#1 DonnaB (Member, Spyware Fighter; joined Apr 2009; Illiana, Ill. USA; 3,521 posts; 563 points)

Cryptowall 3.0 cleanup

    Hey Joe! You out there?

    Just ran two new FRST logs. I do have the previous logs and the fixlog if needed, or we can link back to Bryan's topic at GTG. Your choice.


    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-05-2015
    Ran by bcdra_000 (administrator) on CALVERT on 02-05-2015 17:12:11
    Running from C:\Users\bcdra_000\Desktop
    Loaded Profiles: bcdra_000 & (Available profiles: bcdra_000)
    Platform: Windows 8.1 (X64) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (ASUSTeK Computer Inc.) C:\Windows\System32\FBAgent.exe
    (Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
    (Microsoft Corporation) C:\Windows\System32\dasHost.exe
    (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
    (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
    (Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
    (MyCity) C:\Program Files (x86)\MCShield\MCShieldRTM.exe
    (Intel Corporation) C:\Windows\System32\igfxsrvc.exe
    () C:\Program Files (x86)\TopTab\Chrome Launcher\ChromeLauncher.exe
    (Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastUI.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
    (ASUS) C:\Program Files\ASUS\P4G\InsOnSrv.exe
    (ASUS) C:\Program Files\ASUS\P4G\InsOnWMI.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    () C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
    (Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    (ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    (ASUSTek Computer INC.) C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe
    (ASUSTek Computer Inc.) C:\Program Files\ASUS\ASUS VivoBook\ASUSWakeupService.exe
    (ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
    (ASUSTeK Computer Inc.) C:\Program Files\ASUS\ASUS VivoBook\VivoBook.exe
    () C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
    (AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
    (AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
    (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\livecomm.exe
    (AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
    (Microsoft Corporation) C:\Windows\System32\rundll32.exe
    (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
    (Microsoft Corporation) C:\Windows\System32\rundll32.exe
    (Microsoft Corporation) C:\Windows\System32\wsqmcons.exe
    (Microsoft Corporation) C:\Windows\System32\GWX\GWXConfigManager.exe
    (Microsoft Corporation) C:\Windows\System32\GWX\GWXConfigManager.exe
    (Microsoft Corporation) C:\Windows\System32\GWX\GWXConfigManager.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Windows\System32\rundll32.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5512912 2015-04-11] (Avast Software s.r.o.)
    Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\...\Run: [MCShield Monitor] => C:\Program Files (x86)\MCShield\mcshieldrtm.exe [650816 2014-04-11] (MyCity)
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\...\Run: [Facebook Update] => C:\Users\bcdra_000\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2014-10-11] (Facebook Inc.)
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\...\Run: [ChromeLauncher] => C:\PROGRAM FILES (X86)\TOPTAB\CHROME LAUNCHER\CHROMELAUNCHER.EXE [91136 2014-11-01] ()
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\...\RunOnce: [Adobe Speed Launcher] => 1430501451
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [MCShield Monitor] => C:\Program Files (x86)\MCShield\mcshieldrtm.exe [650816 2014-04-11] (MyCity)
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Facebook Update] => C:\Users\bcdra_000\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2014-10-11] (Facebook Inc.)
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [ChromeLauncher] => C:\PROGRAM FILES (X86)\TOPTAB\CHROME LAUNCHER\CHROMELAUNCHER.EXE [91136 2014-11-01] ()
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\RunOnce: [Adobe Speed Launcher] => 1430501451
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll [2012-09-27] (ASUS Cloud Corporation.)
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll [2012-09-27] (ASUS Cloud Corporation.)
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll [2012-09-27] (ASUS Cloud Corporation.)
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-04-11] (Avast Software s.r.o.)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = msn
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = msn
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-04-11] (Avast Software s.r.o.)
    BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-04] (Google Inc.)
    BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-04-11] (Avast Software s.r.o.)
    BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-04] (Google Inc.)
    Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-04] (Google Inc.)
    Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-04] (Google Inc.)
    Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

    FireFox:
    ========
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-08] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-08] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
    FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
    FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
    FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-03-23]

    Chrome:
    =======
    CHR HomePage: Default -> https://www.facebook.com/
    CHR StartupUrls: Default -> "hxxp://www.google.com/"
    CHR Profile: C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Docs) - C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-23]
    CHR Extension: (Google Drive) - C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-23]
    CHR Extension: (YouTube) - C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-23]
    CHR Extension: (Google Search) - C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-23]
    CHR Extension: (Avast Online Security) - C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-03-23]
    CHR Extension: (Chrome Hotword Shared Module) - C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-14]
    CHR Extension: (Google Wallet) - C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-23]
    CHR Extension: (Gmail) - C:\Users\bcdra_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-23]
    CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-11]

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R3 ASUS InstantOn; C:\Program Files\ASUS\P4G\InsOnSrv.exe [277120 2013-03-26] (ASUS)
    R3 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe [72192 2012-12-19] () [File not signed]
    R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-04-11] (Avast Software s.r.o.)
    S3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4030800 2015-04-11] (Avast Software)
    S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
    R3 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
    R3 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
    R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
    R3 WakeupService; C:\Program Files\ASUS\ASUS VivoBook\ASUSWakeupService.exe [45488 2012-12-20] (ASUSTek Computer Inc.)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29168 2015-04-11] ()
    R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28144 2015-04-11] (Avast Software s.r.o.)
    R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [88408 2015-04-11] (Avast Software s.r.o.)
    R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-04-11] (Avast Software s.r.o.)
    R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65736 2015-04-11] ()
    R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1047320 2015-04-11] (Avast Software s.r.o.)
    R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [442264 2015-04-11] (Avast Software s.r.o.)
    R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [136752 2015-04-11] (Avast Software s.r.o.)
    R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [271200 2015-04-11] ()
    R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3837440 2013-08-14] (Qualcomm Atheros Communications, Inc.)
    R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [65784 2013-02-06] (ASUS Corporation)
    S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows (R) Win 7 DDK provider)
    S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows (R) Win 7 DDK provider)
    S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
    R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-01] ( )
    R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
    R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [136408 2015-05-01] (Malwarebytes Corporation)
    R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation)
    S3 S3XXx64; C:\Windows\system32\DRIVERS\S3XXx64.sys [73856 2015-02-17] (Identiv)
    R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [273824 2015-04-11] (Avast Software)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-05-02 17:12 - 2015-05-02 17:12 - 00017293 _____ () C:\Users\bcdra_000\Desktop\FRST.txt
    2015-05-02 17:11 - 2015-05-02 17:11 - 00000000 ____D () C:\Users\bcdra_000\Desktop\FRST-OlderVersion
    2015-04-22 17:40 - 2015-05-02 17:11 - 00000000 ____D () C:\Users\bcdra_000\Desktop\FRST
    2015-04-22 10:46 - 2015-04-13 18:24 - 00792056 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
    2015-04-22 10:46 - 2015-04-13 18:24 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
    2015-04-19 16:20 - 2015-03-22 17:45 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll
    2015-04-19 16:20 - 2015-03-22 17:09 - 01111552 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
    2015-04-19 16:20 - 2015-03-22 17:09 - 00957440 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
    2015-04-19 16:20 - 2015-03-22 17:09 - 00769024 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
    2015-04-19 16:20 - 2015-03-22 17:09 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
    2015-04-19 16:20 - 2015-03-22 17:09 - 00419328 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
    2015-04-19 16:20 - 2015-03-22 17:09 - 00030720 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
    2015-04-19 15:12 - 2015-04-19 15:12 - 00002053 _____ () C:\Users\bcdra_000\Documents\malware apr 19 2015.txt
    2015-04-18 17:24 - 2015-04-18 17:24 - 00002053 _____ () C:\Users\bcdra_000\Documents\malware apr 18 2015.txt
    2015-04-18 16:36 - 2010-12-11 14:06 - 727339008 _____ () C:\Users\bcdra_000\Desktop\Up2009KiRo.avi
    2015-04-18 16:33 - 2013-05-17 19:03 - 734615290 ____R () C:\Users\bcdra_000\Desktop\Tangled.avi
    2015-04-18 16:32 - 2014-04-06 18:25 - 733808640 _____ () C:\Users\bcdra_000\Desktop\The Pirate Fairy.avi
    2015-04-18 16:32 - 2014-04-06 17:32 - 1451961123 _____ () C:\Users\bcdra_000\Desktop\Frozen.avi
    2015-04-18 16:32 - 2013-07-12 14:17 - 1506490897 ____R () C:\Users\bcdra_000\Desktop\Wreck it Ralph.mp4
    2015-04-18 16:32 - 2013-05-22 16:49 - 629321692 ____R () C:\Users\bcdra_000\Desktop\Hotel Transylvania.mp4
    2015-04-18 16:31 - 2014-02-01 21:27 - 1600787538 _____ () C:\Users\bcdra_000\Desktop\Despicable Me.avi
    2015-04-18 16:31 - 2014-01-23 21:22 - 1176881238 _____ () C:\Users\bcdra_000\Desktop\Brave.avi
    2015-04-18 16:31 - 2013-07-15 16:04 - 1919887890 ____R () C:\Users\bcdra_000\Desktop\Despicable Me 2.avi
    2015-04-18 16:30 - 2015-03-05 21:47 - 1197549818 _____ () C:\Users\bcdra_000\Desktop\Tinker Bell and the Legend of the Neverbeast 2014 1080p BluRay x264 AAC - Ozlem.mp4
    2015-04-16 19:55 - 2015-03-12 23:32 - 24980480 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
    2015-04-16 19:55 - 2015-03-12 23:08 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
    2015-04-16 19:55 - 2015-03-12 23:07 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
    2015-04-16 19:55 - 2015-03-12 22:53 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
    2015-04-16 19:55 - 2015-03-12 22:50 - 06025216 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
    2015-04-16 19:55 - 2015-03-12 22:42 - 19695616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
    2015-04-16 19:55 - 2015-03-12 22:28 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
    2015-04-16 19:55 - 2015-03-12 22:26 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
    2015-04-16 19:55 - 2015-03-12 22:22 - 02278400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
    2015-04-16 19:55 - 2015-03-12 22:17 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
    2015-04-16 19:55 - 2015-03-12 22:16 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
    2015-04-16 19:55 - 2015-03-12 22:08 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
    2015-04-16 19:55 - 2015-03-12 22:07 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
    2015-04-16 19:55 - 2015-03-12 22:00 - 14397440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
    2015-04-16 19:55 - 2015-03-12 21:50 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
    2015-04-16 19:55 - 2015-03-12 21:49 - 04305408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
    2015-04-16 19:55 - 2015-03-12 21:45 - 02358784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
    2015-04-16 19:55 - 2015-03-12 21:44 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
    2015-04-16 19:55 - 2015-03-12 21:34 - 12825600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
    2015-04-16 19:55 - 2015-03-12 21:33 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
    2015-04-16 19:55 - 2015-03-12 21:22 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
    2015-04-16 19:55 - 2015-03-12 21:20 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
    2015-04-16 19:55 - 2015-03-12 21:16 - 01311232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
    2015-04-16 19:55 - 2015-03-12 21:14 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
    2015-04-16 19:31 - 2015-03-23 16:59 - 07476032 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
    2015-04-16 19:31 - 2015-03-23 16:59 - 01733952 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
    2015-04-16 19:31 - 2015-03-23 16:59 - 00360480 _____ (Microsoft Corporation) C:\WINDOWS\system32\sechost.dll
    2015-04-16 19:31 - 2015-03-23 16:58 - 01498872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
    2015-04-16 19:31 - 2015-03-23 16:45 - 00257216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sechost.dll
    2015-04-16 19:31 - 2015-03-19 23:12 - 00246272 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
    2015-04-16 19:31 - 2015-03-19 23:10 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
    2015-04-16 19:31 - 2015-03-19 23:10 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
    2015-04-16 19:31 - 2015-03-19 22:17 - 00411648 _____ (Microsoft Corporation) C:\WINDOWS\system32\tracerpt.exe
    2015-04-16 19:31 - 2015-03-19 21:41 - 00369152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tracerpt.exe
    2015-04-16 19:31 - 2015-03-19 21:40 - 00950784 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdh.dll
    2015-04-16 19:31 - 2015-03-19 21:16 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdh.dll
    2015-04-16 17:14 - 2015-04-16 17:14 - 00000000 ____D () C:\Users\bcdra_000\AppData\Local\Intel_Corporation
    2015-04-16 15:31 - 2015-02-24 03:32 - 00991552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
    2015-04-16 15:15 - 2015-03-14 03:54 - 00133256 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
    2015-04-16 15:15 - 2015-03-13 20:56 - 00066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
    2015-04-16 15:15 - 2015-03-13 20:56 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
    2015-04-16 15:15 - 2015-03-13 20:51 - 00015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wu.upgrade.ps.dll
    2015-04-16 15:15 - 2015-03-13 20:37 - 00267264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSetupUI.dll
    2015-04-16 15:15 - 2015-03-13 20:14 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
    2015-04-16 15:15 - 2015-03-13 19:22 - 03678720 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
    2015-04-16 15:15 - 2015-03-13 19:12 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
    2015-04-16 15:15 - 2015-03-13 19:12 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
    2015-04-16 15:15 - 2015-03-13 19:09 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
    2015-04-16 15:15 - 2015-03-13 19:08 - 00408064 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
    2015-04-16 15:15 - 2015-03-13 19:08 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
    2015-04-16 15:15 - 2015-03-13 19:06 - 02373632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
    2015-04-16 15:15 - 2015-03-13 19:06 - 00891392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
    2015-04-16 15:15 - 2015-03-13 19:02 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
    2015-04-16 15:15 - 2015-03-13 19:02 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
    2015-04-16 15:15 - 2015-03-13 18:59 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
    2015-04-16 15:15 - 2015-03-13 18:59 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
    2015-04-16 14:16 - 2015-03-14 03:20 - 01385256 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
    2015-04-16 14:16 - 2015-03-14 03:13 - 01124352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll
    2015-04-16 14:15 - 2015-02-20 18:49 - 00780800 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsm.dll
    2015-04-16 14:13 - 2015-03-12 21:58 - 00259072 _____ (Microsoft Corporation) C:\WINDOWS\system32\pku2u.dll
    2015-04-16 14:13 - 2015-03-12 21:37 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\pku2u.dll
    2015-04-16 13:53 - 2015-03-04 05:25 - 00377152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\clfs.sys
    2015-04-16 13:53 - 2015-03-03 22:04 - 00075264 _____ (Microsoft Corporation) C:\WINDOWS\system32\clfsw32.dll
    2015-04-16 13:53 - 2015-03-03 21:19 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\clfsw32.dll
    2015-04-12 12:12 - 2015-04-12 16:40 - 00000000 ___SD () C:\WINDOWS\system32\GWX
    2015-04-12 12:12 - 2015-04-12 12:12 - 00000000 ___SD () C:\WINDOWS\SysWOW64\GWX
    2015-04-11 19:01 - 2015-04-11 19:01 - 00002000 _____ () C:\Users\Public\Desktop\Avast SafeZone.lnk
    2015-04-11 19:01 - 2015-04-11 19:01 - 00001940 _____ () C:\Users\Public\Desktop\Avast Pro Antivirus.lnk
    2015-04-11 19:00 - 2015-04-11 18:59 - 00028144 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswKbd.sys
    2015-04-11 18:59 - 2015-04-11 18:59 - 00364472 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\aswBoot.exe
    2015-04-11 18:59 - 2015-04-11 18:59 - 00043112 _____ (Avast Software s.r.o.) C:\WINDOWS\avastSS.scr
    2015-04-10 18:25 - 2015-04-10 18:25 - 00002418 _____ () C:\April 10 Malwarebytes.txt

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-05-02 17:12 - 2015-03-15 17:45 - 00000000 ____D () C:\FRST
    2015-05-02 17:11 - 2015-03-15 17:44 - 02101248 _____ (Farbar) C:\Users\bcdra_000\Desktop\FRST64.exe
    2015-05-02 17:08 - 2014-12-26 14:03 - 01742264 _____ () C:\WINDOWS\WindowsUpdate.log
    2015-05-02 17:06 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\system32\sru
    2015-05-01 21:30 - 2014-03-23 12:41 - 00000922 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2015-05-01 21:30 - 2014-03-23 12:41 - 00000918 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2015-05-01 20:40 - 2014-12-31 12:59 - 00003938 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{046B8562-7587-48D7-8BA9-205DC6328515}
    2015-05-01 19:30 - 2014-08-11 06:38 - 00136408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2015-05-01 16:28 - 2014-10-11 13:23 - 00000960 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2527169477-3933765654-3061340152-1001UA.job
    2015-05-01 14:18 - 2014-02-10 21:17 - 00003600 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2527169477-3933765654-3061340152-1001
    2015-05-01 13:59 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
    2015-05-01 13:28 - 2014-10-11 13:23 - 00000938 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2527169477-3933765654-3061340152-1001Core.job
    2015-05-01 12:39 - 2014-02-10 21:14 - 00000062 _____ () C:\Users\bcdra_000\AppData\Roaming\sp_data.sys
    2015-05-01 12:39 - 2013-07-17 19:44 - 00003260 _____ () C:\WINDOWS\System32\Tasks\ASUS Patch for Touch Panel
    2015-05-01 12:39 - 2013-07-17 19:39 - 00003056 _____ () C:\WINDOWS\System32\Tasks\ASUS P4G
    2015-05-01 12:39 - 2013-07-17 19:39 - 00003004 _____ () C:\WINDOWS\System32\Tasks\ASUS Splendid ColorU
    2015-05-01 12:39 - 2013-07-17 19:39 - 00002988 _____ () C:\WINDOWS\System32\Tasks\ASUS Splendid ACMON
    2015-05-01 12:39 - 2013-07-17 19:38 - 00003114 _____ () C:\WINDOWS\System32\Tasks\ASUS Live Update
    2015-05-01 12:39 - 2013-07-17 19:38 - 00003028 _____ () C:\WINDOWS\System32\Tasks\ASUS USB Charger Plus
    2015-05-01 12:39 - 2013-07-17 19:34 - 00003542 _____ () C:\WINDOWS\System32\Tasks\ASUS Touchpad Launcher (x64)
    2015-05-01 12:30 - 2014-12-26 23:12 - 00000000 ____D () C:\Users\bcdra_000\OneDrive
    2015-05-01 12:30 - 2014-12-26 13:35 - 00000000 ____D () C:\Users\bcdra_000
    2015-05-01 12:30 - 2014-03-23 21:59 - 00000000 ____D () C:\ProgramData\MCShield
    2015-05-01 12:27 - 2013-08-22 09:46 - 00294523 _____ () C:\WINDOWS\setupact.log
    2015-05-01 12:27 - 2013-08-22 09:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2015-05-01 10:32 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\system32\NDF
    2015-04-27 19:39 - 2014-08-11 06:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2015-04-27 19:39 - 2014-08-11 06:37 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
    2015-04-23 21:32 - 2014-03-23 12:43 - 00004182 _____ () C:\WINDOWS\System32\Tasks\avast! Emergency Update
    2015-04-22 20:43 - 2013-08-22 08:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
    2015-04-22 20:28 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\rescache
    2015-04-22 12:49 - 2013-08-22 10:36 - 00000000 ____D () C:\WINDOWS\AppCompat
    2015-04-22 10:43 - 2015-01-31 09:28 - 00000000 ____D () C:\WINDOWS\system32\appraiser
    2015-04-22 10:43 - 2014-09-24 04:50 - 00000000 ___SD () C:\WINDOWS\system32\CompatTel
    2015-04-22 10:43 - 2014-09-24 02:03 - 00139602 _____ () C:\WINDOWS\PFRO.log
    2015-04-21 22:27 - 2014-02-14 15:31 - 00000000 ____D () C:\WINDOWS\system32\MRT
    2015-04-21 22:27 - 2014-02-14 15:30 - 128913832 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2015-04-19 17:35 - 2014-02-16 19:07 - 00000000 ____D () C:\Users\bcdra_000\AppData\Roaming\uTorrent
    2015-04-19 16:45 - 2012-07-26 02:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
    2015-04-17 22:52 - 2014-06-27 12:09 - 00000000 ____D () C:\Users\bcdra_000\AppData\Roaming\vlc
    2015-04-16 20:00 - 2014-07-22 10:39 - 00000000 ____D () C:\Users\bcdra_000\Desktop\SCWS
    2015-04-16 19:40 - 2014-02-17 22:27 - 00000000 ____D () C:\Users\bcdra_000\AppData\Roaming\Skype
    2015-04-16 19:39 - 2014-11-01 05:57 - 00000000 ____D () C:\Users\bcdra_000\AppData\Roaming\LibreOffice
    2015-04-16 19:39 - 2014-03-23 12:44 - 00000000 ____D () C:\Users\bcdra_000\AppData\Roaming\AVAST Software
    2015-04-16 19:39 - 2014-03-23 12:41 - 00000000 ____D () C:\Users\bcdra_000\AppData\Local\Google
    2015-04-16 19:39 - 2014-02-17 22:27 - 00000000 ____D () C:\Users\bcdra_000\AppData\Local\Skype
    2015-04-16 19:39 - 2014-02-10 21:11 - 00000000 ____D () C:\Users\bcdra_000\AppData\Roaming\Adobe
    2015-04-16 19:38 - 2014-10-18 09:03 - 00000000 ____D () C:\Users\bcdra_000\AppData\Local\Ankama
    2015-04-16 19:38 - 2014-10-11 13:23 - 00000000 ____D () C:\Users\bcdra_000\AppData\Local\Facebook
    2015-04-16 19:38 - 2014-02-10 21:13 - 00000000 ____D () C:\Users\bcdra_000\AppData\Local\ASUS
    2015-04-16 13:09 - 2014-12-26 15:11 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaext.dll
    2015-04-14 09:38 - 2014-08-11 06:37 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
    2015-04-14 09:37 - 2014-08-11 06:37 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
    2015-04-14 09:37 - 2014-03-23 10:41 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
    2015-04-11 21:11 - 2014-10-16 12:07 - 00000000 ___RD () C:\Program Files (x86)\Skype
    2015-04-11 21:10 - 2014-09-24 02:15 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
    2015-04-11 21:09 - 2014-02-17 22:27 - 00000000 ____D () C:\ProgramData\Skype
    2015-04-11 21:07 - 2014-06-27 12:07 - 00001088 _____ () C:\Users\Public\Desktop\VLC media player.lnk
    2015-04-11 19:12 - 2013-08-22 08:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
    2015-04-11 18:59 - 2014-06-01 06:18 - 00029168 _____ () C:\WINDOWS\system32\Drivers\aswHwid.sys
    2015-04-11 18:59 - 2014-03-23 12:40 - 01047320 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswSnx.sys
    2015-04-11 18:59 - 2014-03-23 12:40 - 00442264 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswSP.sys
    2015-04-11 18:59 - 2014-03-23 12:40 - 00271200 _____ () C:\WINDOWS\system32\Drivers\aswVmm.sys
    2015-04-11 18:59 - 2014-03-23 12:40 - 00136752 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswStm.sys
    2015-04-11 18:59 - 2014-03-23 12:40 - 00093528 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswRdr2.sys
    2015-04-11 18:59 - 2014-03-23 12:40 - 00088408 _____ (Avast Software s.r.o.) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
    2015-04-11 18:59 - 2014-03-23 12:40 - 00065736 _____ () C:\WINDOWS\system32\Drivers\aswRvrt.sys
    2015-04-10 18:27 - 2013-05-01 04:37 - 00000000 ____D () C:\WINDOWS\es

    ==================== Files in the root of some directories =======

    2014-10-19 05:50 - 2014-11-02 02:56 - 0000117 _____ () C:\Users\bcdra_000\AppData\Roaming\D2Info0
    2014-10-19 05:50 - 2014-11-02 03:11 - 0000008 _____ () C:\Users\bcdra_000\AppData\Roaming\DofusAppId0_1
    2014-10-19 12:12 - 2014-11-01 07:34 - 0000008 _____ () C:\Users\bcdra_000\AppData\Roaming\DofusAppId0_2
    2015-04-16 19:40 - 2015-04-16 19:40 - 0045786 _____ () C:\Users\bcdra_000\AppData\Roaming\HELP_DECRYPT.PNG
    2014-07-25 23:19 - 2014-07-25 23:19 - 0000044 _____ () C:\Users\bcdra_000\AppData\Roaming\mbam.context.scan
    2014-02-10 21:14 - 2015-05-01 12:39 - 0000062 _____ () C:\Users\bcdra_000\AppData\Roaming\sp_data.sys
    2014-08-27 07:20 - 2014-08-27 07:20 - 0003584 _____ () C:\Users\bcdra_000\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2015-04-16 19:39 - 2015-04-16 19:39 - 0045786 _____ () C:\Users\bcdra_000\AppData\Local\HELP_DECRYPT.PNG
    2015-04-16 19:38 - 2015-04-16 19:38 - 0045786 _____ () C:\ProgramData\HELP_DECRYPT.PNG
    2013-05-01 04:34 - 2012-09-07 06:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
    2013-05-01 04:34 - 2009-07-22 05:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
    2013-05-01 04:34 - 2012-09-07 06:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS

    Files to move or delete:
    ====================
    C:\ProgramData\SetStretch.exe
    C:\ProgramData\SetStretch.VBS


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-05-01 14:19

    ==================== End Of Log ============================



    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-05-2015
    Ran by bcdra_000 at 2015-05-02 17:14:33
    Running from C:\Users\bcdra_000\Desktop
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-2527169477-3933765654-3061340152-500 - Administrator - Disabled)
    bcdra_000 (S-1-5-21-2527169477-3933765654-3061340152-1001 - Administrator - Enabled) => C:\Users\bcdra_000
    Guest (S-1-5-21-2527169477-3933765654-3061340152-501 - Limited - Disabled)
    HomeGroupUser$ (S-1-5-21-2527169477-3933765654-3061340152-1003 - Limited - Enabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
    Alcor Micro USB Card Reader (HKLM-x32\...\AmUStor) (Version: 3.4.117.01527 - Alcor Micro Corp.)
    Alcor Micro USB Card Reader (x32 Version: 3.4.117.01527 - Alcor Micro Corp.) Hidden
    ASUS LifeFrame3 (HKLM-x32\...\{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}) (Version: 3.1.13 - ASUS)
    ASUS Live Update (HKLM-x32\...\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}) (Version: 3.1.8 - ASUS)
    ASUS Power4Gear Hybrid (HKLM\...\{9B6239BF-4E85-4590-8D72-51E30DB1A9AA}) (Version: 3.0.1 - ASUS)
    ASUS S200 Product Demo (HKLM-x32\...\{5E396FE4-6110-41C9-9B1F-2F30A4A13715}) (Version: 1.0.0 - ASUS)
    ASUS Screen Saver (HKLM\...\{0FBEEDF8-30FA-4FA3-B31F-C9C7E7E8DFA2}) (Version: 1.0.1 - ASUS)
    ASUS Smart Gesture (HKLM-x32\...\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}) (Version: 2.0.1 - ASUS)
    ASUS Splendid Video Enhancement Technology (HKLM-x32\...\{0969AF05-4FF6-4C00-9406-43599238DE0D}) (Version: 2.01.0002 - ASUS)
    ASUS USB Charger Plus (HKLM-x32\...\{A859E3E5-C62F-4BFA-AF1D-2B95E03166AF}) (Version: 2.1.5 - ASUS)
    ASUS VivoBook (HKLM\...\{04FDBE69-F9FD-42A2-9008-E5CE7F60C6BE}) (Version: 1.0.27 - ASUS)
    ASUS WebStorage Sync Agent (HKLM-x32\...\ASUS WebStorage) (Version: 1.1.18.159 - ASUS Cloud Corporation)
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.7 - Atheros Communications Inc.)
    ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0027 - ASUS)
    Avast Pro Antivirus (HKLM-x32\...\Avast) (Version: 10.2.2215 - AVAST Software)
    Chrome Launcher (HKLM-x32\...\{8B5E8E15-7229-4C46-887A-27E1F62AC7FC}) (Version: 1.0.0 - TopTab)
    D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
    Facebook Video Calling 3.1.0.521 (HKLM-x32\...\{2091F234-EB58-4B80-8C96-8EB78C808CF7}) (Version: 3.1.521 - Skype Limited)
    Galería de fotos (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
    Galerie de photos (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 42.0.2311.135 - Google Inc.)
    Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6227.252 - Google Inc.)
    Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
    Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
    Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
    Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
    Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3308 - Intel Corporation)
    Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
    LibreOffice 4.3.3.2 (HKLM-x32\...\{87C753BB-81E3-403B-BD87-6293F870B20B}) (Version: 4.3.3.2 - The Document Foundation)
    Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
    MCShield ::Anti-Malware Tool:: (HKLM-x32\...\MCShield) (Version: 3.0.5.28 - MyCity)
    Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft SkyDrive (HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
    Microsoft SkyDrive (HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
    Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
    MyBitCast 2.0 (HKLM-x32\...\MyBitCast) (Version: 2.0 - ASUS)
    OAS (HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\...\Online Ad Scanner) (Version: 1.00 - OAS Corp)
    OAS (HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Online Ad Scanner) (Version: 1.00 - OAS Corp)
    Qualcomm Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Qualcomm Atheros)
    Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6798 - Realtek Semiconductor Corp.)
    Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
    Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
    VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.0 - VideoLAN)
    Windows Driver Package - ASUS (ATP) Mouse (01/10/2013 1.0.0.170) (HKLM\...\4A9DE1E9EBC800B7F01739D4DE7363EF6751BDF5) (Version: 01/10/2013 1.0.0.170 - ASUS)
    Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
    WinFlash (HKLM-x32\...\{8F21291E-0444-4B1D-B9F9-4370A73E346D}) (Version: 2.41.1 - ASUS)
    影像中心 (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
    照片库 (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    CustomCLSID: HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\bcdra_000\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\bcdra_000\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\bcdra_000\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\bcdra_000\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\FileSyncApi64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-2527169477-3933765654-3061340152-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\bcdra_000\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-2527169477-3933765654-3061340152-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\bcdra_000\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-2527169477-3933765654-3061340152-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\bcdra_000\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-2527169477-3933765654-3061340152-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\bcdra_000\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\FileSyncApi64.dll (Microsoft Corporation)

    ==================== Restore Points =========================

    16-04-2015 14:29:12 Windows Update
    19-04-2015 15:02:48 Windows Update
    22-04-2015 20:17:18 Restore Point Created by FRST
    01-05-2015 16:42:43 Scheduled Checkpoint

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2013-08-22 08:25 - 2013-08-22 08:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

    Task: {03ECD4FA-0A66-4470-A8C7-0D8C48E4F785} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
    Task: {0E716F08-E592-429C-B930-B1D6230F829A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-03-23] (Google Inc.)
    Task: {13FCC3C2-AEB3-465A-83D6-D7BDCB185EFC} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-2527169477-3933765654-3061340152-1001UA => C:\Users\bcdra_000\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-10-11] (Facebook Inc.)
    Task: {267490C6-D0E0-4C9E-899C-977448CFA7EC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-03-23] (Google Inc.)
    Task: {2A60A946-52BE-4963-BAB8-5D68DE62C860} - System32\Tasks\ASUS USB Charger Plus => C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe [2012-09-18] (ASUSTek Computer Inc.)
    Task: {2A71437F-DAD7-4864-93AA-4B5CB4E611E4} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
    Task: {2E8CA2E5-82E8-49FD-A9C1-E5074D92E26E} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-2527169477-3933765654-3061340152-1001Core => C:\Users\bcdra_000\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-10-11] (Facebook Inc.)
    Task: {5B933739-E067-4049-8441-FB3A4A6B06A3} - System32\Tasks\ASUS P4G => C:\Program Files\ASUS\P4G\BatteryLife.exe [2013-03-26] (ASUS)
    Task: {5C204187-A3C4-4D4E-8996-B571533EA211} - System32\Tasks\ASUS Touchpad Launcher (x64) => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLauncher.exe [2013-02-06] (AsusTek)
    Task: {5FC140DC-9FAE-4394-BB02-9690BD5081EB} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
    Task: {63A0788C-0626-4CF1-BBED-FF9B4D8E4CD6} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-04-11] (Avast Software s.r.o.)
    Task: {6F77B700-C016-495E-8F77-0A96B395BDD6} - System32\Tasks\boosterpop => C:\Program Files (x86)\Portable Booster\WarningPopUp.exe
    Task: {797E9C6D-69D8-44B4-8072-ACB2124BD195} - System32\Tasks\ASUS Patch for Touch Panel => C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe [2013-01-09] (ASUSTek Computer INC.)
    Task: {81985B02-5A62-434A-9D7D-5A8220368C72} - System32\Tasks\ASUS Live Update => C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [2012-07-25] (ASUSTeK Computer Inc.)
    Task: {846C89F9-755E-4985-AD18-168781F86A35} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-03-23] (Microsoft Corporation)
    Task: {DA589A6E-1F5F-4BBB-B2AB-67773D70B9B7} - System32\Tasks\ASUS Splendid ColorU => C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe [2012-11-29] ()
    Task: {E0CE8654-7BAF-47DE-BB02-8F2608B63307} - System32\Tasks\ASUS Splendid ACMON => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [2012-11-29] (ASUS)
    Task: {E5D6771F-791E-4DA3-AA21-4467C989626E} - System32\Tasks\ASUS VivoBook => C:\Program Files\ASUS\ASUS VivoBook\VivoBook.exe [2013-01-29] (ASUSTeK Computer Inc.)
    Task: {F7B12CE8-7461-4B51-A04F-2B6D052CFA23} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-04-21] (Microsoft Corporation)
    Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2527169477-3933765654-3061340152-1001Core.job => C:\Users\bcdra_000\AppData\Local\Facebook\Update\FacebookUpdate.exe
    Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2527169477-3933765654-3061340152-1001UA.job => C:\Users\bcdra_000\AppData\Local\Facebook\Update\FacebookUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

    ==================== Loaded Modules (whitelisted) ==============

    2013-10-01 14:02 - 2013-10-01 14:02 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
    2014-11-01 16:39 - 2014-11-01 16:39 - 00091136 _____ () C:\Program Files (x86)\TopTab\Chrome Launcher\ChromeLauncher.exe
    2012-12-19 01:10 - 2012-12-19 01:10 - 00072192 _____ () C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe
    2013-03-26 16:38 - 2013-03-26 16:38 - 00031360 _____ () C:\Program Files\ASUS\P4G\DevMng.dll
    2012-11-29 19:15 - 2012-11-29 19:15 - 00171224 _____ () C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
    2015-01-27 09:39 - 2015-01-27 09:40 - 00183296 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\ErrorReporting.dll
    2015-04-11 18:59 - 2015-04-11 18:59 - 00104400 _____ () C:\Program Files\AVAST Software\Avast\log.dll
    2015-04-11 18:59 - 2015-04-11 18:59 - 00081728 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
    2015-05-01 10:46 - 2015-05-01 10:46 - 02926592 _____ () C:\Program Files\AVAST Software\Avast\defs\15050100\algo.dll
    2015-05-01 16:30 - 2015-05-01 16:30 - 02926592 _____ () C:\Program Files\AVAST Software\Avast\defs\15050101\algo.dll
    2015-04-11 18:59 - 2015-04-11 18:59 - 40540672 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
    2013-07-17 19:34 - 2012-06-25 12:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

    AlternateDataStreams: C:\Users\bcdra_000\OneDrive:ms-properties

    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) ===============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, the associated entry will be removed from the registry.)


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\bcdra_000\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\asus.jpg
    HKU\S-1-5-21-2527169477-3933765654-3061340152-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> C:\Users\bcdra_000\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\asus.jpg
    DNS Servers: 75.75.75.75 - 75.75.76.76

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    MSCONFIG\startupreg: ASUSPRP => "C:\Program Files (x86)\ASUS\APRP\APRP.EXE"
    MSCONFIG\startupreg: ASUSWebStorage => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSPanel.exe /S
    MSCONFIG\startupreg: DisableS3S4 => c:\windows\temp\DisableS3S464\sethigh.cmd
    MSCONFIG\startupreg: HotKeysCmds => "C:\WINDOWS\system32\hkcmd.exe"
    MSCONFIG\startupreg: IgfxTray => "C:\WINDOWS\system32\igfxtray.exe"
    MSCONFIG\startupreg: mcpltui_exe => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    MSCONFIG\startupreg: RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX3
    MSCONFIG\startupreg: RTHDVCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

    ==================== FirewallRules (whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
    FirewallRules: [{EFF06495-ED0E-4D86-8AFD-2FAEFF8995FE}] => (Allow) C:\Users\bcdra_000\AppData\Roaming\OAS\oasupd.exe
    FirewallRules: [{47146E03-813E-4B08-B903-F8435181808A}] => (Allow) C:\Users\bcdra_000\AppData\Roaming\OAS\oas.exe
    FirewallRules: [{9397BCCF-E49A-4841-ABE0-664900CCF329}] => (Allow) C:\Users\bcdra_000\AppData\Local\Facebook\Video\Skype\FacebookVideoCalling.exe
    FirewallRules: [{1EB70A8A-65DE-43B5-A6FD-BCAC311AFC03}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
    FirewallRules: [{B9E1E9D1-84CF-4D22-AF84-69600ED92D08}] => (Allow) C:\Users\bcdra_000\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{38329742-E31B-46FC-ABC2-503BF047066F}] => (Allow) C:\Users\bcdra_000\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{5ACE7CEE-03CF-4E9A-820F-F40AA826B636}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
    FirewallRules: [{87E300A0-CFB0-47DF-9521-30226B6A31BA}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
    FirewallRules: [{F2B31906-DD6A-45A3-91FF-FE0E3A77208F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
    FirewallRules: [{12223DA3-0792-46D5-8D6A-36EFF3A47494}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
    FirewallRules: [{037906A0-EA0B-4353-8B10-388C0254F270}] => (Allow) LPort=1900
    FirewallRules: [{4C85DDCB-8F3B-459E-8894-079FA992ABC1}] => (Allow) LPort=2869
    FirewallRules: [{0C2C45C0-6122-4D6E-B66D-D1A6A4ACD5DB}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    FirewallRules: [{C198D3B1-EADB-4A32-A9A6-05E806B0AB63}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
    FirewallRules: [{A58784B3-50AC-40F0-8336-E87C034E7AB6}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
    FirewallRules: [{CA06D737-210C-4E36-8A50-C14393B95167}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (05/02/2015 05:05:53 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: The program wwahost.exe version 6.3.9600.17415 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: 808

    Start Time: 01d08524174be406

    Termination Time: 4294967295

    Application Path: C:\WINDOWS\syswow64\wwahost.exe

    Report Id: 60d6093e-f117-11e4-beba-60a44cd6c3a6

    Faulting package full name: WildTangentGames.-GamesApp-_1.0.3.24_x86__qt5r5pa5dyg8m

    Faulting package-relative application ID: WTGames

    Error: (05/02/2015 05:05:50 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: CALVERT)
    Description: Activation of app WildTangentGames.-GamesApp-_qt5r5pa5dyg8m!WTGames failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

    Error: (05/02/2015 05:05:40 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: CALVERT)
    Description: App WildTangentGames.-GamesApp-_1.0.3.24_x86__qt5r5pa5dyg8m+WTGames did not launch within its allotted time.

    Error: (05/01/2015 07:43:00 AM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: The program LiveComm.exe version 17.5.9600.20689 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: db0

    Start Time: 01d0840ba2691924

    Termination Time: 4294967295

    Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe

    Report Id: 969975fb-efff-11e4-beb9-60a44cd6c3a6

    Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe

    Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/30/2015 06:13:32 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: The program LiveComm.exe version 17.5.9600.20689 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: 1948

    Start Time: 01d08392720bba72

    Termination Time: 4294967295

    Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe

    Report Id: 7f0d839f-ef8e-11e4-beb9-60a44cd6c3a6

    Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe

    Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/30/2015 02:55:40 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: The program LiveComm.exe version 17.5.9600.20689 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: 1cdc

    Start Time: 01d0837ee85c3ed2

    Termination Time: 4294967295

    Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe

    Report Id: d5f492fe-ef72-11e4-beb9-60a44cd6c3a6

    Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe

    Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/30/2015 00:51:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: The program LiveComm.exe version 17.5.9600.20689 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: 1380

    Start Time: 01d0836d8e2fdb61

    Termination Time: 4294967295

    Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe

    Report Id: 833c89cb-ef61-11e4-beb9-60a44cd6c3a6

    Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe

    Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/30/2015 08:05:41 AM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: The program LiveComm.exe version 17.5.9600.20689 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: f14

    Start Time: 01d082faa4748aa5

    Termination Time: 4294967295

    Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe

    Report Id: 979d9076-ef39-11e4-beb9-60a44cd6c3a6

    Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe

    Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/29/2015 10:28:09 PM) (Source: Google Update) (EventID: 20) (User: CALVERT)
    Description: Network Request Error.
    Error: 0x80040801. Http status code: 0.
    Url=https://www.facebook.com/omaha/update.php
    Trying config: source=IE, wpad=1, script=.
    trying CUP:WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying CUP:iexplore.
    Send request returned 0x80040801. Http status code 0.
    Trying config: source=, direct connection.
    trying CUP:WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying CUP:iexplore.
    Send request returned 0x80040801. Http status code 0.
    Trying config: source=IE, wpad=1, script=.
    trying CUP:WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying CUP:iexplore.
    Send request returned 0x80040801. Http status code 0.
    Trying config: source=, direct connection.
    trying CUP:WinHTTP.
    Send request returned 0x80040801. Http s

    Error: (04/29/2015 05:35:35 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
    Description: 80070005


    System errors:
    =============
    Error: (05/01/2015 04:44:18 PM) (Source: Ntfs) (EventID: 55) (User: NT AUTHORITY)
    Description: A corruption was discovered in the file system structure on volume OS.

    The Master File Table (MFT) contains a corrupted file record. The file reference number is 0x100000000335b2. The name of the file is "<unable to determine file name>".

    Error: (05/01/2015 00:27:38 PM) (Source: EventLog) (EventID: 6008) (User: )
    Description: The previous system shutdown at 12:17:00 PM on ‎5/‎1/‎2015 was unexpected.

    Error: (05/01/2015 10:51:36 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

    Error: (05/01/2015 10:27:03 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
    Description: 4

    Error: (04/30/2015 07:43:41 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
    Description: 4

    Error: (04/30/2015 06:49:28 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
    Description: 4

    Error: (04/30/2015 09:01:08 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

    Error: (04/30/2015 09:01:07 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

    Error: (04/30/2015 09:01:07 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

    Error: (04/29/2015 04:58:23 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
    Description: 4


    Microsoft Office Sessions:
    =========================
    Error: (05/02/2015 05:05:53 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: wwahost.exe6.3.9600.1741580801d08524174be4064294967295C:\WINDOWS\syswow64\wwahost.exe60d6093e-f117-11e4-beba-60a44cd6c3a6WildTangentGames.-GamesApp-_1.0.3.24_x86__qt5r5pa5dyg8mWTGames

    Error: (05/02/2015 05:05:50 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: CALVERT)
    Description: WildTangentGames.-GamesApp-_qt5r5pa5dyg8m!WTGames-2144927142

    Error: (05/02/2015 05:05:40 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: CALVERT)
    Description: WildTangentGames.-GamesApp-_1.0.3.24_x86__qt5r5pa5dyg8m+WTGames

    Error: (05/01/2015 07:43:00 AM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: LiveComm.exe17.5.9600.20689db001d0840ba26919244294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe969975fb-efff-11e4-beb9-60a44cd6c3a6microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/30/2015 06:13:32 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: LiveComm.exe17.5.9600.20689194801d08392720bba724294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe7f0d839f-ef8e-11e4-beb9-60a44cd6c3a6microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/30/2015 02:55:40 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: LiveComm.exe17.5.9600.206891cdc01d0837ee85c3ed24294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exed5f492fe-ef72-11e4-beb9-60a44cd6c3a6microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/30/2015 00:51:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: LiveComm.exe17.5.9600.20689138001d0836d8e2fdb614294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe833c89cb-ef61-11e4-beb9-60a44cd6c3a6microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/30/2015 08:05:41 AM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: LiveComm.exe17.5.9600.20689f1401d082faa4748aa54294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe979d9076-ef39-11e4-beb9-60a44cd6c3a6microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

    Error: (04/29/2015 10:28:09 PM) (Source: Google Update) (EventID: 20) (User: CALVERT)
    Description: Network Request Error.
    Error: 0x80040801. Http status code: 0.
    Url=https://www.facebook.com/omaha/update.php
    Trying config: source=IE, wpad=1, script=.
    trying CUP:WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying CUP:iexplore.
    Send request returned 0x80040801. Http status code 0.
    Trying config: source=, direct connection.
    trying CUP:WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying CUP:iexplore.
    Send request returned 0x80040801. Http status code 0.
    Trying config: source=IE, wpad=1, script=.
    trying CUP:WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying WinHTTP.
    Send request returned 0x80040801. Http status code 0.
    trying CUP:iexplore.
    Send request returned 0x80040801. Http status code 0.
    Trying config: source=, direct connection.
    trying CUP:WinHTTP.
    Send request returned 0x80040801. Http s

    Error: (04/29/2015 05:35:35 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
    Description: 80070005


    ==================== Memory info ===========================

    Processor: Intel(R) Pentium(R) CPU 2117U @ 1.80GHz
    Percentage of memory in use: 60%
    Total physical RAM: 3981.82 MB
    Available physical RAM: 1568.81 MB
    Total Pagefile: 4941.82 MB
    Available Pagefile: 2219.89 MB
    Total Virtual: 131072 MB
    Available Virtual: 131071.84 MB

    ==================== Drives ================================

    Drive c: (OS) (Fixed) (Total:185.87 GB) (Free:130.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive d: (Data) (Fixed) (Total:258.15 GB) (Free:241.36 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 465.8 GB) (Disk ID: 3E1AB738)

    Partition: GPT Partition Type.

    ==================== End Of Log ============================
    If you think you might be infected with malware or have recently cleansed your computer of malware without the help of an expert, please read and follow the instructions in How to Start Removing Viruses and Spyware from your Computer. This can alleviate time consumed in trouble shooting your current computer problems.

    If your problem is solved, here's how to say thanks!

    Very proud parent of a U.S. Navy "CB"



    "People may forget what you say,
    People may forget what you did,
    but People will never forget how you made them feel!"

  2. #2
    Member Spyware Fighter zep516's Avatar
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301

    Default

    It's all I see

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Open notepad (Start =>All Programs => Accessories => Notepad).
    Copy/Paste the contents of the code box below into Notepad.

    Code:
    start
    CloseProcesses:
    CreateRestorePoint:
    AlternateDataStreams: C:\Users\bcdra_000\OneDrive:ms-properties
    2013-05-01 04:34 - 2012-09-07 06:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
    2013-05-01 04:34 - 2009-07-22 05:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
    2013-05-01 04:34 - 2012-09-07 06:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    CMD: ipconfig /flushdns
    Emptytemp:
    Click Format and ensure Wordwrap is unchecked.
    Save as Fixlist.txt to your Desktop (Must be in this location)
    Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.


    2015-04-16 19:40 - 2015-04-16 19:40 - 0045786 _____ () C:\Users\bcdra_000\AppData\Roaming\HELP_DECRYPT.PNG
    2015-04-16 19:39 - 2015-04-16 19:39 - 0045786 _____ () C:\Users\bcdra_000\AppData\Local\HELP_DECRYPT.PNG
    2015-04-16 19:38 - 2015-04-16 19:38 - 0045786 _____ () C:\ProgramData\HELP_DECRYPT.PNG
    This looks like cryptowall version 3.0

    Not sure what to do with those until research

  3. #3
    Member Spyware Fighter DonnaB's Avatar
    Join Date
    Apr 2009
    Location
    Illiana, Ill. USA
    Posts
    3,521
    Points
    563

    Default

    Yeah, they are. Let me know if you want me to go looking for that topic at WTT or BC.

    I came across a McAfee file under drivers. That's what came preinstalled. I better run the removal tool.

    Also, I had him install McShield some time ago and I noticed that when you hover the mouse over the icon it displays gibberish. I'll have to reinstall that and check his other programs.

    Here is the fixlog.


    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-05-2015
    Ran by bcdra_000 at 2015-05-02 18:07:06 Run:2
    Running from C:\Users\bcdra_000\Desktop
    Loaded Profiles: bcdra_000 (Available profiles: bcdra_000)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    CreateRestorePoint:
    AlternateDataStreams: C:\Users\bcdra_000\OneDrive:ms-properties
    2013-05-01 04:34 - 2012-09-07 06:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
    2013-05-01 04:34 - 2009-07-22 05:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
    2013-05-01 04:34 - 2012-09-07 06:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    CMD: ipconfig /flushdns
    Emptytemp:
    *****************

    Processes closed successfully.
    Restore point was successfully created.
    C:\Users\bcdra_000\OneDrive => ":ms-properties" ADS removed successfully.
    C:\ProgramData\SetStretch.cmd => Moved successfully.
    C:\ProgramData\SetStretch.exe => Moved successfully.
    C:\ProgramData\SetStretch.VBS => Moved successfully.
    HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.

    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========

    EmptyTemp: => Removed 478.1 MB temporary data.


    The system needed a reboot.

    ==== End of Fixlog 18:09:36 ====

  4. #4
    Member Spyware Fighter zep516's Avatar
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301

    Default

    A few items to fix

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Open notepad (Start =>All Programs => Accessories => Notepad).
    Copy/Paste the contents of the code box below into Notepad.

    Code:
    start
    CloseProcesses:
    CreateRestorePoint:
    2015-04-16 19:40 - 2015-04-16 19:40 - 0045786 _____ () C:\Users\bcdra_000\AppData\Roaming\HELP_DECRYPT.PNG
    2015-04-16 19:39 - 2015-04-16 19:39 - 0045786 _____ () C:\Users\bcdra_000\AppData\Local\HELP_DECRYPT.PNG
    2015-04-16 19:38 - 2015-04-16 19:38 - 0045786 _____ () C:\ProgramData\HELP_DECRYPT.PNG 
    Emptytemp:
    Click Format and ensure Wordwrap is unchecked.
    Save as Fixlist.txt to your Desktop (Must be in this location)
    Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

    Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

    Next


    Please do the following:

    Run the FRST program.

    Type the following in the edit box after "Search:" :

    *decrypt*

    Click Search FILES button and post the log it makes to your reply. Could be a very long log file.
    Last edited by zep516; 05-02-2015 at 07:05 PM.

  5. #5
    Member Spyware Fighter DonnaB's Avatar
    Join Date
    Apr 2009
    Location
    Illiana, Ill. USA
    Posts
    3,521
    Points
    563

    Default

    Ok. I ran the MCPRT and reinstalled McShield.

    Here is the 2nd fixlog; the search log is attached because it was so big.


    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-05-2015
    Ran by bcdra_000 at 2015-05-02 19:00:50 Run:3
    Running from C:\Users\bcdra_000\Desktop
    Loaded Profiles: bcdra_000 (Available profiles: bcdra_000)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    CreateRestorePoint:
    2015-04-16 19:40 - 2015-04-16 19:40 - 0045786 _____ () C:\Users\bcdra_000\AppData\Roaming\HELP_DECRYPT.PNG
    2015-04-16 19:39 - 2015-04-16 19:39 - 0045786 _____ () C:\Users\bcdra_000\AppData\Local\HELP_DECRYPT.PNG
    2015-04-16 19:38 - 2015-04-16 19:38 - 0045786 _____ () C:\ProgramData\HELP_DECRYPT.PNG
    Emptytemp:
    *****************

    Processes closed successfully.
    Restore point was successfully created.
    C:\Users\bcdra_000\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
    C:\Users\bcdra_000\AppData\Local\HELP_DECRYPT.PNG => Moved successfully.
    C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
    EmptyTemp: => Removed 81.2 MB temporary data.


    The system needed a reboot.

    ==== End of Fixlog 19:01:54 ====

  6. #6
    Member Spyware Fighter zep516's Avatar
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301

    Default

    A few items to fix

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Open notepad (Start =>All Programs => Accessories => Notepad).
    Copy/Paste the contents of the code box below into Notepad.

    Code:
    start
    DeleteQuarantine:
    Emptytemp:
    Click Format and ensure Wordwrap is unchecked.
    Save as Fixlist.txt to your Desktop (Must be in this location)
    Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

    Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

  7. #7
    Member Spyware Fighter DonnaB's Avatar
    Join Date
    Apr 2009
    Location
    Illiana, Ill. USA
    Posts
    3,521
    Points
    563

    Default

    Hi Joe,

    Just got back home. I did run the last fix before I grabbed the notebook and brought it home with me, since I had such a long drive and I was experiencing some really weird issues with shortcuts I had created to my ISP's email account on the desktop. Shouldn't that shortcut have opened to my account and not his gmail account? I was also having other issues with shortcuts on the desktop opening to something other than what they were supposed to.

    I also wanted to experiment with that ListCWall tool that was created to list all the encrypted files to see if it would find the same files that your *decrypt* search with FRST had found.

    From my understanding, the files, once encrypted by Cryptowall 3.0, cannot be decrypted, and I wanted to try the following cmds with FRST before I/we gave up and deleted the encrypted files.

    CMD: del /F /Q /S "C:\HELP_DECRYPT.HTML"
    CMD: del /F /Q /S "C:\HELP_DECRYPT.PNG"
    CMD: del /F /Q /S "C:\HELP_DECRYPT.URL"
    CMD: del /F /Q /S "C:\HELP_DECRYPT.TXT"
    Bryan said he still has the emails that the files from his commander sent, but hey, figured it would be fun to try to save them for educational purposes. I also heard rumor that if the flags could be removed, we might be able to rollback to previous versions saved in the VSS copies if they were not deleted. I'll have to look back at his original log at GTG to see if they were, or not. I see in the FRST log above the following RP's:

    ==================== Restore Points =========================

    16-04-2015 14:29:12 Windows Update
    19-04-2015 15:02:48 Windows Update
    22-04-2015 20:17:18 Restore Point Created by FRST
    01-05-2015 16:42:43 Scheduled Checkpoint
    If I am not mistaken, the RP's on the 16th and 19th of April may hold some promise. What's your opinion?

    Also. The initial infection itself must be gone. His wife has moved some movies to the desktop from the external and they did not get encrypted as the ones on the system had when he got hit with this nasty. So that is a good sign.

    Getting late. I'll check into this some more tomorrow.

    Thanks for your help.
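    As an added example (not code from this thread, from FRST or from ListCWall), the following Python script does the reviewable version of the `del /F /Q /S "C:\HELP_DECRYPT.*"` idea above: it inventories every HELP_DECRYPT.HTML/PNG/TXT/URL note under a root, grouped by folder, and deletes only on request. Cryptowall 3.0 drops a note into each folder where it encrypted files, so that folder list is also the list of what needs restoring from backup or the restore points discussed above. The tree it runs on is constructed inline; nothing is touched outside a temporary directory.

```python
"""Inventory, then optionally remove, Cryptowall 3.0 ransom notes in a tree.

Added example, not FRST's or the thread's code. Default mode is dry-run:
list first, delete only after the list has been reviewed.
"""
import os
import stat
import tempfile
from collections import defaultdict

# Note filenames as they appear in the FRST logs above; matching is
# case-insensitive because NTFS is.
NOTE_STEM = "help_decrypt"
NOTE_EXTS = {".html", ".png", ".txt", ".url"}


def is_ransom_note(name):
    """True only for HELP_DECRYPT.{HTML,PNG,TXT,URL}; 'help_decrypt_notes.txt' is not a hit."""
    stem, ext = os.path.splitext(name)
    return stem.lower() == NOTE_STEM and ext.lower() in NOTE_EXTS


def inventory_notes(root):
    """Map each directory under root to the full paths of the notes it holds.

    The keys double as the list of folders Cryptowall encrypted files in.
    """
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if is_ransom_note(name):
                hits[dirpath].append(os.path.join(dirpath, name))
    return dict(hits)


def remove_notes(inventory, dry_run=True):
    """Delete the inventoried notes (or just report them); return the paths handled."""
    handled = []
    for paths in inventory.values():
        for path in paths:
            if not dry_run:
                os.chmod(path, stat.S_IWRITE)  # clear read-only first, as del /F does
                os.remove(path)
            handled.append(path)
    return handled


def build_sample_tree(base):
    """Constructed sample layout: two hit folders, one clean folder with a decoy name."""
    layout = {
        "Documents": ["HELP_DECRYPT.TXT", "HELP_DECRYPT.PNG", "report.docx"],
        os.path.join("Pictures", "Vacation"): ["help_decrypt.html", "photo.jpg"],
        "Clean": ["readme.txt", "help_decrypt_notes.txt"],  # decoy: must not match
    }
    for rel, names in layout.items():
        folder = os.path.join(base, rel)
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("constructed sample content\n")


def run_demo():
    """Build the sample tree, inventory it, dry-run, then really delete; return a summary."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        inv = inventory_notes(base)
        affected = sorted(os.path.relpath(d, base) for d in inv)
        planned = remove_notes(inv, dry_run=True)   # nothing deleted yet
        deleted = remove_notes(inv, dry_run=False)  # after review
        return {
            "affected_dirs": affected,
            "note_count": len(planned),
            "deleted": len(deleted),
            "remaining": len(inventory_notes(base)),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run against a real volume by pointing `inventory_notes` at the drive root with `dry_run=True`, then compare the folder list with what ListCWall reports before switching to `dry_run=False`.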

  8. #8
    Member Spyware Fighter zep516's Avatar
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301

    Default

    • Please download Malwarebytes Anti-Malware to your desktop.
    • Double-click mbam-setup-version.exe and follow the prompts to install the program.
    • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
    • Then click Finish.
    • If an update is found, you will be prompted to download and install the latest version.
    • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
    • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
    • Reboot your computer if prompted.



    Posting the Malwarebytes log.

    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Export'.
    • Click 'Text file (*.txt)'
    • In the Save File dialog box which appears, click on Desktop.
    • In the File name: box type a name for your scan log.
    • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
    • Click Ok
    • Attach that saved log to your next reply.

  9. #9
    Member Spyware Fighter DonnaB's Avatar
    Join Date
    Apr 2009
    Location
    Illiana, Ill. USA
    Posts
    3,521
    Points
    563

    Default

    Hi Joe,

    Sorry for the delay.

    Bryan has the Pro version of MBAM installed and I am running the scan now. I went into the Settings and tweaked them to scan for rootkits and made sure the PUP and PUM options are set to Treat detections as malware.

    Funny thing though, I did click on Check for updates, though none were found. As much as MBAM is updated, I thought updates should have been found since I have had it offline for 2 days. Any opinion on that from you?

    I'll post the log as soon as it finishes.

    Nasty storms coming through at the moment, so if I disappear, you know why.

  10. #10
    Member Spyware Fighter DonnaB's Avatar
    Join Date
    Apr 2009
    Location
    Illiana, Ill. USA
    Posts
    3,521
    Points
    563

    Default

    Ok. Here is the MBAM log. Having issues with delayed responses when typing......

    Malwarebytes Anti-Malware
    Malwarebytes | Free Anti-Malware & Internet Security Software

    Scan Date: 5/2/2015
    Scan Time: 5:04:15 PM
    Logfile: mbam.txt
    Administrator: Yes

    Version: 2.01.6.1022
    Malware Database: v2015.05.02.05
    Rootkit Database: v2015.04.21.01
    License: Premium
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 8.1
    CPU: x64
    File System: NTFS
    User: bcdra_000

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 339258
    Time Elapsed: 25 min, 11 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Warn
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)
