[Inactive] Ransomware Trojan - Tobfy.a


Offline AshleyPaterson

  • Bronze Member
  • Posts: 9
[Inactive] Ransomware Trojan - Tobfy.a
« on: October 20, 2012, 05:40:13 pm »
Laptop (4 months old) came with McAfee installed. Last month I ended up having a lot of Trojans/malware on my computer that was discovered and cleaned by Microsoft Security Essentials. As I was paying for McAfee I was furious as to how these lil [Edited by Admin.] got into my computer... that's when I discovered my firewall was shut off. I was assured that this was ok as McAfee has a firewall - wrong! I finally uninstalled McAfee to find out that I could not turn on my firewall for the life of me. I searched and searched endless forums and different ways - Finally today I found a solution to my Firewall.... unfortunately not in time to stop the lovely Tobfy.a coming into my computer. I have 4 trojans... the annoying pop up from the government asking me for my money. I am able to make the pop up go away after clicking esc 900 times however it's still lurking around as I do not have a taskbar, start, command prompt or desktop.
I completed a system restore which I hate doing... but it didn't work anyway! I am able to go into Safe Mode, Safe Mode with Networking, and of course normal. I do not have another computer to access - Please let me know what kind of information you need from me and please help me get rid of this pain!!

Windows 7 (64bit)
« Last Edit: October 20, 2012, 06:14:20 pm by Bugbatter »



Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 8468
Re: Ransomware Trojan - Tobfy.a
« Reply #1 on: October 20, 2012, 06:12:54 pm »
Hi Ashley,

Another helper will be along soon, but let me get you started.
Please boot into Safe Mode with Networking. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon and allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:

         1. DDS.txt
         2. Attach.txt
  • Save both logs to your desktop.
  • The instructions here ask you to attach the Attach.txt. Instead of attaching, please copy/paste both logs into your reply here.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan; enable your A/V and reconnect to the internet.
Information on A/V control: http://www.bleepingcomputer.com/forums/topic114351.html
In order to avoid damaging your system further, please do NOT run any other anti-virus or anti-malware scans unless under the direction of our Staff here.

* Our trained volunteers will reply to your log as soon as possible. We appreciate your patience.
*  Please do not bump your topic. Replying to your new topic will cause the helpers here to skip over your log thinking that it is already being addressed.
* Please do not include suspicious links. You may, however describe the type or name of sites that you are having a problem with. By using links, you would be putting other members at risk if they click on them by accident. If you need to give information about sites that you are redirected to, please disable the links by using hxxp:// instead of http://
* Please feel free to ask questions and disagree politely, but do not argue with the instructions given. Profanity is not allowed. (This will result in your post being deleted)
* We appreciate your replying to the helper’s instructions in a timely manner. Threads are deemed inactive after a specified time. If you plan to be away for a few days, please inform your helper so that your topic will not be removed.


Microsoft MVP - Consumer Security

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25712
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Ransomware Trojan - Tobfy.a
« Reply #2 on: October 20, 2012, 06:14:37 pm »
Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem. Also tell me any other problems you are having, no matter how small or how long you have been dealing with them.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Fifth, if we start this fix, I need you to stick with me until the end. Just because your computer is running better does not mean it is fixed.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your harddrive.

One last thing, I need you to tell me if this computer belongs to a school or to a company or organization of some kind. If it does, please let me know. Also tell me if there is an IT department responsible for this computer.

Now onto trying to fix your computer. If you can follow the instructions from Bugbatter, go ahead. If not, then follow the instructions below, and then try running DDS.


Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.



    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2

    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      MBAM will automatically start and you will be asked to update the program before performing a scan.
      • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
      • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
      On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
      • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
      • Click OK to close the message box and continue with the removal process.
      Back at the main Scanner screen:
      • Click on the Show Results button to see a list of any malware that was found.
      • Make sure that everything is checked, and click Remove Selected.
      • When removal is completed, a log report will open in Notepad.
      • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
      • Exit MBAM when done.
      Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Hopefully this will clear up enough of the problem to give you a bit of breathing room.
« Last Edit: October 20, 2012, 06:19:16 pm by Hoov »

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline AshleyPaterson

  • Bronze Member
  • Posts: 9
Re: Ransomware Trojan - Tobfy.a
« Reply #3 on: October 20, 2012, 06:31:01 pm »
1. I have quarantined and removed from Microsoft Security Essentials, however it's clear the remove did not work: Trojan:Win32/Tobfy.A & VirTool:Win32/CeeInject.gen!IH; I also completed a system restore back to October 15 which did nothing for me. The problem the ransomware is causing is the white screen indicating they are the government and I have been frauding... needing $100.00.... I lose my Start Bar, unable to "run" but I am able to bring up Task Manager - when I bring up Task Manager it makes the white screen go away
2. Only post is here
3. I will try to follow as best I can
4. lol faith is little right now!
5. I will stick with you... just bear in mind I won't be able to respond right away as of course my computer is not running as nice
Data is backed up as best as possible
No software encrypting
The laptop is personal (mine)

I downloaded RKill and it ran fine

I was unable to download Malwarebytes as the message comes up - mbam-setup-1.65.1.1000.exe is unsafe to download and was blocked by SmartScreen Filter

AS FOR BUGBATTER

I downloaded the two DDS files but I am not able to copy and paste them in here as I exceed the 5000 character limit

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25712
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: Ransomware Trojan - Tobfy.a
« Reply #4 on: October 20, 2012, 06:47:05 pm »
Reboot the computer to Safe Mode with Networking and download Malwarebytes' Anti-Malware. Then reboot the computer normally, run Rkill again, then install Malwarebytes' Anti-Malware and proceed with the instructions.

