Police Virus

Started by DR M, September 01, 2013, 06:54:44 PM


DR M

Hello, Landzdown Forum, hello Corrine.

I have in front of me a laptop that belongs to my friend Georgia's niece and nephew. The computer seems to be infected with the Cyprus Police Virus (something like that) and Georgia asked me if I could do something through the Forum.

Before doing anything, I would like to know if it is safe to connect the infected laptop to my network, log in to the forum with my password and work from there.

Thank you as always!
Grecian Geek

"Count your blessings, remember your prayers..."

"In one of the stars I shall be living. In one of them I shall be laughing. And so it will be as if all the stars will be laughing when you look at the sky at night.. You, only you, will have stars that can laugh..."

Corrine

Hi, Panos.

The ransomware is like the fake/rogue A/V's that we've seen for such a long time and won't infect your network.  However, in order to provide some breathing room (as well as your comfort level), you can download the tools you need to your computer and transfer the tools to the desktop of Georgia's niece & nephew's computer. 

1.  Download one of the versions of RKill from Bleeping Computer:  http://www.bleepingcomputer.com/download/rkill/ and transfer it to the other computer. 

2.  If MBAM isn't installed, update your installed copy first and then see #4 in Section A of the MBAM FAQ at http://forums.malwarebytes.org/index.php?showtopic=10138#entry49525, which reads:
Quote
ISSUE: I need to get the latest database onto a computer that cannot access the Internet.
SOLUTION: You can manually copy the database from a working computer using a flash drive or CD onto the infected PC. Our database file is stored in the following locations.

    Windows XP and 2000
    C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
    Windows Vista and Windows 7:
    C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

    Note: Starting with Malwarebytes Anti-Malware 1.60, you must also copy the file database.conf located within the Configuration folder which is in the same folder as rules.ref listed above.

You can also download a manual update from here - NOTE: This manual update will always be way behind in version level compared to updates from within the program.

3.  Double-click RKill to run and remember if you restart, you'll need to run it again. 

4.  Scan with MBAM:

  • Launch Malwarebytes' Anti-Malware then click the Update tab and "Check for Updates"
  • Once the update has been installed and the program has loaded, select Quick scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please post contents of that file in your next reply.

  ** Note **

  If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

5.  Place DDS on the Desktop of the infected computer and transfer the DDS and MBAM logs via USB to your computer and post here as a reply.  For your convenience, the instructions for DDS:

  • Download DDS.scr by sUBs from here and save it to your desktop.
  • Disable any script blocker and then double-click dds.scr to run.
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • The logs will automatically be saved to your desktop
  • Copy the contents of both logs & post in your next reply

Note:  If you elect to connect the computer to your network, I still suggest starting with RKill, followed by MBAM and then provide me with the DDS logs for review.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
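An added example, not from the thread and not Malwarebytes' own tooling, of carrying out the offline database copy from step 2 in PowerShell on the infected machine, using the two locations the MBAM FAQ quotes. It assumes the files exported from an updated copy of MBAM sit in E:\mbam-db on the USB stick (a constructed path) and that the script runs from an elevated prompt:

```powershell
# Added example (not from the original thread): copy the MBAM 1.x offline
# database, rules.ref and (for MBAM 1.60 and later) Configuration\database.conf,
# from a USB stick into the data folder the MBAM FAQ lists for this Windows version.
# Assumptions: the stick is E:\ and the exported files are in E:\mbam-db;
# run from an elevated PowerShell prompt so the ProgramData folder is writable.

param(
    [string]$Source = 'E:\mbam-db'   # assumed folder on the USB stick
)

# The MBAM folder name contains an apostrophe, so every path that includes it
# stays inside a quoted string; never paste it into the shell unquoted.
$osVersion = [Environment]::OSVersion.Version
if ($osVersion.Major -ge 6) {
    # Windows Vista and Windows 7 (FAQ location 2)
    $root = Join-Path $env:ProgramData "Malwarebytes\Malwarebytes' Anti-Malware"
} else {
    # Windows XP and 2000 (FAQ location 1); ProgramData does not exist there
    $root = Join-Path $env:ALLUSERSPROFILE "Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
}

if (-not (Test-Path -LiteralPath $root)) {
    Write-Error "MBAM data folder not found: $root (is MBAM installed on this machine?)"
    exit 1
}

# rules.ref goes in the data folder itself; database.conf (MBAM 1.60+) goes in
# the Configuration sub-folder next to it, as the FAQ note says.
$files = @(
    @{ Name = 'rules.ref';     Dest = $root },
    @{ Name = 'database.conf'; Dest = (Join-Path $root 'Configuration') }
)

foreach ($f in $files) {
    $src = Join-Path $Source $f.Name
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "$($f.Name) is not on the stick, skipping"
        continue
    }
    if (-not (Test-Path -LiteralPath $f.Dest)) {
        New-Item -ItemType Directory -Path $f.Dest | Out-Null
    }
    Copy-Item -LiteralPath $src -Destination $f.Dest -Force

    # Confirm the copy landed and show its size and timestamp, so an old
    # database (the FAQ warns manual copies lag the in-program update) is obvious.
    $item = Get-Item -LiteralPath (Join-Path $f.Dest $f.Name)
    Write-Host ("{0} -> {1} ({2:N0} bytes, modified {3})" -f $f.Name, $item.FullName, $item.Length, $item.LastWriteTime)
}
```

Check the reported LastWriteTime against the date of the update on the clean machine before scanning; a copy that silently failed leaves the old file and date in place.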

DR M

Hi, Corrine.

There are three accounts on the computer: the one in which the virus appeared, another one that I think is the administrator's account, and one guest account. Should I proceed with the infected account? And is there a way to check the whole computer (I mean all the accounts in it)?

Also, in the admin account I can see two hard discs: OS (C) and Microsoft Office Click-to-Run 2010 (Protected) (Q). Why?

Georgia told me that her brother-in-law tried to clean the computer by doing things he found on the internet. The pop-up does not appear now, but I think that this issue is not so simple and the virus is still there.

Corrine

Hi, Panos.

Use the Administrator account as that has the most privilege. 

Look at Microsoft Office Click-to-Run 2010 (Protected) as a virtual drive.  Additional information here:  An overview of Microsoft Office Click-to-Run for Office 2010.




DR M

I am into administrator's account.

I noticed that it is very difficult to double click an icon. This does not happen in the other accounts.

I ran rkill. No issues found.

I then copied the mbam.exe file onto my memory stick, along with rules.ref. An error occurred: the filename, directory name, or volume label syntax is incorrect.

I proceeded to DDS. Error: Error launching installer.

Security check: Error: Unable to open the script file.


WOW!!!!!!!!!

Corrine

Try Safe Mode and if no luck there, see what happens connected to the infected account. 




DR M

No luck with Safe Mode in the admin's account. I can do nothing in there.

In the infected account, rkill found no malicious threat. MBAM ran all night, found nothing, but there was an error on the screen, about file directory. I ran it without the updates, because it didn't let me copy rules.ref in the proper directory.

So, I only have dds and security check logs:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 6/2/2012 2:19:04 PM
System Uptime: 9/3/2013 2:12:19 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 01HXXJ
Processor: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz | CPU 1 | 2501/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 395.455 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP69: 8/24/2013 2:44:48 PM - Windows Update
RP70: 8/28/2013 9:36:07 PM - Installed Steam
RP71: 9/1/2013 5:20:40 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX 64-bit
Adobe Reader X (10.1.6) MUI
Adobe Shockwave Player 11.6
Advanced Audio FX Engine
Bejeweled 2 Deluxe
Bing Bar
Bing Bar Platform
Bing Rewards Client Installer
Blackhawk Striker 2
Blio
Bounce Symphony
Build-a-lot 2
Cake Mania
Chuzzle Deluxe
D3DX10
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell Edoc Viewer
Dell Getting Started Guide
Dell MusicStage
Dell PhotoStage
Dell Stage
Dell Stage Remote
Dell Support Center
Dell Touchpad
Dell VideoStage
Dell Webcam Central
Diner Dash 2 Restaurant Rescue
DirectX 9 Runtime
Dora's World Adventure
DW WLAN Card
eBay
Escape Whisper Valley (TM)
Farm Frenzy
FATE
Final Drive Fury
Final Drive Nitro
Football Tigers
Google Toolbar for Internet Explorer
Google Update Helper
IDT Audio
Intel(R) Control Center
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
Java Auto Updater
Java(TM) 7 Update 1
Java(TM) 7 Update 1 (64-bit)
Jewel Quest
Jewel Quest Solitaire 2
Junk Mail filter update
Luxor
Malwarebytes Anti-Malware version 1.70.0.1100
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MTN Mobile Broadband
Namco All-Stars PAC-MAN
Nero 10 Movie ThemePack Basic
Nero Blu-ray Player
Nero Control Center 10
Nero ControlCenter 10 Help (CHM)
Nero Core Components 10
Nero Update
Norton Security Scan
PC Tools Registry Mechanic 11.1
Penguins!
PhotoShowExpress
Plants vs. Zombies - Game of the Year
PlayReady PC Runtime x86
Poker Superstars III
Polar Bowler
Polar Golfer
Quickset64
RBVirtualFolder64Inst
Realtek Ethernet Controller Driver
Realtek USB 2.0 Card Reader
Roxio Activation Module
Roxio BackOnTrack
Roxio Burn
Roxio Creator Starter
Roxio Express Labeler 3
Roxio File Backup
Samantha Swift
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Skype™ 5.5
Sonic CinePlayer Decoder Pack
Spider-Man 2
Steam
swMSM
SyncUP
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update Installer for WildTangent Games App
Virtual Villagers 4 - The Tree of Life
Wedding Dash - Ready, Aim, Love!
WIDCOMM Bluetooth Software
WildTangent Games
WildTangent Games App (Dell Games)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
YTD Video Downloader 4.4
Zinio Reader 4
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
9/3/2013 4:02:31 AM, Error: iaStor [9]  - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
9/3/2013 3:54:33 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/3/2013 2:12:39 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the MTN Mobile Broadband. OUC service to connect.
9/3/2013 2:12:39 PM, Error: Service Control Manager [7000]  - The MTN Mobile Broadband. OUC service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
9/2/2013 5:20:56 PM, Error: VDS Basic Provider [1]  - Unexpected failure. Error code: D@01010004
9/2/2013 11:05:56 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service defragsvc with arguments "" in order to run the server: {D20A3293-3341-4AE8-9AAF-8E397CB63C34}
9/2/2013 11:00:20 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
9/2/2013 10:53:40 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/2/2013 10:53:40 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/2/2013 10:53:40 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
9/2/2013 10:53:40 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
9/2/2013 10:53:39 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/2/2013 10:53:34 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/2/2013 10:49:58 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
9/2/2013 10:49:58 PM, Error: Service Control Manager [7001]  - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error:  The dependency service or group failed to start.
9/2/2013 10:49:17 PM, Error: Service Control Manager [7038]  - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
9/2/2013 10:49:17 PM, Error: Service Control Manager [7038]  - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
9/2/2013 10:49:17 PM, Error: Service Control Manager [7038]  - The bthserv service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
9/2/2013 10:49:17 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Interactive Services Detection service to connect.
9/2/2013 10:49:17 PM, Error: Service Control Manager [7000]  - The Interactive Services Detection service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
9/2/2013 10:49:17 PM, Error: Service Control Manager [7000]  - The Diagnostic Service Host service failed to start due to the following error:  The service did not start due to a logon failure.
9/2/2013 10:49:17 PM, Error: Service Control Manager [7000]  - The Bluetooth Support Service service failed to start due to the following error:  The service did not start due to a logon failure.
8/31/2013 12:22:02 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {8BC3F05E-D86B-11D0-A075-00C04FB68820}  and APPID  {8BC3F05E-D86B-11D0-A075-00C04FB68820}  to the user 123456789\Guest SID (S-1-5-21-2441083668-204223877-1480447853-501) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
.
==== End Of File ===========================


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16660
Run by ?a??aµ at 14:26:52 on 2013-09-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4004.2760 [GMT 3:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\ProgramData\MTN Mobile Broadband\OnlineUpdate\ouc.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\UI0Detect.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\System32\WUDFHost.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\windows\SysWOW64\RunDll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\vssvc.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.cy/
uURLSearchHooks: {D8278076-BC68-4484-9233-6E7F1628B56C} - <orphaned>
dURLSearchHooks: {D8278076-BC68-4484-9233-6E7F1628B56C} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
TCP: Interfaces\{000F090D-0BD2-41DB-9C77-F1C862EB7D0F} : DHCPNameServer = 192.168.10.254
TCP: Interfaces\{000F090D-0BD2-41DB-9C77-F1C862EB7D0F}\34954514133443336344 : DHCPNameServer = 192.168.10.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2012-1-29 55856]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-1-29 89600]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-1-29 13336]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2012-7-13 769432]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2013-5-7 794272]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-1-29 689472]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-1-29 2656280]
R3 BTWAMPFL;BTWAMPFL;C:\windows\System32\drivers\btwampfl.sys [2012-1-29 349736]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\System32\drivers\btwl2cap.sys [2012-1-29 39464]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\System32\drivers\CtClsFlt.sys [2012-1-29 176096]
R3 huawei_enumerator;huawei_enumerator;C:\windows\System32\drivers\ew_jubusenum.sys [2013-8-1 87040]
R3 IntcDAud;Intel(R) Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2012-1-29 317440]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-1-29 533096]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2009-12-2 721768]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2009-12-2 269672]
R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2009-12-2 25960]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2009-12-2 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MTN Mobile Broadband. RunOuc;MTN Mobile Broadband. OUC;C:\Program Files (x86)\MTN Mobile Broadband\UpdateDog\ouc.exe [2013-8-1 246112]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\windows\System32\drivers\ew_hwusbdev.sys [2013-8-1 117248]
S3 ew_usbenumfilter;huawei_CompositeFilter;C:\windows\System32\drivers\ew_usbenumfilter.sys [2013-8-1 13952]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 huawei_cdcacm;huawei_cdcacm;C:\windows\System32\drivers\ew_jucdcacm.sys [2013-8-1 98304]
S3 huawei_ext_ctrl;huawei_ext_ctrl;C:\windows\System32\drivers\ew_juextctrl.sys [2013-8-1 28672]
S3 huawei_wwanecm;huawei_wwanecm;C:\windows\System32\drivers\ew_juwwanecm.sys [2013-8-1 223744]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-1-29 250984]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);C:\windows\System32\drivers\ss_bbus.sys [2009-9-19 127488]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);C:\windows\System32\drivers\ss_bmdfl.sys [2009-9-19 18944]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;C:\windows\System32\drivers\ss_bmdm.sys [2009-9-19 161280]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-6-8 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== Created Last 30 ================
.
2015-10-31 14:15:11   --------   d-----r-   C:\Users\??????\Pictures
2013-09-02 19:56:33   24176   ----a-w-   C:\windows\System32\drivers\mbam.sys
2013-09-02 19:56:33   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-01 14:21:19   9515512   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{56DDEECA-B8C4-4759-8EE4-32A6CE290E92}\mpengine.dll
2013-08-28 18:36:22   --------   d-----w-   C:\Program Files (x86)\Common Files\Steam
2013-08-28 18:36:21   --------   d-----w-   C:\Program Files (x86)\Steam
2013-08-21 06:53:53   --------   d-----w-   C:\Users\aa?\AppData\Local\Microsoft
2013-08-19 16:03:19   --------   d-----w-   C:\Program Files (x86)\Emsisoft Anti-Malware
2013-08-19 13:47:04   --------   d-----w-   C:\ProgramData\Malwarebytes
2013-08-16 11:54:09   70   ----a-w-   C:\ProgramData\oupkdkrjntyjjutsnpm.bat
2013-08-16 11:54:09   165   ----a-w-   C:\ProgramData\oupkdkrjntyjjutsnpm.reg
2013-08-14 12:10:29   224256   ----a-w-   C:\windows\System32\wintrust.dll
2013-08-14 12:10:29   1472512   ----a-w-   C:\windows\System32\crypt32.dll
2013-08-14 12:10:29   1166848   ----a-w-   C:\windows\SysWow64\crypt32.dll
2013-08-14 12:10:28   184320   ----a-w-   C:\windows\System32\cryptsvc.dll
2013-08-14 12:10:28   175104   ----a-w-   C:\windows\SysWow64\wintrust.dll
2013-08-14 12:10:28   140288   ----a-w-   C:\windows\SysWow64\cryptsvc.dll
2013-08-14 12:10:27   139776   ----a-w-   C:\windows\System32\cryptnet.dll
2013-08-14 12:10:27   103936   ----a-w-   C:\windows\SysWow64\cryptnet.dll
2013-08-14 12:10:03   2048   ----a-w-   C:\windows\SysWow64\tzres.dll
2013-08-14 12:10:03   2048   ----a-w-   C:\windows\System32\tzres.dll
.
==================== Find3M  ====================
.
2013-07-26 05:13:37   2241024   ----a-w-   C:\windows\System32\wininet.dll
2013-07-26 05:12:08   3958784   ----a-w-   C:\windows\System32\jscript9.dll
2013-07-26 05:12:04   136704   ----a-w-   C:\windows\System32\iesysprep.dll
2013-07-26 05:12:03   67072   ----a-w-   C:\windows\System32\iesetup.dll
2013-07-26 03:35:08   2706432   ----a-w-   C:\windows\System32\mshtml.tlb
2013-07-26 03:13:24   1767936   ----a-w-   C:\windows\SysWow64\wininet.dll
2013-07-26 03:12:04   2877440   ----a-w-   C:\windows\SysWow64\jscript9.dll
2013-07-26 03:12:00   61440   ----a-w-   C:\windows\SysWow64\iesetup.dll
2013-07-26 03:12:00   109056   ----a-w-   C:\windows\SysWow64\iesysprep.dll
2013-07-26 02:49:14   2706432   ----a-w-   C:\windows\SysWow64\mshtml.tlb
2013-07-26 02:39:38   89600   ----a-w-   C:\windows\System32\RegisterIEPKEYs.exe
2013-07-26 01:59:38   71680   ----a-w-   C:\windows\SysWow64\RegisterIEPKEYs.exe
2013-07-25 09:25:54   1888768   ----a-w-   C:\windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27   1620992   ----a-w-   C:\windows\SysWow64\WMVDECOD.DLL
2013-07-09 06:03:30   5550528   ----a-w-   C:\windows\System32\ntoskrnl.exe
2013-07-09 05:54:22   1732032   ----a-w-   C:\windows\System32\ntdll.dll
2013-07-09 05:53:12   243712   ----a-w-   C:\windows\System32\wow64.dll
2013-07-09 05:51:16   1217024   ----a-w-   C:\windows\System32\rpcrt4.dll
2013-07-09 05:03:34   3968960   ----a-w-   C:\windows\SysWow64\ntkrnlpa.exe
2013-07-09 05:03:34   3913664   ----a-w-   C:\windows\SysWow64\ntoskrnl.exe
2013-07-09 04:53:47   1292192   ----a-w-   C:\windows\SysWow64\ntdll.dll
2013-07-09 04:52:33   663552   ----a-w-   C:\windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:33   5120   ----a-w-   C:\windows\SysWow64\wow32.dll
2013-07-09 04:45:07   44032   ----a-w-   C:\windows\apppatch\acwow64.dll
2013-07-09 02:49:42   25600   ----a-w-   C:\windows\SysWow64\setup16.exe
2013-07-09 02:49:41   7680   ----a-w-   C:\windows\SysWow64\instnm.exe
2013-07-09 02:49:39   14336   ----a-w-   C:\windows\SysWow64\ntvdm64.dll
2013-07-09 02:49:38   2048   ----a-w-   C:\windows\SysWow64\user.exe
2013-07-06 06:03:53   1910208   ----a-w-   C:\windows\System32\drivers\tcpip.sys
2013-06-15 04:32:16   39936   ----a-w-   C:\windows\System32\drivers\tssecsrv.sys
.
============= FINISH: 14:26:58.80 ===============


Results of screen317's Security Check version 0.99.73 
Windows 7 Service Pack 1 x64 (UAC is enabled) 
Internet Explorer 10 
Error creating install.txt after 3 tries! Trying alternate method...
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled! 
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 7 Update 1 (64-bit)
Java version out of Date!
````````Process Check: objlist.exe by Laurent````````
MTN Mobile Broadband OnlineUpdate ouc.exe 
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Corrine

Hi, Panos.

Please follow these instructions carefully.  Download ComboFix from the following location to a USB stick:  Link 1

!!! IMPORTANT !!! Transfer ComboFix.exe to the desktop of the infected computer.


  • Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

    Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

  • If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts. 
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, a log will be produced. Please copy C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

DR M

OK, I'm downloading ComboFix now.

The computer is in chaos!!! There are many other things I noticed: errors when starting Windows, a pop-up from a program (malware) warning of a virus...


DR M

No good news.

I ran ComboFix in the infected account. It took only 10 minutes. After this, it logged off and switched user. It went by itself into the admin's account, where the screen became black! I switched to the infected account, but no ComboFix icon was found on the screen. Also, I cannot click and open any icon on the desktop. Meanwhile, we are talking about the infected account, but I think that the administrator's account has a problem as well.

Here is the combofix log (not admin's account):


ComboFix 13-09-02.02 - ?a??aµ 09/03/2013  18:22:48.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4004.2669 [GMT 3:00]
Running from: c:\users\mariam\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Public\sdelevURL.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-03 to 2013-09-03  )))))))))))))))))))))))))))))))
.
.
2015-10-08 12:41 . 2012-09-03 13:34   --------   d-----w-   c:\programdata\Creative
2013-09-02 19:56 . 2013-09-02 20:07   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-02 19:56 . 2012-12-14 13:49   24176   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-09-01 18:33 . 2013-09-01 18:33   --------   d-----w-   c:\users\mariam\AppData\Roaming\CyberLink
2013-09-01 14:21 . 2013-08-06 08:58   9515512   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{56DDEECA-B8C4-4759-8EE4-32A6CE290E92}\mpengine.dll
2013-08-28 18:36 . 2013-08-28 18:36   --------   d-----w-   c:\program files (x86)\Common Files\Steam
2013-08-28 18:36 . 2013-09-03 15:14   --------   d-----w-   c:\program files (x86)\Steam
2013-08-21 06:55 . 2013-09-03 15:27   --------   d-----w-   c:\users\aaµ
2013-08-21 06:53 . 2013-08-21 06:53   --------   d-----w-   c:\users\aa?
2013-08-20 14:07 . 2013-08-20 14:07   --------   d-----w-   c:\users\mariam\AppData\Local\ArcSoft
2013-08-19 16:03 . 2013-08-20 12:36   --------   d-----w-   c:\program files (x86)\Emsisoft Anti-Malware
2013-08-19 13:56 . 2013-08-19 13:56   --------   d-----w-   c:\users\mariam\AppData\Roaming\Malwarebytes
2013-08-19 13:47 . 2013-08-19 13:47   --------   d-----w-   c:\programdata\Malwarebytes
2013-08-19 13:46 . 2013-08-19 13:46   --------   d-----w-   c:\users\5D9A~1\AppData\Local\Programs
2013-08-18 11:50 . 2013-08-18 11:50   --------   d-----w-   c:\users\Guest\AppData\Local\Microsoft Games
2013-08-17 17:07 . 2013-08-17 17:07   --------   d-----w-   c:\users\Guest\AppData\Local\AskPartnerNetwork
2013-08-16 11:54 . 2013-08-16 11:54   70   ----a-w-   c:\programdata\oupkdkrjntyjjutsnpm.bat
2013-08-16 11:54 . 2013-08-16 11:54   165   ----a-w-   c:\programdata\oupkdkrjntyjjutsnpm.reg
2013-08-14 12:10 . 2013-07-09 05:52   224256   ----a-w-   c:\windows\system32\wintrust.dll
2013-08-14 12:10 . 2013-07-09 05:46   1472512   ----a-w-   c:\windows\system32\crypt32.dll
2013-08-14 12:10 . 2013-07-09 04:46   1166848   ----a-w-   c:\windows\SysWow64\crypt32.dll
2013-08-14 12:10 . 2013-07-09 05:46   184320   ----a-w-   c:\windows\system32\cryptsvc.dll
2013-08-14 12:10 . 2013-07-09 04:52   175104   ----a-w-   c:\windows\SysWow64\wintrust.dll
2013-08-14 12:10 . 2013-07-09 04:46   140288   ----a-w-   c:\windows\SysWow64\cryptsvc.dll
2013-08-14 12:10 . 2013-07-09 05:46   139776   ----a-w-   c:\windows\system32\cryptnet.dll
2013-08-14 12:10 . 2013-07-09 04:46   103936   ----a-w-   c:\windows\SysWow64\cryptnet.dll
2013-08-14 12:10 . 2013-07-19 01:58   2048   ----a-w-   c:\windows\system32\tzres.dll
2013-08-14 12:10 . 2013-07-19 01:41   2048   ----a-w-   c:\windows\SysWow64\tzres.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-05 18:27 . 2010-06-24 17:33   22240   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-08-01 05:48 . 2013-08-01 05:49   72192   ----a-w-   c:\windows\system32\drivers\ew_jucdcecm.sys
2013-08-01 05:48 . 2013-08-01 05:49   28672   ----a-w-   c:\windows\system32\drivers\ew_juextctrl.sys
2013-08-01 05:48 . 2013-08-01 05:49   223744   ----a-w-   c:\windows\system32\drivers\ew_juwwanecm.sys
2013-08-01 05:48 . 2013-08-01 05:49   13952   ----a-w-   c:\windows\system32\drivers\ew_usbenumfilter.sys
2013-08-01 05:48 . 2013-08-01 05:49   1001472   ----a-w-   c:\windows\system32\drivers\mod7700.sys
2013-08-01 05:48 . 2013-08-01 05:49   98304   ----a-w-   c:\windows\system32\drivers\ew_jucdcacm.sys
2013-08-01 05:48 . 2013-08-01 05:49   87040   ----a-w-   c:\windows\system32\drivers\ew_jubusenum.sys
2013-08-01 05:48 . 2013-08-01 05:49   422400   ----a-w-   c:\windows\system32\drivers\ewusbwwan.sys
2013-08-01 05:48 . 2013-08-01 05:49   32768   ----a-w-   c:\windows\system32\drivers\ewdcsc.sys
2013-08-01 05:48 . 2013-08-01 05:49   223232   ----a-w-   c:\windows\system32\drivers\ewusbmdm.sys
2013-08-01 05:48 . 2013-08-01 05:49   22016   ----a-w-   c:\windows\system32\drivers\ew_hwupgrade.sys
2013-08-01 05:48 . 2013-08-01 05:49   117248   ----a-w-   c:\windows\system32\drivers\ew_hwusbdev.sys
2013-08-01 05:48 . 2012-06-21 18:46   1490656   ----a-w-   c:\windows\system32\WdfCoInstaller01007.dll
2013-08-01 05:48 . 2012-06-21 18:46   1490656   ----a-w-   c:\windows\system32\drivers\WdfCoInstaller01007.dll
2013-07-09 04:45 . 2013-08-14 12:09   44032   ----a-w-   c:\windows\apppatch\acwow64.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2011-04-30 885760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-08-12 163040]
.
c:\users\mariam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
oupkdkrjntyjjutsnpm.lnk - c:\windows\System32\rundll32.exe c:\users\mariam\AppData\Local\Temp\mpnstujjytnjrkdkpuo.bfg,OKL00 [2009-7-14 45568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-1-14 1138464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
R2 MTN Mobile Broadband. RunOuc;MTN Mobile Broadband. OUC;c:\program files (x86)\MTN Mobile Broadband\UpdateDog\ouc.exe;c:\program files (x86)\MTN Mobile Broadband\UpdateDog\ouc.exe
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
R3 cleanhlp;cleanhlp;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys;c:\windows\SYSNATIVE\DRIVERS\ew_usbenumfilter.sys
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jucdcacm.sys
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys;c:\windows\SYSNATIVE\DRIVERS\ew_juextctrl.sys
R3 huawei_wwanecm;huawei_wwanecm;c:\windows\system32\DRIVERS\ew_juwwanecm.sys;c:\windows\SYSNATIVE\DRIVERS\ew_juwwanecm.sys
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys;c:\windows\SYSNATIVE\DRIVERS\ss_bbus.sys
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ss_bmdfl.sys
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ss_bmdm.sys
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys;c:\windows\SYSNATIVE\DRIVERS\btwampfl.sys
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jubusenum.sys
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-07 06:37]
.
2013-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-07 06:37]
.
2013-08-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-03-22 17:20]
.
2013-09-03 c:\windows\Tasks\RMAutoUpdate.job
- c:\program files (x86)\PC Tools Registry Mechanic\SULauncher.exe [2013-05-07 11:44]
.
2013-09-02 c:\windows\Tasks\RMSchedule.job
- c:\program files (x86)\PC Tools Registry Mechanic\RegMech.exe [2013-05-07 11:43]
.
2015-11-02 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2011-03-22 17:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 418840]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.cy/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{D8278076-BC68-4484-9233-6E7F1628B56C} - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-WT089446 - c:\program files (x86)\WildTangent\Dell Games\Wedding Dash - Ready
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-03  18:31:23
ComboFix-quarantined-files.txt  2013-09-03 15:31
.
Pre-Run: 424,939,388,928 bytes free
Post-Run: 430,366,691,328 bytes free
.
- - End Of File - - 83079C09B1ACC4A9E8B7C705A5A6D098

Corrine

Hi, Panos.

From the ComboFix log, I'm seeing more than three user accounts (Admin, Mariam, Guest):

2013-08-21 06:55 . 2013-09-03 15:27   --------   d-----w-   c:\users\aaµ
2013-08-21 06:53 . 2013-08-21 06:53   --------   d-----w-   c:\users\aa?
2013-08-19 13:46 . 2013-08-19 13:46   --------   d-----w-   c:\users\5D9A~1\AppData\Local\Programs

What I suspect started the problem:
2013-08-16 11:54 . 2013-08-16 11:54   70   ----a-w-   c:\programdata\oupkdkrjntyjjutsnpm.bat
2013-08-16 11:54 . 2013-08-16 11:54   165   ----a-w-   c:\programdata\oupkdkrjntyjjutsnpm.reg


With what appears to be random user accounts created, I'm glad I didn't advise you to connect the computer to your network.  I wouldn't trust it.  The only way I would connect that computer to the Internet from your connection is to disconnect your computer first.

When it comes to the various ransomware malware, HitmanPro has been successful.  The instructions are the same as found here.  Scroll down to the Automated Removal Instructions sections.  Please take your time and follow the instructions carefully.  Let me know if there is any improvement.



DR M

I will proceed now, Corrine.

Hoping that Eset and MCShield can keep the USB safe.

P.S.
Yes, there are three accounts:

Μαριαμ (admin)

mariam

Guest

DR M

Corrine,

I followed the instructions, but I get the message that HitmanPro needs an internet connection. What should I do?

Corrine

Hi, Panos.

Just to be on the safe side, why not disconnect your computer and connect Georgia's nephew's computer via the ethernet cable to run HitmanPro? If you'd rather not do that, you could try Kaspersky Rescue Disk 10.



DR M

Corrine,

I shut down my computer and connected the other one via the ethernet cable. HitmanPro found no malware. It only found an issue concerning start-up, and fixed it. I then updated and ran MBAM, but nothing was found. DDS still cannot run.

Everything seems to be OK, but I know that something is wrong. From time to time, in the admin's account, Registry Mechanic pops up, warning of errors. I also noticed that Office Start cannot open in any account.

Meanwhile, when I tried to start up MY computer, a BSD appeared twice. It is a coincidence, isn't it?