/photoshop-quick-tip-ultra-glossy-text-effect/"
    CHR DefaultSuggestURL: Profile 1 -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
    CHR Profile: C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Default
    CHR Profile: C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1
    CHR Extension: (Entanglement Web App) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aciahcmjmecflokailenpkdchphgkefd [2014-08-28]
    CHR Extension: (Awesome Screenshot: Screen capture, Annotate) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\alelhddbbhepgpmgidjdcjakblofbmce [2014-08-28]
    CHR Extension: (app.telemetry Page Speed Monitor) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\anlomjepbdgcgkebglgfpkinmdjgelhd [2014-09-14]
    CHR Extension: (eRail.in) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aopfgjfeiimeioiajeknfidlljpoebgc [2014-08-28]
    CHR Extension: (YouTube) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-28]
    CHR Extension: (Adblock Plus) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-08-28]
    CHR Extension: (Google Search) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-28]
    CHR Extension: (Gmail Offline) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimk [2014-08-28]
    CHR Extension: (ZenMate Security, Privacy & Unblock VPN) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fdcgdnkidjaadafnichfpabhfomcebme [2014-08-28]
    CHR Extension: (Chrome Notepad) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ffbhefmlcoihbjcmibbfkocmnaiacinp [2014-08-28]
    CHR Extension: (HTTPS Everywhere) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2014-08-28]
    CHR Extension: (Quick Javascript Switcher) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\geddoclleiomckbhadiaipdggiiccfje [2014-08-28]
    CHR Extension: (Muzli - Design Breakfast) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\glcipcfhmopcgidicgdociohdoicpdfc [2014-09-15]
    CHR Extension: (Bookmark Manager) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-01-25]
    CHR Extension: (New Tab Redirect) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna [2014-08-28]
    CHR Extension: (Reddit Enhancement Suite) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2014-08-28]
    CHR Extension: (StumbleUpon) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\kcahibnffhnnjcedflmchmokndkjnhpg [2014-08-28]
    CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-18]
    CHR Extension: (Harmony) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mbbibdblnnlapclckbdennhlbcnkkgcn [2014-08-28]
    CHR Extension: (Poppit!) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-08-28]
    CHR Extension: (Quick Note) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mijlebbfndhelmdpmllgcfadlkankhok [2014-08-28]
    CHR Extension: (Ghostery) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2014-08-28]
    CHR Extension: (Google Wallet) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-20]
    CHR Extension: (ColorPick Eyedropper) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ohcpnigalekghcmgcdcenkpelffpdolg [2014-11-30]
    CHR Extension: (Gmail) - C:\Users\Jayant\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-28]

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 fexservice; C:\Program Files (x86)\FontExplorer X\FontExplorer X Pro\FontManagementServices.exe [56632 2014-03-31] (FontExplorer X)
    R2 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [244392 2015-05-11] (Foxit Software Inc.)
    R2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2014-06-27] (Nero AG)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
    R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2009-05-14] (Hewlett-Packard) [File not signed]
    R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
    R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2009-05-14] (Hewlett-Packard) [File not signed]
    R2 Realtek8723AU; C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RtlService.exe [36864 2012-05-10] (Realtek Semiconductor Corp.) [File not signed]
    R2 RunSwUSB; C:\Windows\runSW.exe [44104 2013-05-14] ()
    R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [187592 2014-01-18] (Sandboxie Holdings, LLC)
    R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
    S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
    R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
    R2 UDisk Monitor; C:\Program Files\MBlaze UI\bin\MonServiceUDisk.exe [405504 2013-05-10] () [File not signed]
    S3 wampapache; D:\wamp\bin\apache\apache2.4.4\bin\httpd.exe [24576 2013-06-23] (Apache Software Foundation) [File not signed]
    S3 wampmysqld; D:\wamp\bin\mysql\mysql5.6.12\bin\mysqld.exe [12867584 2013-06-23] () [File not signed]
    R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
    R2 WTabletServiceCon; C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [619904 2012-12-11] (Wacom Technology, Corp.)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S3 Generalusbserialser20679; C:\Windows\System32\DRIVERS\CT_U_USBSER.sys [124160 2013-03-22] (Incorporated)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
    S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [19032 2013-07-01] ()
    S3 pwdspio; C:\Windows\system32\pwdspio.sys [12384 2013-07-01] ()
    R3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [2350152 2013-05-07] (Realtek Semiconductor Corporation )
    R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [202600 2014-01-18] (Sandboxie Holdings, LLC)
    S3 wovad_micarray; C:\Windows\System32\drivers\womic.sys [59344 2013-11-23] (Windows (R) Win 7 DDK provider)
    S1 BAPIDRV; system32\DRIVERS\BAPIDRV64.sys [X]
    R3 efavdrv; \??\C:\Windows\system32\drivers\efavdrv.sys [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-05-20 21:38 - 2015-05-20 21:39 - 00024847 _____ () C:\Users\Jayant\Downloads\FRST.txt
    2015-05-20 21:38 - 2015-05-20 21:38 - 00000000 ____D () C:\FRST
    2015-05-20 21:37 - 2015-05-20 21:38 - 02107904 _____ (Farbar) C:\Users\Jayant\Downloads\FRST64.exe
    2015-05-20 18:56 - 2015-05-20 18:56 - 00003260 _____ () C:\Windows\System32\Tasks\ParetoLogic Update Version3
    2015-05-20 18:56 - 2015-05-20 18:56 - 00003136 _____ () C:\Windows\System32\Tasks\ParetoLogic Registration3
    2015-05-20 18:56 - 2015-05-20 18:56 - 00002924 _____ () C:\Windows\System32\Tasks\ParetoLogic Update Version3 Startup Task
    2015-05-20 18:56 - 2015-05-20 18:56 - 00001257 _____ () C:\Users\Jayant\Desktop\Data Recovery Pro.lnk
    2015-05-20 18:56 - 2015-05-20 18:56 - 00000496 _____ () C:\Windows\Tasks\ParetoLogic Update Version3 Startup Task.job
    2015-05-20 18:56 - 2015-05-20 18:56 - 00000470 _____ () C:\Windows\Tasks\ParetoLogic Registration3.job
    2015-05-20 18:56 - 2015-05-20 18:56 - 00000444 _____ () C:\Windows\Tasks\ParetoLogic Update Version3.job
    2015-05-20 18:56 - 2015-05-20 18:56 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ParetoLogic
    2015-05-20 18:56 - 2015-05-20 18:56 - 00000000 ____D () C:\ProgramData\ParetoLogic
    2015-05-20 18:56 - 2015-05-20 18:56 - 00000000 ____D () C:\Program Files (x86)\ParetoLogic
    2015-05-20 18:56 - 2015-05-20 18:56 - 00000000 _____ () C:\FileRecovery.log
    2015-05-20 18:54 - 2015-05-20 18:55 - 02936752 _____ (ParetoLogic) C:\Users\Jayant\Downloads\Pareto_DR_Setup_RW.exe
    2015-05-20 15:51 - 2015-05-20 16:11 - 00000000 ____D () C:\Users\Jayant\AppData\Local\LogMeIn Rescue Applet
    2015-05-20 14:55 - 2015-05-20 14:55 - 00000000 ____D () C:\Users\Jayant\pip
    2015-05-20 14:16 - 2015-05-20 18:36 - 00000000 ____D () C:\Program Files (x86)\Stellar Phoenix Windows Data Recovery
    2015-05-20 13:40 - 2015-05-20 13:40 - 00000000 ____D () C:\Log
    2015-05-20 13:25 - 2015-05-20 15:48 - 00000000 ____D () C:\ProgramData\TEMP
    2015-05-20 13:15 - 2015-05-20 13:15 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\www.shadowexplorer.com
    2015-05-20 13:15 - 2015-05-20 13:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
    2015-05-20 13:15 - 2015-05-20 13:15 - 00000000 ____D () C:\Program Files (x86)\ShadowExplorer
    2015-05-20 11:54 - 2015-05-20 11:54 - 00000000 ____D () C:\ProgramData\ESET
    2015-05-20 10:59 - 2015-05-20 10:59 - 00000000 _____ () C:\autoexec.bat
    2015-05-20 10:13 - 2015-05-20 11:47 - 00002620 _____ () C:\Windows\runSW.log
    2015-05-20 01:31 - 2015-05-20 11:47 - 00000224 _____ () C:\Windows\setupact.log
    2015-05-20 01:31 - 2015-05-20 01:31 - 00000000 _____ () C:\Windows\setuperr.log
    2015-05-19 18:03 - 2015-05-19 18:04 - 10260552 _____ () C:\Windows\system32\FNTCACHE.DAT
    2015-05-19 15:59 - 2015-05-20 19:03 - 00025668 _____ () C:\Windows\WindowsUpdate.log
    2015-05-19 15:59 - 2015-05-19 15:59 - 00170384 _____ () C:\Users\Jayant\AppData\Local\GDIPFONTCACHEV1.DAT
    2015-05-17 02:08 - 2015-05-17 02:08 - 00076304 _____ () C:\Users\Jayant\Downloads\Life in India in The 19th Century (21).jpeg
    2015-05-16 20:45 - 2015-05-16 20:45 - 00000872 _____ () C:\Users\Jayant\Downloads\token-Led-Supplies.txt
    2015-05-16 12:05 - 2015-05-16 12:06 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
    2015-05-14 18:52 - 2015-05-14 18:52 - 00000000 ____D () C:\Users\Jayant\Desktop\Renault
    2015-05-05 12:51 - 2015-05-05 12:51 - 00002124 _____ () C:\Users\Public\Desktop\REALTEK USB Wireless LAN Utility.lnk
    2015-05-05 12:51 - 2015-05-05 12:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\REALTEK USB Wireless LAN Utility
    2015-05-05 12:51 - 2015-05-05 12:51 - 00000000 ____D () C:\Program Files (x86)\Cisco
    2015-05-05 12:50 - 2015-05-05 12:50 - 00000000 ____D () C:\Program Files (x86)\REALTEK
    2015-05-05 12:50 - 2013-05-14 13:24 - 00445512 _____ (Realtek) C:\Windows\SwUSB.exe
    2015-05-05 12:50 - 2013-05-14 13:24 - 00044104 _____ () C:\Windows\runSW.exe
    2015-05-05 12:50 - 2013-05-07 14:43 - 02350152 _____ (Realtek Semiconductor Corporation ) C:\Windows\system32\Drivers\rtwlanu.sys
    2015-05-05 12:50 - 2012-02-14 19:37 - 00594432 _____ (Realtek Semiconductor Corp. ) C:\Windows\system32\Rtlihvs.dll
    2015-05-05 12:50 - 2010-12-01 09:31 - 00451072 _____ () C:\Windows\SysWOW64\ISSRemoveSP.exe
    2015-05-05 12:50 - 2009-03-31 14:31 - 00380928 _____ (Realtek) C:\Windows\RtlUI2.exe
    2015-05-05 12:50 - 2009-01-05 20:31 - 00000901 _____ () C:\Windows\RtlUI2.exe.manifest
    2015-05-05 12:50 - 2008-07-01 12:31 - 00614400 _____ (Realtek Semiconductor Corp. ) C:\Windows\SysWOW64\Rtlihvs.dll
    2015-05-05 12:50 - 2007-04-26 14:05 - 00100000 _____ () C:\Windows\SysWOW64\EAPPkt9x.VXD
    2015-05-05 12:50 - 2001-09-26 11:03 - 00012981 _____ () C:\Windows\SysWOW64\REALPKT.VXD
    2015-05-05 10:37 - 2015-05-07 11:24 - 00000000 ____D () C:\Users\Jayant\Downloads\Vistaprint_Business_Cards
    2015-05-01 23:46 - 2015-05-19 04:45 - 00015409 _____ () C:\Users\Jayant\Desktop\macros.xlsx

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-05-20 21:36 - 2013-02-14 22:55 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-05-20 21:24 - 2013-07-26 21:22 - 00004966 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for Jayant-PC-Jayant Jayant-PC
    2015-05-20 21:05 - 2013-02-14 22:54 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-05-20 20:51 - 2013-11-13 19:57 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-79387585-851534780-2583910997-1000UA.job
    2015-05-20 16:36 - 2013-02-14 22:55 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-05-20 16:11 - 2013-12-15 22:52 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\ViberPC
    2015-05-20 16:11 - 2013-12-15 22:50 - 00000000 ____D () C:\Users\Jayant\AppData\Local\Viber
    2015-05-20 14:55 - 2014-11-25 17:56 - 00000000 ____D () C:\Python34
    2015-05-20 14:55 - 2013-02-14 20:09 - 00000000 ____D () C:\Users\Jayant
    2015-05-20 14:17 - 2013-02-16 00:13 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\uTorrent
    2015-05-20 13:10 - 2009-07-14 10:15 - 00017360 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-05-20 13:10 - 2009-07-14 10:15 - 00017360 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-05-20 13:08 - 2013-02-16 01:21 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\vlc
    2015-05-20 12:31 - 2015-01-01 16:07 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2015-05-20 12:30 - 2015-01-01 16:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2015-05-20 12:30 - 2015-01-01 16:07 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
    2015-05-20 11:52 - 2009-07-14 10:43 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
    2015-05-20 11:49 - 2013-10-11 11:01 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\Dropbox
    2015-05-20 11:49 - 2013-07-04 08:37 - 00000000 ____D () C:\Users\Jayant\AppData\Local\HTC MediaHub
    2015-05-20 11:47 - 2009-07-14 10:38 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-05-19 14:02 - 2015-04-05 16:37 - 00000000 ____D () C:\Users\Jayant\AppData\Local\CrashDumps
    2015-05-19 14:02 - 2013-06-26 19:05 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\TeamViewer
    2015-05-19 10:28 - 2013-02-15 00:10 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\Skype
    2015-05-19 04:51 - 2013-11-13 19:57 - 00000860 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-79387585-851534780-2583910997-1000Core.job
    2015-05-19 04:45 - 2015-02-11 15:05 - 00000165 ____H () C:\Users\Jayant\Desktop\~$e.xlsx
    2015-05-19 04:45 - 2014-12-18 11:43 - 00000165 ____H () C:\Users\Jayant\Desktop\~$expenses.xlsx
    2015-05-17 16:31 - 2013-02-14 22:55 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
    2015-05-17 16:31 - 2013-02-14 22:55 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
    2015-05-16 12:06 - 2013-05-17 10:05 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
    2015-05-16 08:19 - 2015-01-23 18:58 - 00000000 ____D () C:\Users\Jayant\Downloads\images
    2015-05-16 04:46 - 2013-11-13 19:57 - 00003884 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-79387585-851534780-2583910997-1000UA
    2015-05-16 04:46 - 2013-11-13 19:57 - 00003488 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-79387585-851534780-2583910997-1000Core
    2015-05-15 08:35 - 2013-05-27 07:41 - 00001456 _____ () C:\Users\Jayant\AppData\Local\Adobe Save for Web 13.0 Prefs
    2015-05-15 06:59 - 2013-05-17 16:30 - 00001514 _____ () C:\Windows\Sandboxie.ini
    2015-05-15 00:20 - 2013-09-26 15:57 - 00000000 ____D () C:\Users\Jayant\Downloads\files
    2015-05-14 19:02 - 2014-02-20 19:20 - 00002156 _____ () C:\Users\Jayant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk
    2015-05-08 14:10 - 2013-10-11 11:02 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
    2015-05-05 12:50 - 2013-05-18 10:49 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
    2015-05-04 14:30 - 2013-02-15 00:10 - 00000000 ____D () C:\ProgramData\Skype
    2015-04-30 10:07 - 2013-02-14 21:08 - 140425016 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
    2015-04-28 16:38 - 2014-05-04 19:09 - 00000000 ____D () C:\Windows\Minidump
    2015-04-28 16:38 - 2013-10-14 12:46 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\inkscape
    2015-04-28 16:38 - 2013-05-25 00:34 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\FileZilla
    2015-04-21 04:46 - 2013-02-15 00:14 - 00000000 ____D () C:\Users\Jayant\AppData\Roaming\Mozilla
    2015-04-20 15:33 - 2013-02-15 00:10 - 00000000 ____D () C:\Program Files (x86)\TeamViewer

    ==================== Files in the root of some directories =======

    2014-11-27 12:27 - 2014-11-27 12:27 - 0000132 _____ () C:\Users\Jayant\AppData\Roaming\Adobe IllExport Filter CS6 Prefs
    2015-01-01 15:22 - 2015-01-01 15:22 - 0000043 _____ () C:\Users\Jayant\AppData\Roaming\WB.CFG
    2013-05-27 07:41 - 2015-05-15 08:35 - 0001456 _____ () C:\Users\Jayant\AppData\Local\Adobe Save for Web 13.0 Prefs
    2014-09-05 15:31 - 2015-04-08 10:50 - 0000600 _____ () C:\Users\Jayant\AppData\Local\PUTTY.RND
    2015-02-12 21:24 - 2015-02-12 21:24 - 0000764 _____ () C:\Users\Jayant\AppData\Local\recently-used.xbel
    2013-06-09 12:57 - 2013-06-09 13:01 - 0000356 _____ () C:\ProgramData\hpzinstall.log
    2013-02-16 12:04 - 2010-11-20 17:47 - 85598208 ___SH (Miva Merchant) C:\ProgramData\mseurs.exe

    Files to move or delete:
    ====================
    C:\ProgramData\mseurs.exe


    Some content of TEMP:
    ====================
    C:\Users\Jayant\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpvn1joh.dll
    C:\Users\Jayant\AppData\Local\Temp\KB327374213.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-05-14 14:49

    ==================== End Of Log ============================
     

  4. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    You seem to have tried some cleaning, such as Shadow Explorer. If it is in fact Bitcryptor, the infection is fairly new. Our experts are already on it, but at this time no decryption is available. Your computer, however, shows signs of problems on the disk. You should perform CHKDSK in the Recovery Environment as follows:

    Enter the System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    • Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
      To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

      To enter System Recovery Options by using a Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    • On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt

      Once in the Command Prompt:

    • Type in the following and press Enter.

      bcdedit | find "osdevice"

    • Note the osdevice partition letter, then type:

      CHKDSK X: /R

    • Where X is the osdevice letter, and press Enter
    • The tool will start to run.

    Once finished, type exit and press Enter, then restart the computer.

    Let us know if that helps in the performance.
     
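    The two commands above wrapped in a small batch script that reads the osdevice letter from bcdedit and hands it to chkdsk. This is an added example, not code from the thread or from Microsoft; it assumes the Windows 7 Recovery Environment command prompt (where bcdedit and chkdsk are available) and it skips the recovery environment's own "ramdisk" entry, which the manual step leaves to the reader to ignore.

```batch
@echo off
rem Added example (not from the thread): run CHKDSK /R on the Windows volume
rem from the System Recovery Options command prompt, reading the drive letter
rem from the BCD store instead of assuming C:. In the recovery environment the
rem OS volume is often lettered differently (for example D:), which is why the
rem thread's instructions look it up with bcdedit first.
setlocal
set "OSDEV="

rem bcdedit prints lines such as:   osdevice   partition=C:
rem Splitting on "=" makes the drive letter the second token. The recovery
rem environment's own boot entry prints "osdevice   ramdisk=[...]", so the
rem match is restricted to partition entries. The first match wins.
for /f "tokens=2 delims==" %%a in ('bcdedit ^| find "osdevice" ^| find "partition="') do (
    if not defined OSDEV set "OSDEV=%%a"
)

if not defined OSDEV (
    echo Could not find an "osdevice partition=" entry in the BCD store.
    echo Run bcdedit by hand and read the osdevice line yourself.
    exit /b 1
)

echo Windows volume in this environment: %OSDEV%
rem /R locates bad sectors and recovers readable information; it implies /F.
rem This can take a long time on a large or failing disk.
chkdsk %OSDEV% /R
endlocal
```

Save it to a USB stick as a .bat file and run it from the recovery command prompt; the script only replaces the two manual steps, so the rest of the procedure (entering System Recovery Options, typing exit and restarting afterwards) is unchanged.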
  5. ontheroad343

    ontheroad343 Thread Starter

    Joined:
    May 19, 2015
    Messages:
    9
    I did exactly as you said. Don't see any improvements. How did you find there were issues?

    Also, what about the virus? Am I clear of all its traces? You didn't mention anything about it. I only downloaded and installed Shadow Explorer to see if I can recover some of the files (but no luck).

    Yes, it is in fact BitCryptor (see attachment). Do you think a solution will be ready in the next year or so? I don't want to delete those encrypted files as a lot of official and personal photos, PDF and text documents are there which are very important. Hope you guys can find a way to decrypt this quickly.
     

  6. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    On the additional report:

    The best defensive strategy is a comprehensive approach: make sure you are running an updated anti-virus and anti-malware product, use supplemental security tools capable of stopping (preventing) infection before it can cause any damage, update all vulnerable software and routinely back up your data.

    Ransomware Prevention Tools:

    Backing up your data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

    The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data every day on a regular basis. The only reliable way to effectively protect your data and limit the loss with this type of infection is user education and an effective backup strategy. A backup strategy is not only effective against ransomware and other harmful malware but also helps with catastrophic scenarios like hard disk failure, power failure and power surges which can damage internal hardware components. In some cases, the system can be rendered unbootable and you may not have access to the computer to back up any data. A computer's hard drive will not last forever; at some point it's going to fail and eventually need replacing. Hard disk failure can occur suddenly without warning, or it could occur gradually due to failing areas of the disc requiring repeated read attempts before successful access, or as a result of bad clusters accumulating over time to the point the drive becomes unusable.

    Note: US-CERT advises crypto malware has the ability to target, find and encrypt files located within shared (or mapped) network drives, USB drives, external hard drives, network file shares and even some cloud storage drives if they have a drive letter. In most cases, if you're using a cloud backup that provides strong encryption, includes versioning and does not utilize a drive letter (cloud backups typically do not use those), then you should be safe from crypto ransomware as you can back up to the date prior to the infection.

    From time to time we receive information about the progress made. Since there are two keys, one sold by the hacker, it is difficult to decrypt these files. You must keep up, perhaps by joining us, or BleepingComputer, on Facebook.

    Take a look at these links:

    http://www.bleepingcomputer.com/for...the-wild-from-the-same-creators-as-coinvault/
    http://www.bleepingcomputer.com/forums/t/575944/infected-with-bit-cryptor-virus/
     
    Last edited: May 20, 2015
  7. ontheroad343

    ontheroad343 Thread Starter

    Joined:
    May 19, 2015
    Messages:
    9
    Thank you for your help. Can you please check my current setup.

    I have purchased ESET Smart Security. Also installed CryptoMonitor.

    Do you think I still need to install HitmanPro Alert and CryptoPrevent? Is there any issue if I keep them installed? Will they cause conflict?

    After your reply we can mark thread as solved.
     
  8. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    CryptoMonitor is enough. We can't just overprotect the computer, as it will become slow. ESET is a very good antivirus program. Just keep good practices while on the Internet.

    For information and guidelines to follow to prevent future infections you can read this article by Miekiemoes.

    Best wishes!
     
Short URL to this thread: https://techguy.org/1148480