
[Solved] CTB-Locker removal help please

Discussion in 'Malware Removal Help' started by Tony D, May 10, 2015.

  1. Tony D (Administrator)

    Joined: Sep 25, 2009
    Messages: 5,062
    Location: SE Pennsylvania, USA
    Operating System: Windows XP Professional
    As I mentioned in another thread, I got hit with CTB-Locker. Still don't know how that happened. Would like to ensure that it's out of here. I do see remnants in the logs. Thank you very much.

    Malwarebytes Anti-Malware
    www.malwarebytes.org
    Scan Date: 5/10/2015
    Scan Time: 8:47:52 AM
    Logfile: MBAM log.txt
    Administrator: Yes
    Version: 2.01.6.1022
    Malware Database: v2015.05.10.03
    Rootkit Database: v2015.04.21.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: Owner
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 352642
    Time Elapsed: 18 min, 19 sec
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled
    Processes: 0
    (No malicious items detected)
    Modules: 0
    (No malicious items detected)
    Registry Keys: 1
    PUP.Optional.ArcadeSafari.A, HKU\S-1-5-21-10949600-3899849448-452949263-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Arcadesafari, Quarantined, [6e8d652cf199af87186f02b962a1fe02],
    Registry Values: 3
    Trojan.FakeVer.ED, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|1232336207, C:\ProgramData\msrtpwvm.exe, Quarantined, [dc1f9df445457eb8176ad97d4eb410f0]
    Trojan.FakeVer.ED, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|1232336207, C:\ProgramData\msrtpwvm.exe, Quarantined, [dc1f9df445457eb8176ad97d4eb410f0]
    Trojan.FakeMS.ED, HKU\S-1-5-21-10949600-3899849448-452949263-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|ODBC, C:\Users\Owner\AppData\Roaming\iedfbgir\ttbsgufh.exe, Quarantined, [986349488ffb74c23df3104603ff42be]
    Registry Data: 1
    PUM.Hijack.StartMenu, HKU\S-1-5-21-10949600-3899849448-452949263-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|Start_ShowSearch, 0, Good: (1), Bad: (0),Replaced,[0eed58391278a0966b55957e28de22de]
    Folders: 1
    PUP.Optional.ArcadeSafari.A, C:\Users\Owner\AppData\Local\Arcadesafari, Quarantined, [6e8d652cf199af87186f02b962a1fe02],
    Files: 10
    Trojan.FakeVer.ED, C:\ProgramData\msrtpwvm.exe, Quarantined, [dc1f9df445457eb8176ad97d4eb410f0],
    Trojan.FakeMS.ED, C:\Users\Owner\AppData\Roaming\iedfbgir\ttbsgufh.exe, Delete-on-Reboot, [986349488ffb74c23df3104603ff42be],
    PUP.Optional.WeCare.A, C:\Windows\Installer\264632c7.msi, Quarantined, [38c3375a672353e3f33eb17002fe629e],
    CTBLocker.Trace, C:\Users\Owner\Documents\!Decrypt-All-Files-zxyqgwd.bmp, Quarantined, [04f7e3ae6327cd693b2b065f13f219e7],
    PUP.Optional.ArcadeSafari.A, C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariGames.exe, Quarantined, [6e8d652cf199af87186f02b962a1fe02],
    PUP.Optional.ArcadeSafari.A, C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariLinkz.dll, Quarantined, [6e8d652cf199af87186f02b962a1fe02],
    PUP.Optional.ArcadeSafari.A, C:\Users\Owner\AppData\Local\Arcadesafari\ArcadeSafariPE.dll, Quarantined, [6e8d652cf199af87186f02b962a1fe02],
    PUP.Optional.ArcadeSafari.A, C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariUninstall.exe, Quarantined, [6e8d652cf199af87186f02b962a1fe02],
    PUP.Optional.ArcadeSafari.A, C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe, Quarantined, [6e8d652cf199af87186f02b962a1fe02],
    PUP.Optional.ArcadeSafari.A, C:\Users\Owner\AppData\Local\Arcadesafari\preference.dat, Quarantined, [6e8d652cf199af87186f02b962a1fe02],
    Physical Sectors: 0
    (No malicious items detected)
    (end)
    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-05-2015
    Ran by Owner (administrator) on OWNER-PC on 10-05-2015 09:20:24
    Running from C:\Users\Owner\Desktop
    Loaded Profiles: Owner (Available profiles: Owner)
    Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
    ==================== Processes (Whitelisted) =================
    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
    (Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
    (Корпорация Майкрософт) C:\Users\Owner\AppData\Local\Temp\jaflpga.exe
    (Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\BBSvc.EXE
    (Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\ccsvchst.exe
    (Symantec Corporation) C:\Program Files (x86)\PC Checkup\SymcPCCULaunchSvc.exe
    (Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
    () C:\Windows\System32\rpcnetp.exe
    (Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\ccsvchst.exe
    (www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
    (TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    (Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    (Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\Teco.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe
    (TOSHIBA) C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
    (TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
    (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
    (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
    (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
    (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    (TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

    ==================== Registry (Whitelisted) ==================
    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
    HKLM\...\Run: [] => [X]
    HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-05-17] (TOSHIBA Corporation)
    HKLM\...\Run: [HSON] => C:\Program Files\TOSHIBA\TBS\HSON.exe [296824 2010-09-25] (TOSHIBA Corporation)
    HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [972672 2011-04-27] (TOSHIBA Corporation)
    HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [310912 2011-03-24] (Conexant Systems, Inc.)
    HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [562304 2011-06-30] (Conexant Systems, Inc.)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
    HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1544624 2011-05-24] (TOSHIBA Corporation)
    HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-07-01] (TOSHIBA Corporation)
    HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
    HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-06-10] (TOSHIBA Corporation)
    HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)
    HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
    HKLM-x32\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [252792 2010-06-04] (TOSHIBA)
    HKLM-x32\...\Run: [ToshibaServiceStation] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1298816 2011-07-11] (TOSHIBA Corporation)
    HKLM-x32\...\Run: [NortonOnlineBackupReminder] => C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe [3218864 2011-06-22] (Toshiba)
    HKLM-x32\...\Run: [ToshibaAppPlace] => C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
    HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
    HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [380088 2012-07-27] (Citrix Systems, Inc.)
    HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
    Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-21-10949600-3899849448-452949263-1000\...\Run: [HP Photosmart 5510 series (NET)] => C:\Program Files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe [2676584 2011-09-16] (Hewlett-Packard Co.)
    HKU\S-1-5-21-10949600-3899849448-452949263-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
    HKU\S-1-5-21-10949600-3899849448-452949263-1000\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKU\S-1-5-21-10949600-3899849448-452949263-1000\...\Policies\Explorer: [HideSCAHealth] 1
    AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [257208 2012-07-27] (Citrix Systems, Inc.)
    Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk [2012-10-05]
    ShortcutTarget: Monitor Ink Alerts - HP Photosmart 5510 series (Network).lnk -> C:\Program Files\HP\HP Photosmart 5510 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    ==================== Internet (Whitelisted) ====================
    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
    HKU\S-1-5-21-10949600-3899849448-452949263-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=111
    HKU\S-1-5-21-10949600-3899849448-452949263-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.toshiba.com/?cid=C001B2Y
    SearchScopes: HKLM -> {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL = http://www.google.com/search?source...nputEncoding}&oe={outputEncoding}&rlz=1I7TSNO
    SearchScopes: HKLM-x32 -> {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL = http://www.google.com/search?source...nputEncoding}&oe={outputEncoding}&rlz=1I7TSNO
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-10949600-3899849448-452949263-1000 -> DefaultScope {A307E3F2-FD30-41D1-9F48-619CF8EFFD0D} URL = http://www.google.com/search?source...ding}&oe={outputEncoding}&rlz=1I7TSNO_enUS483
    SearchScopes: HKU\S-1-5-21-10949600-3899849448-452949263-1000 -> {A307E3F2-FD30-41D1-9F48-619CF8EFFD0D} URL = http://www.google.com/search?source...ding}&oe={outputEncoding}&rlz=1I7TSNO_enUS483
    SearchScopes: HKU\S-1-5-21-10949600-3899849448-452949263-1000 -> {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL =
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
    BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\amd64\BingExt.dll [2013-12-16] (Microsoft Corporation.)
    BHO: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll [2012-08-24] (TOSHIBA Corporation)
    BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\IPS\IPSBHO.DLL [2012-06-20] (Symantec Corporation)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-05-09] (Oracle Corporation)
    BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
    BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
    BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\BingExt.dll [2013-12-16] (Microsoft Corporation.)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-09] (Oracle Corporation)
    BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll [2012-08-24] (TOSHIBA Corporation)
    Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\amd64\BingExt.dll [2013-12-16] (Microsoft Corporation.)
    Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\BingExt.dll [2013-12-16] (Microsoft Corporation.)
    Toolbar: HKU\S-1-5-21-10949600-3899849448-452949263-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    FireFox:
    ========
    FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_17_0_0_169.dll [2015-05-09] ()
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-05-09] ()
    FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2012-07-27] (Citrix Systems, Inc.)
    FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-09] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-09] (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2010-01-03] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2010-01-03] (Google Inc.)
    FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll [2014-02-08] ()
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
    FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\IPSFFPlgn
    FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\IPSFFPlgn [2012-05-12]
    Chrome:
    =======
    CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default
    ==================== Services (Whitelisted) =================
    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
    R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [5020520 2015-03-24] (Emsisoft GmbH)
    S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-01-27] (WildTangent)
    S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
    R2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\ccSvcHst.exe [138272 2012-06-15] (Symantec Corporation)
    R2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\PC Checkup\SymcPCCULaunchSvc.exe [132504 2013-11-02] (Symantec Corporation)
    R2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [126392 2011-07-19] (Symantec Corporation)
    R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
    S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
    ==================== Drivers (Whitelisted) ====================
    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
    R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20130531.001\BHDrvx64.sys [1393240 2013-05-31] (Symantec Corporation)
    R1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1309010.00E\ccSetx64.sys [167072 2012-06-07] (Symantec Corporation)
    R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-11-19] (Symantec Corporation)
    R1 epp64; C:\Windows\System32\DRIVERS\epp64.sys [135800 2015-03-24] (Emsisoft GmbH)
    R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [137648 2013-11-19] (Symantec Corporation) [File not signed]
    R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20130607.001\IDSvia64.sys [513184 2012-09-06] (Symantec Corporation)
    S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20130608.009\ENG64.SYS [126040 2013-05-22] (Symantec Corporation)
    S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20130608.009\EX64.SYS [2098776 2013-05-22] (Symantec Corporation)
    S3 SRTSP; C:\Windows\System32\Drivers\NAVx64\1309010.00E\SRTSP64.SYS [737952 2012-07-05] (Symantec Corporation)
    R1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1309010.00E\SRTSPX64.SYS [37536 2012-07-05] (Symantec Corporation)
    R0 SymDS; C:\Windows\System32\drivers\NAVx64\1309010.00E\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)
    R0 SymEFA; C:\Windows\System32\drivers\NAVx64\1309010.00E\SYMEFA64.SYS [1129120 2012-05-21] (Symantec Corporation)
    R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-05-12] (Symantec Corporation)
    R1 SymIRON; C:\Windows\system32\drivers\NAVx64\1309010.00E\Ironx64.SYS [190072 2012-04-17] (Symantec Corporation)
    R1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1309010.00E\SYMNETS.SYS [405624 2012-04-17] (Symantec Corporation)
    ==================== NetSvcs (Whitelisted) ===================
    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

    ==================== One Month Created Files and Folders ========
    (If an entry is included in the fixlist, the file\folder will be moved.)
    2015-05-10 09:20 - 2015-05-10 09:20 - 00022151 _____ () C:\Users\Owner\Desktop\FRST.txt
    2015-05-10 09:19 - 2015-05-10 09:20 - 00000000 ____D () C:\FRST
    2015-05-10 09:18 - 2015-05-10 08:33 - 02204160 _____ () C:\Users\Owner\Desktop\adwcleaner_4.203.exe
    2015-05-10 09:17 - 2015-05-10 08:32 - 02102784 _____ (Farbar) C:\Users\Owner\Desktop\FRST64.exe
    2015-05-10 09:16 - 2015-05-10 09:16 - 00000000 ____D () C:\Bea
    2015-05-10 08:46 - 2015-05-10 09:15 - 00136408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
    2015-05-10 08:39 - 2015-05-10 08:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2015-05-10 08:39 - 2015-05-10 08:39 - 00000000 ____D () C:\ProgramData\Malwarebytes
    2015-05-10 08:39 - 2015-05-10 08:39 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
    2015-05-10 08:39 - 2015-04-14 09:37 - 00107736 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
    2015-05-10 08:39 - 2015-04-14 09:37 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
    2015-05-10 08:39 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
    2015-05-09 17:28 - 2015-05-09 17:28 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\www.shadowexplorer.com
    2015-05-09 17:28 - 2015-05-09 17:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
    2015-05-09 17:28 - 2015-05-09 17:28 - 00000000 ____D () C:\Program Files (x86)\ShadowExplorer
    2015-05-09 16:52 - 2015-05-09 16:52 - 00000000 ____D () C:\ProgramData\Emsisoft
    2015-05-09 15:36 - 2015-05-09 15:36 - 00001266 _____ () C:\Users\Owner\Documents\!Decrypt-All-Files-zxyqgwd.txt
    2015-05-09 15:32 - 2015-05-09 15:32 - 00001098 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
    2015-05-09 15:32 - 2015-05-09 15:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
    2015-05-09 15:31 - 2015-05-10 09:14 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
    2015-05-09 15:31 - 2015-05-09 15:36 - 00889702 _____ () C:\ProgramData\zsncrnm.html
    2015-05-09 15:31 - 2015-03-24 00:17 - 00135800 _____ (Emsisoft GmbH) C:\windows\system32\Drivers\epp64.sys
    2015-05-09 15:29 - 2015-05-09 15:29 - 00002866 _____ () C:\windows\System32\Tasks\cfywxgh
    2015-05-09 15:04 - 2015-05-09 15:03 - 00097888 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
    2015-05-09 15:03 - 2015-05-09 15:04 - 00000000 ____D () C:\ProgramData\Oracle
    2015-05-09 15:03 - 2015-05-09 15:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
    2015-05-09 15:03 - 2015-05-09 15:03 - 00000000 ____D () C:\Program Files (x86)\Java
    2015-05-09 15:00 - 2014-05-14 12:23 - 02477536 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
    2015-05-09 15:00 - 2014-05-14 12:23 - 00700384 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll
    2015-05-09 15:00 - 2014-05-14 12:23 - 00581600 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapi.dll
    2015-05-09 15:00 - 2014-05-14 12:23 - 00058336 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe
    2015-05-09 15:00 - 2014-05-14 12:23 - 00044512 _____ (Microsoft Corporation) C:\windows\system32\wups2.dll
    2015-05-09 15:00 - 2014-05-14 12:23 - 00038880 _____ (Microsoft Corporation) C:\windows\system32\wups.dll
    2015-05-09 15:00 - 2014-05-14 12:23 - 00036320 _____ (Microsoft Corporation) C:\windows\SysWOW64\wups.dll
    2015-05-09 15:00 - 2014-05-14 12:21 - 02620928 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll
    2015-05-09 15:00 - 2014-05-14 12:20 - 00097792 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll
    2015-05-09 15:00 - 2014-05-14 12:17 - 00092672 _____ (Microsoft Corporation) C:\windows\SysWOW64\wudriver.dll
    2015-05-09 14:59 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll
    2015-05-09 14:59 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuwebv.dll
    2015-05-09 14:59 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe
    2015-05-09 14:59 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapp.exe
    ==================== One Month Modified Files and Folders =======
    (If an entry is included in the fixlist, the file\folder will be moved.)
    2015-05-10 09:19 - 2009-07-14 01:13 - 00006206 _____ () C:\windows\system32\PerfStringBackup.INI
    2015-05-10 09:13 - 2013-10-09 13:37 - 00000000 __SHD () C:\Users\Owner\AppData\Roaming\iedfbgir
    2015-05-10 09:13 - 2012-03-18 20:01 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-05-10 09:13 - 2010-11-20 23:47 - 00417378 _____ () C:\windows\PFRO.log
    2015-05-10 09:13 - 2010-01-01 01:03 - 00017920 _____ () C:\windows\SysWOW64\rpcnetp.dll
    2015-05-10 09:13 - 2010-01-01 01:01 - 00017920 _____ () C:\windows\SysWOW64\rpcnetp.exe
    2015-05-10 09:13 - 2010-01-01 01:01 - 00017920 _____ () C:\windows\system32\rpcnetp.exe
    2015-05-10 09:13 - 2009-07-14 01:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
    2015-05-10 09:13 - 2009-07-14 00:51 - 00040121 _____ () C:\windows\setupact.log
    2015-05-10 09:13 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\PolicyDefinitions
    2015-05-10 09:12 - 2012-03-18 20:01 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-05-10 09:01 - 2012-10-05 19:42 - 00000256 _____ () C:\windows\Tasks\HP Photo Creations Messager.job
    2015-05-10 08:54 - 2009-07-14 00:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-05-10 08:54 - 2009-07-14 00:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-05-10 08:37 - 2013-11-16 01:24 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
    2015-05-09 17:25 - 2012-03-18 19:35 - 01715369 _____ () C:\windows\WindowsUpdate.log
    2015-05-09 16:37 - 2013-11-16 01:24 - 00778416 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
    2015-05-09 16:37 - 2013-11-16 01:24 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
    2015-05-09 16:37 - 2011-11-03 02:12 - 00142512 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-05-09 15:36 - 2012-12-10 21:51 - 00000000 ____D () C:\Users\Owner\Desktop\Shadora_files
    2015-05-09 15:36 - 2012-06-09 21:58 - 00000000 ____D () C:\Users\Owner\Documents\Awesome Is The Lord Most High (by Chris Tomlin) - YouTube_files
    2015-05-09 15:36 - 2010-01-03 22:42 - 00000000 ____D () C:\Users\Owner\Desktop\_on site fixes
    2015-05-09 15:35 - 2012-07-06 22:05 - 00000000 ____D () C:\Users\Owner\Documents\Fax
    2015-05-09 15:34 - 2010-01-03 23:10 - 00000000 ____D () C:\Users\Owner\Desktop\New folder
    2015-05-09 15:31 - 2012-05-24 02:05 - 00000000 ____D () C:\ProgramData\Book Place
    2015-05-09 15:30 - 2012-03-18 19:48 - 00000000 ____D () C:\Program Files (x86)\Netwaiting
    2015-05-09 15:29 - 2013-12-04 19:08 - 00000000 ____D () C:\ProgramData\Symantec
    2015-05-09 15:29 - 2010-01-03 22:56 - 00000000 ____D () C:\AdwCleaner
    2015-05-09 15:27 - 2013-03-24 19:56 - 00000464 _____ () C:\windows\Tasks\Arcadesafari.job
    2015-05-09 15:12 - 2011-11-03 02:12 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
    2015-05-09 15:01 - 2012-10-05 19:40 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\HpUpdate
    2015-05-09 14:54 - 2012-03-18 20:01 - 00000000 ____D () C:\Program Files\Google
    2015-05-09 14:54 - 2012-03-18 20:00 - 00000000 ____D () C:\Program Files (x86)\Google
    2015-05-09 14:49 - 2012-05-12 22:52 - 00000000 ____D () C:\Users\Owner\AppData\Local\Google
    2015-05-09 14:49 - 2012-03-18 20:01 - 00000000 ____D () C:\ProgramData\Google
    ==================== Files in the root of some directories =======
    2012-10-05 19:37 - 2012-10-05 19:37 - 0000057 _____ () C:\ProgramData\Ament.ini
    2015-05-09 15:31 - 2015-05-09 15:36 - 0889702 _____ () C:\ProgramData\zsncrnm.html
    Some content of TEMP:
    ====================
    C:\Users\Owner\AppData\Local\Temp\apnpip.exe
    C:\Users\Owner\AppData\Local\Temp\APNSetup.exe
    C:\Users\Owner\AppData\Local\Temp\as_twc.exe
    C:\Users\Owner\AppData\Local\Temp\cdo2738778900.dll
    C:\Users\Owner\AppData\Local\Temp\cdo2990913542.dll
    C:\Users\Owner\AppData\Local\Temp\DefaultAssets.exe
    C:\Users\Owner\AppData\Local\Temp\DefaultOfflineContent.exe
    C:\Users\Owner\AppData\Local\Temp\dllnt_dump.dll
    C:\Users\Owner\AppData\Local\Temp\jaflpga.exe
    C:\Users\Owner\AppData\Local\Temp\KB00924649.exe
    C:\Users\Owner\AppData\Local\Temp\NLStubInstallerResources.dll
    C:\Users\Owner\AppData\Local\Temp\ose00000.exe
    C:\Users\Owner\AppData\Local\Temp\PCCU_Installer.exe
    C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
    C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
    C:\Users\Owner\AppData\Local\Temp\The_Weather_Channel_Application.exe

    ==================== Bamital & volsnap Check =================
    (There is no automatic fix for files that do not pass verification.)
    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

    LastRegBack: 2014-02-01 13:33
    ==================== End Of Log ============================

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 09-05-2015
    Ran by Owner at 2015-05-10 09:21:13
    Running from C:\Users\Owner\Desktop
    Boot Mode: Normal
    ==========================================================

    ==================== Accounts: =============================
    Administrator (S-1-5-21-10949600-3899849448-452949263-500 - Administrator - Disabled)
    Guest (S-1-5-21-10949600-3899849448-452949263-501 - Limited - Disabled)
    HomeGroupUser$ (S-1-5-21-10949600-3899849448-452949263-1002 - Limited - Enabled)
    Owner (S-1-5-21-10949600-3899849448-452949263-1000 - Administrator - Enabled) => C:\Users\Owner
    ==================== Security Center ========================
    (If an entry is included in the fixlist, it will be removed.)
    AV: Norton AntiVirus (Disabled - Up to date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
    AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Norton AntiVirus (Disabled - Up to date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
    ==================== Installed Programs ======================
    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
    Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19140 - Adobe Systems Incorporated)
    Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
    Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.169 - Adobe Systems Incorporated)
    Adobe Reader X (10.1.13) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.13 - Adobe Systems Incorporated)
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.36 - Atheros Communications Inc.)
    Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
    Bing Bar (HKLM-x32\...\{FF6DD716-7B10-4269-9F19-FFB07AC4CD95}) (Version: 7.3.124.0 - Microsoft Corporation)
    Bing Rewards Client Installer (x32 Version: 16.0.345.0 - Microsoft Corporation) Hidden
    Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
    Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
    Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
    Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 13.3.0.55 - Citrix Systems, Inc.)
    Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.51.2.51 - Conexant)
    CWA Reminder by We-Care.com v4.1.21.3 (HKLM-x32\...\{A6558E2A-FAF9-4570-AA49-6328D0354517}) (Version: 4.1.21.3 - We-Care.com)
    D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
    Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd.)
    FATE - The Traitor Soul (x32 Version: 2.2.0.95 - WildTangent) Hidden
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 42.0.2311.135 - Google Inc.)
    Google Update Helper (x32 Version: 1.3.22.5 - Google Inc.) Hidden
    Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
    HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
    HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.5192 - HP Photo Creations)
    HP Photosmart 5510 series Basic Device Software (HKLM\...\{424E8E17-A7B7-45B5-8C79-D58F04D9D920}) (Version: 25.0.621.0 - Hewlett-Packard Co.)
    HP Photosmart 5510 series Help (HKLM-x32\...\{E02964EA-0E1B-4620-A26E-CBAB0341B1BB}) (Version: 140.0.2.2 - Hewlett Packard)
    HP Photosmart 5510 series Product Improvement Study (HKLM\...\{1AE1848C-D592-4222-8048-AEE1694D2959}) (Version: 25.0.621.0 - Hewlett-Packard Co.)
    HP Update (HKLM-x32\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
    HPDiagnosticAlert (x32 Version: 1.00.0000 - Microsoft) Hidden
    Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
    Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2509 - Intel Corporation)
    Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.6.0.1002 - Intel Corporation)
    Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
    Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Label@Once 1.0 (HKLM-x32\...\{0D795777-9D60-4692-8386-F2B3F2B5E5BF}) (Version: 1.0 - Corel)
    Letters from Nowhere 2 (x32 Version: 2.2.0.97 - WildTangent) Hidden
    Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
    Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
    Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
    Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
    Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
    Netwaiting (HKLM-x32\...\{74B8998B-2B1B-4414-AD5D-17E7E9B5FF0A}) (Version: 1.0.1 - Conexant Systems, Inc)
    Norton AntiVirus (HKLM-x32\...\NAV) (Version: 19.9.1.14 - Symantec Corporation)
    Norton PC Checkup (HKLM-x32\...\Norton PC Checkup_is1) (Version: 3.0.4.49.0 - Symantec Corporation)
    Online Plug-in (x32 Version: 13.3.0.55 - Citrix Systems, Inc.) Hidden
    Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
    PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
    PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
    Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
    Realtek USB 2.0 Reader Driver (HKLM-x32\...\{62BBB2F0-E220-4821-A564-730807D2C34D}) (Version: 1.0.0.15 - Realtek Semiconductor Corp.)
    Realtek WLAN Driver (HKLM-x32\...\{9D3D8C60-A55F-4fed-B2B9-173001290E16}) (Version: 2.00.0013 - REALTEK Semiconductor Corp.)
    RollerCoaster Tycoon 3: Platinum (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Run N Gun Football (x32 Version: 2.2.0.95 - WildTangent) Hidden
    Self-service Plug-in (x32 Version: 3.3.0.27839 - Citrix Systems, Inc.) Hidden
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
    ShadowExplorer 0.9 (HKLM-x32\...\ShadowExplorer_is1) (Version: 0.9.462.0 - ShadowExplorer.com)
    Skype Launcher (HKLM-x32\...\{DA84ECBF-4B79-47F2-B34C-95C38484C058}) (Version: 2.01 - TOSHIBA Corporation)
    Sportball Challenge (x32 Version: 2.2.0.95 - WildTangent) Hidden
    Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.2.11.1 - Synaptics Incorporated)
    Tales of Lagoona (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Toshiba App Place (HKLM-x32\...\{ED3CBA78-488F-4E8C-B33F-8E3BF4DDB4D2}) (Version: 1.0.6.3 - Toshiba)
    TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.2 - TOSHIBA)
    TOSHIBA Assist (HKLM-x32\...\{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}) (Version: 4.2.3.0 - TOSHIBA CORPORATION)
    Toshiba Book Place (HKLM-x32\...\{C31337DE-0CDC-45A9-9A32-F099AC78D557}) (Version: 3.0.9490 - K-NFB Reading Technology, Inc.)
    TOSHIBA Bulletin Board (HKLM-x32\...\InstallShield_{1C8C049A-145F-4A6E-8290-B5C245EBE39D}) (Version: 1.6.11.64 - TOSHIBA Corporation)
    TOSHIBA Disc Creator (HKLM\...\{5DA0E02F-970B-424B-BF41-513A5018E4C0}) (Version: 2.1.0.11 for x64 - TOSHIBA Corporation)
    TOSHIBA eco Utility (HKLM\...\{C2F94B5E-201A-4754-8F2F-4395E1D90DA3}) (Version: 1.3.5.64 - TOSHIBA Corporation)
    TOSHIBA Face Recognition (HKLM-x32\...\InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}) (Version: 3.1.17.64 - TOSHIBA Corporation)
    TOSHIBA Hardware Setup (HKLM-x32\...\InstallShield_{C4FFA951-9678-4D51-84B4-AFD15D3C45AD}) (Version: 4.08.09.00 - TOSHIBA)
    TOSHIBA HDD/SSD Alert (HKLM\...\{D4322448-B6AF-4316-B859-D8A0E84DCB38}) (Version: 3.1.64.9 - TOSHIBA Corporation)
    Toshiba Laptop Checkup (HKLM-x32\...\NortonPCCheckup) (Version: 2.0.13.11 - Symantec Corporation)
    TOSHIBA Media Controller (HKLM-x32\...\{C7A4F26F-F9B0-41B2-8659-99181108CDE3}) (Version: 1.0.87.4 - TOSHIBA CORPORATION)
    TOSHIBA Media Controller Plug-in (HKLM-x32\...\{F26FDF57-483E-42C8-A9C9-EEE1EDB256E0}) (Version: 1.0.8.0 - TOSHIBA CORPORATION)
    Toshiba Online Backup (HKLM-x32\...\{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}) (Version: 2.0.0.31 - Toshiba)
    TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.7.9.64 - TOSHIBA Corporation)
    TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.4 - TOSHIBA)
    TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.1.5.5109a - TOSHIBA CORPORATION)
    TOSHIBA ReelTime (HKLM-x32\...\InstallShield_{24811C12-F4A9-4D0F-8494-A7B8FE46123C}) (Version: 1.7.21.64 - TOSHIBA Corporation)
    TOSHIBA Resolution+ Plug-in for Windows Media Player (HKLM-x32\...\{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}) (Version: 1.1.2001 - TOSHIBA Corporation)
    TOSHIBA Service Station (HKLM-x32\...\{AC6569FA-6919-442A-8552-073BE69E247A}) (Version: 2.2.12 - TOSHIBA)
    TOSHIBA Sleep Utility (HKLM-x32\...\{654F7484-88C5-46DC-AB32-C66BCB0E2102}) (Version: 1.4.2.8 - TOSHIBA Corporation)
    TOSHIBA Supervisor Password (HKLM-x32\...\InstallShield_{CBD6B23D-41D5-4A46-8019-6208516C9712}) (Version: 4.08.09.00 - TOSHIBA)
    TOSHIBA Value Added Package (HKLM-x32\...\InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}) (Version: 1.6.1.64 - TOSHIBA Corporation)
    TOSHIBA Web Camera Application (HKLM-x32\...\InstallShield_{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}) (Version: 2.0.3.3 - TOSHIBA Corporation)
    TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.0.7 - TOSHIBA)
    Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
    Virtual Villagers 4 - The Tree of Life (x32 Version: 2.2.0.97 - WildTangent) Hidden
    WildTangent Games (HKLM-x32\...\WildTangent toshiba Master Uninstall) (Version: 1.0.2.5 - WildTangent)
    WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
    WildTangent Games App (Toshiba Games) (x32 Version: 4.0.11.2 - WildTangent) Hidden
    Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
    Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
    Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden
    ==================== Custom CLSID (selected items): ==========================
    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    ==================== Restore Points =========================

    ==================== Hosts content: ==========================
    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)
    2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____N C:\windows\system32\Drivers\etc\hosts
    ==================== Scheduled Tasks (whitelisted) =============
    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
    Task: {04DB0683-5732-48B0-8958-F6F6A0637047} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-01-03] (Google Inc.)
    Task: {0AFDDB97-7A70-479A-872A-2D068FEA9A14} - System32\Tasks\HPCustParticipation HP Photosmart 5510 series => C:\Program Files\HP\HP Photosmart 5510 series\Bin\HPCustPartic.exe [2011-09-16] (Hewlett-Packard Co.)
    Task: {1280578E-CF1C-4C4D-9009-B7D2E90F3C09} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-05-09] (Adobe Systems Incorporated)
    Task: {2A5D8511-7E2F-4272-BD73-E28E1FBD442B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-01-03] (Google Inc.)
    Task: {4110451E-7C13-491D-A4A0-D3C7F3EF05A5} - System32\Tasks\Norton AntiVirus\Norton Error Analyzer => C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\SymErr.exe [2012-02-03] (Symantec Corporation)
    Task: {4BC913B1-FC64-4E39-A1AE-7D94043E97C8} - System32\Tasks\Norton AntiVirus\Norton Error Processor => C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\SymErr.exe [2012-02-03] (Symantec Corporation)
    Task: {5057F0A4-61B7-4D14-9B00-D5AB1B4A66DC} - System32\Tasks\HP Photo Creations Messager => C:\ProgramData\HP Photo Creations\MessageCheck.exe [2011-02-15] ()
    Task: {6B84A328-0647-4935-9DE0-4E4A84C3DACF} - System32\Tasks\PC Checkup 3 Weekly Scan => C:\Program Files (x86)\PC Checkup\NLAppLauncher.exe [2013-11-02] (Symantec Corporation)
    Task: {93835C6C-09F8-4162-9D5A-D31129913391} - System32\Tasks\cfywxgh => C:\Users\Owner\AppData\Local\Temp\jaflpga.exe [2015-05-09] (Корпорация Майкрософт) <==== ATTENTION
    Task: {E3761150-84A6-4316-9E8C-589B68CFB510} - System32\Tasks\Arcadesafari => C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe
    Task: {F2274E15-3475-4DAF-BFC7-C5F65788E37A} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\WSCStub.exe [2013-02-02] (Symantec Corporation)
    Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\windows\Tasks\Arcadesafari.job => C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe
    Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\windows\Tasks\HP Photo Creations Messager.job => C:\ProgramData\HP Photo Creations\MessageCheck.exe
    ==================== Loaded Modules (whitelisted) ==============
    2010-01-01 01:01 - 2015-05-10 09:13 - 00017920 _____ () C:\windows\System32\rpcnetp.exe
    2010-11-18 20:18 - 2010-11-18 20:18 - 11190784 _____ () C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
    2010-12-15 18:19 - 2010-12-15 18:19 - 00124320 _____ () C:\Program Files\TOSHIBA\TECO\MUIHelp.dll
    2011-08-31 15:13 - 2011-08-31 15:13 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
    2011-06-10 00:09 - 2011-06-10 00:09 - 00079784 _____ () C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosIPCWraper.dll
    ==================== Alternate Data Streams (whitelisted) =========
    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
    AlternateDataStreams: C:\windows\system32\autochk.exe:BAK
    ==================== Safe Mode (whitelisted) ===================
    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

    ==================== EXE Association (whitelisted) ===============
    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

    ==================== Internet Explorer trusted/restricted ===============
    (If an entry is included in the fixlist, the associated entry will be removed from the registry.)

    ==================== Other Areas ============================
    (Currently there is no automatic fix for this section.)
    HKU\S-1-5-21-10949600-3899849448-452949263-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Owner\Documents\!Decrypt-All-Files-zxyqgwd.bmp
    DNS Servers: 192.168.0.1
    ==================== MSCONFIG/TASK MANAGER disabled items ==
    (Currently there is no automatic fix for this section.)

    ==================== FirewallRules (whitelisted) ===============
    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
    FirewallRules: [{56750813-2DEB-431C-9BBF-2DC5534E51BD}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    FirewallRules: [{F44B56C4-B71A-4D94-BE9C-D6D80D16CDD3}] => (Allow) LPort=2869
    FirewallRules: [{FF7AC202-B0FA-43C1-A112-5BA874211943}] => (Allow) LPort=1900
    FirewallRules: [{97C9FCD5-ED4A-4A8F-A29A-34C07ADB3409}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    FirewallRules: [{A7DBBE3D-69BC-491C-8E40-2ECD1620E021}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
    FirewallRules: [{5BDEE6C4-CDC4-47FE-9C29-F67D9889019A}] => (Allow) C:\Program Files\HP\HP Photosmart 5510 series\Bin\DeviceSetup.exe
    FirewallRules: [{6C43F3DB-0D4F-432C-B22D-27B0479C3CE9}] => (Allow) C:\Program Files\HP\HP Photosmart 5510 series\Bin\HPNetworkCommunicator.exe
    FirewallRules: [{46D35222-6861-452B-BE01-32185A1C420C}] => (Allow) LPort=10255
    FirewallRules: [{F67EFD60-633E-43BE-A0C9-A55F75B3F60A}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    ==================== Faulty Device Manager Devices =============
    Name: Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20) #2
    Description: Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: Atheros
    Service: L1C
    Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
    Resolution: Update the driver

    ==================== Event log errors: =========================
    Application errors:
    ==================
    Error: (05/10/2015 09:19:22 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
    Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
    Error: (05/10/2015 09:19:22 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
    Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.
    Error: (05/10/2015 09:15:09 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/10/2015 09:14:07 AM) (Source: Toshiba App Place) (EventID: 0) (User: )
    Description: System.NullReferenceException: Object reference not set to an instance of an object.
    Stack Trace:
    at SnappCloud.ActivationReminder.Program.Main(String[] args)
    Error: (05/10/2015 08:52:19 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
    Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
    Error: (05/10/2015 08:52:19 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
    Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.
    Error: (05/10/2015 08:46:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/10/2015 08:45:21 AM) (Source: Toshiba App Place) (EventID: 0) (User: )
    Description: System.NullReferenceException: Object reference not set to an instance of an object.
    Stack Trace:
    at SnappCloud.ActivationReminder.Program.Main(String[] args)
    Error: (05/10/2015 08:39:41 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
    Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
    Error: (05/10/2015 08:39:41 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
    Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

    System errors:
    =============
    Error: (05/10/2015 09:14:09 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
    Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    Error: (05/10/2015 08:46:49 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).
    Error: (05/10/2015 08:45:27 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
    Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    Error: (05/10/2015 08:27:19 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
    Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    Error: (05/10/2015 08:27:04 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The ShadowExplorer Service service failed to start due to the following error:
    %%1053
    Error: (05/10/2015 08:27:04 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
    Description: A timeout was reached (30000 milliseconds) while waiting for the ShadowExplorer Service service to connect.
    Error: (05/10/2015 08:25:59 AM) (Source: volsnap) (EventID: 29) (User: )
    Description: The shadow copies of volume C: were aborted during detection.
    Error: (05/09/2015 04:03:13 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
    Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    Error: (05/09/2015 04:01:38 PM) (Source: volsnap) (EventID: 29) (User: )
    Description: The shadow copies of volume C: were aborted during detection.
    Error: (05/09/2015 02:53:53 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
    Description: The Windows Update service did not shut down properly after receiving a preshutdown control.

    Microsoft Office Sessions:
    =========================
    Error: (05/10/2015 09:19:22 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
    Description: WmiApRplWmiApRpl8F20300004D070000
    Error: (05/10/2015 09:19:22 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
    Description: Performance1637070000000000000000000009030000
    Error: (05/10/2015 09:15:09 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/10/2015 09:14:07 AM) (Source: Toshiba App Place) (EventID: 0) (User: )
    Description: System.NullReferenceException: Object reference not set to an instance of an object.
    Stack Trace:
    at SnappCloud.ActivationReminder.Program.Main(String[] args)
    Error: (05/10/2015 08:52:19 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
    Description: WmiApRplWmiApRpl8F20300004D070000
    Error: (05/10/2015 08:52:19 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
    Description: Performance1637070000000000000000000009030000
    Error: (05/10/2015 08:46:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/10/2015 08:45:21 AM) (Source: Toshiba App Place) (EventID: 0) (User: )
    Description: System.NullReferenceException: Object reference not set to an instance of an object.
    Stack Trace:
    at SnappCloud.ActivationReminder.Program.Main(String[] args)
    Error: (05/10/2015 08:39:41 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
    Description: WmiApRplWmiApRpl8F20300004D070000
    Error: (05/10/2015 08:39:41 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
    Description: Performance1637070000000000000000000009030000

    ==================== Memory info ===========================
    Processor: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz
    Percentage of memory in use: 36%
    Total physical RAM: 4043.86 MB
    Available physical RAM: 2560.51 MB
    Total Pagefile: 8085.9 MB
    Available Pagefile: 5995.9 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.83 MB
    ==================== Drives ================================
    Drive c: (TI106320W0D) (Fixed) (Total:449.62 GB) (Free:402.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    ==================== MBR & Partition Table ==================
    ========================================================
    Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 7FE1B5BF)
    Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
    Partition 2: (Not Active) - (Size=449.6 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=14.7 GB) - (Type=17)
    ==================== End Of Log ============================

    # AdwCleaner v4.203 - Logfile created 10/05/2015 at 09:32:02
    # Updated 30/04/2015 by Xplode
    # Database : 2015-05-09.1 [Server]
    # Operating system : Windows 7 Home Premium Service Pack 1 (x64)
    # Username : Owner - OWNER-PC
    # Running from : C:\Users\Owner\Desktop\adwcleaner_4.203.exe
    # Option : Cleaning
    ***** [ Services ] *****

    ***** [ Files / Folders ] *****
    File Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ippkomaaonokjnfjoikaemidanojkfmm_0.localstorage
    ***** [ Scheduled tasks ] *****

    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****
    Key Deleted : HKU\.DEFAULT\Software\AskPartnerNetwork
    ***** [ Web browsers ] *****
    -\\ Internet Explorer v11.0.9600.16518

    -\\ Google Chrome v42.0.2311.135

    *************************
    AdwCleaner[R1].txt - [959 bytes] - [10/05/2015 09:30:09]
    AdwCleaner[S1].txt - [889 bytes] - [10/05/2015 09:32:02]
    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [947 bytes] ##########
     
  2. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi Tony,

    Sorry for the delay.... Having Internet connection problems here.
    They've been trying to fix it for a few days now.

    First off, this is what you are dealing with:
    http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information
    You did ask where this possibly came from......
    Take a look at the date and times:
    Then look for something else you did about that time:

    Now the big question is... Why didn't you go to Emsisoft for the AntiMalware??
    Why go to another site?
    Seems there's a good possibility that the site you used is infected.
    I'd play safe and get rid of Emsisoft Antimalware as anything from the site you used obviously can't be trusted.

    Anything encrypted is gone forever.
    There's still quite a bit showing in the reports.


    Step 1
    Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.
    NOTE:
    It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine.
    Running this on another machine may cause damage to your operating system.


    Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.

    The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.


    Step 2
    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2

    This is an example; you may rename ComboFix to anything you want.
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:

    Double click on Combo-Fix.exe & follow the prompts.

    Vista/Win7 users should right click on the icon and select Run as Administrator.

    Click on Yes, to continue scanning for malware.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    In your next reply, please submit:
    fixlog.txt
    Combofix.txt

    You should also decide what you are doing about an AntiVirus.
    If you are going to use Emsisoft AntiMalware, then get it from the vendors own site.
    https://www.emsisoft.com/en/software/antimalware/

    But whatever AV you decide on..... don't forget to remove Norton first!!
    and then run the removal tool:
    Norton Removal Tool


    Thanks.
     

    Attached Files:

  3. Tony D

    Thank you Pete,
    Here's the FRST log. When I right-clicked on the ComboFix download and used Run as Administrator, ComboFix opened and created a restore point, then quit with the message "You need Administrator privileges to run this tool".

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-05-2015
    Ran by Owner at 2015-05-12 09:10:55 Run:1
    Running from C:\Users\Owner\Desktop
    Loaded Profiles: Owner (Available profiles: Owner)
    Boot Mode: Normal
    ==============================================
    Content of fixlist:
    *****************
    (Корпорация Майкрософт) C:\Users\Owner\AppData\Local\Temp\jaflpga.exe
    HKLM\...\Run: [] => [X]
    HKLM-x32\...\Run: [] => [X]
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-10949600-3899849448-452949263-1000 -> {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL =
    Toolbar: HKU\S-1-5-21-10949600-3899849448-452949263-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    2015-05-09 15:36 - 2015-05-09 15:36 - 00001266 _____ () C:\Users\Owner\Documents\!Decrypt-All-Files-zxyqgwd.txt
    2015-05-09 15:31 - 2015-05-09 15:36 - 00889702 _____ () C:\ProgramData\zsncrnm.html
    2015-05-09 15:29 - 2015-05-09 15:29 - 00002866 _____ () C:\windows\System32\Tasks\cfywxgh
    2015-05-09 15:27 - 2013-03-24 19:56 - 00000464 _____ () C:\windows\Tasks\Arcadesafari.job
    C:\Users\Owner\AppData\Local\Temp\apnpip.exe
    C:\Users\Owner\AppData\Local\Temp\APNSetup.exe
    C:\Users\Owner\AppData\Local\Temp\as_twc.exe
    C:\Users\Owner\AppData\Local\Temp\cdo2738778900.dll
    C:\Users\Owner\AppData\Local\Temp\cdo2990913542.dll
    C:\Users\Owner\AppData\Local\Temp\DefaultAssets.exe
    C:\Users\Owner\AppData\Local\Temp\DefaultOfflineContent.exe
    C:\Users\Owner\AppData\Local\Temp\dllnt_dump.dll
    C:\Users\Owner\AppData\Local\Temp\jaflpga.exe
    C:\Users\Owner\AppData\Local\Temp\KB00924649.exe
    C:\Users\Owner\AppData\Local\Temp\NLStubInstallerResources.dll
    C:\Users\Owner\AppData\Local\Temp\ose00000.exe
    C:\Users\Owner\AppData\Local\Temp\PCCU_Installer.exe
    C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
    C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
    C:\Users\Owner\AppData\Local\Temp\The_Weather_Channel_Application.exe
    Task: {93835C6C-09F8-4162-9D5A-D31129913391} - System32\Tasks\cfywxgh => C:\Users\Owner\AppData\Local\Temp\jaflpga.exe [2015-05-09] (Корпорация Майкрософт) <==== ATTENTION
    Task: {E3761150-84A6-4316-9E8C-589B68CFB510} - System32\Tasks\Arcadesafari => C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe
    Task: C:\windows\Tasks\Arcadesafari.job => C:\Users\Owner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe
    C:\Users\Owner\AppData\Local\Arcadesafari
    CMD: ipconfig /flushdns
    EmptyTemp:
    Hosts:
    *****************
    [1640] C:\Users\Owner\AppData\Local\Temp\jaflpga.exe => Process closed successfully.
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value deleted successfully.
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
    "HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
    HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    "HKU\S-1-5-21-10949600-3899849448-452949263-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}" => Key deleted successfully.
    HKCR\CLSID\{{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} => Key not found.
    HKU\S-1-5-21-10949600-3899849448-452949263-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
    HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
    C:\Users\Owner\Documents\!Decrypt-All-Files-zxyqgwd.txt => Moved successfully.
    C:\ProgramData\zsncrnm.html => Moved successfully.
    C:\windows\System32\Tasks\cfywxgh => Moved successfully.
    C:\windows\Tasks\Arcadesafari.job => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\apnpip.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\APNSetup.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\as_twc.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\cdo2738778900.dll => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\cdo2990913542.dll => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\DefaultAssets.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\DefaultOfflineContent.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\jaflpga.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\KB00924649.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\NLStubInstallerResources.dll => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\ose00000.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\PCCU_Installer.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\Quarantine.exe => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\sqlite3.dll => Moved successfully.
    C:\Users\Owner\AppData\Local\Temp\The_Weather_Channel_Application.exe => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{93835C6C-09F8-4162-9D5A-D31129913391}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{93835C6C-09F8-4162-9D5A-D31129913391}" => Key deleted successfully.
    C:\Windows\System32\Tasks\cfywxgh not found.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\cfywxgh" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E3761150-84A6-4316-9E8C-589B68CFB510}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E3761150-84A6-4316-9E8C-589B68CFB510}" => Key deleted successfully.
    C:\Windows\System32\Tasks\Arcadesafari => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Arcadesafari" => Key deleted successfully.
    C:\windows\Tasks\Arcadesafari.job not found.
    "C:\Users\Owner\AppData\Local\Arcadesafari" => File/Directory not found.
    ========= ipconfig /flushdns =========

    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    ========= End of CMD: =========
    C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
    Hosts was reset successfully.
    EmptyTemp: => Removed 1.6 GB temporary data.

    The system needed a reboot.
    ==== End of Fixlog 09:13:06 ====
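    The Fixlog above shows the three places the infection had dug in: a scheduled task (cfywxgh) launching an executable out of %TEMP%, autorun values with an empty name under the Run keys, and Explorer policies (HideSCAHealth, TaskbarNoNotification) that hide the Security Center warnings. The PowerShell below is an added, read-only triage pass over those same spots; it is not FRST, ComboFix or anything either poster wrote, and the folder patterns it flags are my own heuristics rather than anything taken from the thread. Run it from an elevated prompt (it needs to read System32\Tasks and HKLM) before and after a cleanup to see what is still registered.

```powershell
# Added triage example for this thread. Not FRST, ComboFix or any poster's code.
# Read-only: it reports the kinds of persistence the Fixlog above cleaned and
# changes nothing. Assumptions (mine): elevated PowerShell on the machine being
# checked; the location patterns below are my heuristics, not a definitive list.

$SuspiciousLocations = @(
    '\\AppData\\Local\\Temp\\',                # %TEMP%, where the task's jaflpga.exe lived
    '^"?[A-Za-z]:\\ProgramData\\[^\\]+\.exe'   # a bare .exe directly under ProgramData
)

function Test-SuspiciousLaunchPath {
    param([string]$CommandLine)
    foreach ($pattern in $SuspiciousLocations) {
        if ($CommandLine -match $pattern) { return $true }
    }
    return $false
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Target, [string]$Why)
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Target = $Target; Why = $Why }
}

$findings = @()

# 1. Scheduled tasks. Each registered task is an XML file under System32\Tasks;
#    the <Exec><Command> element is the binary that actually runs.
$taskRoot  = Join-Path $env:SystemRoot 'System32\Tasks'
$taskFiles = Get-ChildItem -Path $taskRoot -Recurse -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
foreach ($file in $taskFiles) {
    $task = $null
    try { $task = [xml](Get-Content -LiteralPath $file.FullName -ErrorAction Stop) } catch { }
    if ($task -eq $null) { continue }
    $ns = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    $taskName = $file.FullName.Substring($taskRoot.Length)
    foreach ($exec in $task.SelectNodes('//t:Actions/t:Exec', $ns)) {
        $cmd = [string]$exec.Command
        if (Test-SuspiciousLaunchPath $cmd) {
            $findings += New-Finding 'ScheduledTask' $taskName $cmd 'launches from a temp/staging folder'
        }
    }
}

# 2. Run and Policies\Explorer\Run keys (64-bit and 32-bit views). A value with
#    an empty name, as in the Fixlog ("Run: [] => [X]"), is flagged on its own.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($valueName in $key.GetValueNames()) {
        $target = [string]$key.GetValue($valueName)
        if ($valueName -eq '') {
            $findings += New-Finding 'RunKey' "$keyPath\(Default)" $target 'autorun value with an empty name'
        } elseif (Test-SuspiciousLaunchPath $target) {
            $findings += New-Finding 'RunKey' "$keyPath\$valueName" $target 'launches from a temp/staging folder'
        }
    }
}

# 3. Explorer policies that silence the Security Center / tray warnings a user
#    would otherwise see when protection is switched off.
$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($policy in 'HideSCAHealth', 'TaskbarNoNotification') {
    $value = (Get-ItemProperty -LiteralPath $policyKey -Name $policy -ErrorAction SilentlyContinue).$policy
    if ($value -eq 1) {
        $findings += New-Finding 'ExplorerPolicy' "$policyKey\$policy" "$value" 'suppresses Security Center / tray warnings'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No suspicious autostart entries found by these heuristics.'
} else {
    $findings | Sort-Object Source, Name | Format-Table Source, Name, Target, Why -AutoSize
}
```

    The script only reads, so it is safe to run while a vendor tool is still working; anything it lists is a lead to check, not an automatic verdict, since some legitimate installers also leave tasks or autoruns pointing at Temp.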
     
  4. starbuck

    Hi Tony,

    Well the account does have Admin privileges because FRST requires them as well.... and that ran ok.

    Can you just try and see if CF will run in Safe Mode?
     
  5. Tony D

    Oh my, CF won't run with the machine booted to Safe Mode.

    I booted to Safe Mode. Then I right-clicked on CF and chose Run as Administrator. Same issue: it creates a Restore Point and then I receive a message that you need Administrative privileges to run this tool.

    I then created a new Administrator account. Couldn't get CF to run from there either. It creates a Restore Point, then I get the message about needing Admin privileges.
     
  6. starbuck

    Hi Tony,

    Ok then.

    What AVs are installed now?
    Are Emsisoft and Norton still installed?
    Remember, only one AV should be installed at any one time.

    I'd like you to do an ESET OnlineScan
    64-bit users, please see the note at the bottom.

    You may find it beneficial to close your resident AV program before running the scan.

    It's been found that on some systems ESET's Online Scan fails during the database download (around 20%).
    To prevent this happening:
    When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):

    Enable Anti-Stealth technology

    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [image] button.
    • If asked, allow the ActiveX control to install.
    • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
      • Click on [image] to download the ESET Smart Installer.
        Save it to your desktop.
      • Double click on the [image] icon on your desktop.
    • Check [image]
    • Click the [image] button.
    • Accept any security warnings from your browser.
    • Check [image]
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked.
    • Click the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [image]
    • Click [image], and save the file to your desktop using a unique name, such as ESETScan.
      Include the contents of this report in your next reply.
    • Click the [image] button.
    • Click [image]
    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

    Note:
    As you are running a 64-bit system:
    The ESET Online Scanner is a 32-bit application, which means it must be run in the 32-bit version of Internet Explorer, and as an Administrator. To do so, right-click on the Internet Explorer (32-bit) icon in the Start Menu and select "Run as administrator" from the context menu.
    Or use either Firefox or Chrome, which almost certainly will be 32-bit versions.

    Please post the Eset report if anything is found.

    Thanks
     
  7. Tony D

    Thanks Pete, here's the ESET log:
    C:\AdwCleaner\Quarantine\C\Program Files (x86)\FastAgain PC Booster\PCBooster.exe.vir a variant of Win32/Systweak potentially unwanted application deleted - quarantined
    C:\AdwCleaner\Quarantine\C\Program Files (x86)\VNT\vntldr.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Local\VNT\vntldr.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
    C:\AdwCleaner\Quarantine\C\windows\System32\roboot64.exe.vir a variant of Win64/Systweak.A potentially unwanted application deleted - quarantined
    C:\FRST\Quarantine\C\Users\Owner\AppData\Local\Temp\apnpip.exe.xBAD a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application deleted - quarantined
    C:\FRST\Quarantine\C\Users\Owner\AppData\Local\Temp\APNSetup.exe.xBAD a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application deleted - quarantined
    C:\FRST\Quarantine\C\Users\Owner\AppData\Local\Temp\jaflpga.exe.xBAD a variant of Win32/Kryptik.DHUX trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\C\Users\Owner\AppData\Local\Temp\KB00924649.exe.xBAD a variant of Win32/Kryptik.DHUX trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\C\Users\Owner\Documents\!Decrypt-All-Files-zxyqgwd.txt.xBAD Win32/Filecoder.DA trojan deleted - quarantined
    C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\LanguageNames2\!Decrypt-All-Files-zxyqgwd.txt Win32/Filecoder.DA trojan deleted - quarantined
    C:\Users\Owner\Documents\APNSetup.exe a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application deleted - quarantined

    Any idea what's going on with
    C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\LanguageNames2\!Decrypt-All-Files-zxyqgwd.txt Win32/Filecoder.DA trojan deleted - quarantined

    I had updated Adobe Reader just before I installed the Emsisoft AntiMalware. Can't remember if I did it from Adobe.com or if from the Reader application itself.
     
  8. starbuck

    Hi Tony,

    That's a new one on me.
    The C:\Users\Owner\Documents\!Decrypt-All-Files-zxyqgwd.txt is the usual .txt file that is found.
    It gives the info on how to pay if you go over the time limit for paying.

    Eset only found a couple of things as most entries had already been removed and were in quarantine.
    So that's good.
    C:\Program Files (x86)\Adobe\Reader 10.0.................. I'm running Reader 11,
    Latest Adobe versions

    How is the system running in general?
     
  9. Tony D

    Thanks Pete, the system is running well.
     
  10. starbuck

    The problem with Combofix..... I have seen before (but not for quite a while) and there never seems to be a satisfactory reason for it.
    As MBAM found quite a bit to start with, you might want to update it and run another scan.... just as a double check.

    But if there's no other problems.....

    Step 1
    Restart MBAM.
    Click on the History tab >> Quarantine
    Tick to select all items (if any there ) and then click the Delete button.
    Close MBAM.


    Step 2
    Download Delfix and save it to your desktop.
    • Ensure Remove disinfection tools is checked.
    • Also place a checkmark next to:
      • Create registry backup
      • Purge system restore
    • Click the Run button.
    When the tool has finished, a log will open in Notepad.... but I don't actually need this report.


    Step 3

    Eset can be removed using the Remove Programs feature in Control Panel.
     
  11. Tony D

    Roger that. Thanks Pete. I owe ya a few.
     