Let me know if you still have problems with that.

As for the DDS logs, you can post each one in a response, or split them up into three posts. If you get an error about being infected, zip the files up and attach them.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline AshleyPaterson

  • Bronze Member
  • Posts: 9
Re: Ransomware Trojan - Tobfy.a
« Reply #5 on: October 20, 2012, 06:56:04 pm »
Still will not allow me to install Malwarebytes in Safe Mode with Networking, same error message about it not being safe

I will paste the DDS logs next

Offline AshleyPaterson

  • Bronze Member
  • Posts: 9
Re: Ransomware Trojan - Tobfy.a
« Reply #6 on: October 20, 2012, 06:59:02 pm »
      DDS (Ver_2012-10-19.01) - NTFS_AMD64
      Internet Explorer: 9.0.8112.16421
      Run by B at 20:28:05 on 2012-10-20
      Microsoft Windows 7 Home Premium   6.1.7601.1.1252.2.1033.18.6038.3663 [GMT -4:00]
      .
      AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
      SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
      SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      .
      ============== Running Processes ===============
      .
      C:\Windows\system32\wininit.exe
      C:\Windows\system32\lsm.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\system32\svchost.exe -k RPCSS
      c:\Program Files\Microsoft Security Client\MsMpEng.exe
      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\svchost.exe -k netsvcs
      C:\Windows\system32\svchost.exe -k LocalService
      C:\Windows\system32\svchost.exe -k NetworkService
      C:\Windows\system32\WLANExt.exe
      C:\Windows\system32\conhost.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\System32\spoolsv.exe
      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      C:\Windows\system32\taskhost.exe
      C:\Windows\Explorer.EXE
      C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
      C:\Windows\System32\igfxtray.exe
      C:\Windows\System32\hkcmd.exe
      C:\Windows\System32\igfxpers.exe
      C:\Program Files\DellTPad\Apoint.exe
      C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
      C:\Windows\System32\rundll32.exe
      C:\Program Files\Dell\QuickSet\quickset.exe
      C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
      C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe
      C:\Program Files\Microsoft Security Client\msseces.exe
      C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
      C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
      C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Windows\system32\svchost.exe -k bthsvcs
      C:\Program Files\Intel\WiFi\bin\EvtEng.exe
      C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
      C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
      C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
      C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
      C:\Program Files (x86)\iTunes\iTunesHelper.exe
      C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
      C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
      C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
      C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
      C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
      C:\Program Files (x86)\Dell Stage\Dell Stage\stage_secondary.exe
      C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
      C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
      C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
      C:\Windows\system32\svchost.exe -k imgsvc
      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
      C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
      C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
      C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
      C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
      C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
      C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\unsecapp.exe
      C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      C:\Windows\system32\SearchIndexer.exe
      c:\Program Files\Microsoft Security Client\NisSrv.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
      C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
      C:\Program Files\DellTPad\ApMsgFwd.exe
      C:\Program Files\DellTPad\HidFind.exe
      C:\Program Files\DellTPad\Apntex.exe
      C:\Windows\system32\conhost.exe
      C:\Program Files\Windows Media Player\wmpnetwk.exe
      C:\Windows\System32\svchost.exe -k LocalServicePeerNet
      C:\Windows\system32\DllHost.exe
      C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
      C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
      C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
      C:\Program Files (x86)\Nero\Update\NASvc.exe
      C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
      C:\Windows\system32\consent.exe
      C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Program Files (x86)\Nero\SyncUP\SyncUP.exe
      C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      C:\Program Files (x86)\Nero\SyncUP\Nero.AndroidServer.exe
      C:\Windows\System32\rundll32.exe
      C:\Windows\explorer.exe
      C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
      C:\Windows\system32\SearchProtocolHost.exe
      C:\Windows\system32\SearchFilterHost.exe
      C:\Windows\system32\DllHost.exe
      C:\Windows\system32\igfxsrvc.exe
      C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe
      C:\Windows\system32\conhost.exe
      C:\Windows\System32\cscript.exe
      .
      ============== Pseudo HJT Report ===============
      .
      mWinlogon: Userinit = userinit.exe
      BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
      BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
      BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
      BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
      uRun: [Facebook Update] "C:\Users\B\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
      uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
      uRun: [] C:\Users\B\fqpypxnjpxgcmhqz.exe
      mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
      mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
      mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
      mRun: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900
      mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
      mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
      mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
      mPolicies-Explorer: NoActiveDesktop = dword:1
      mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
      mPolicies-System: ConsentPromptBehaviorUser = dword:3
      mPolicies-System: EnableUIADesktopToggle = dword:0
      IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
      IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
      DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
      DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
      DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
      TCP: NameServer = 192.168.2.1
      TCP: Interfaces\{556B9D01-976A-4CA7-A7EA-3F522F1F495D} : DHCPNameServer = 192.168.2.1
      TCP: Interfaces\{556B9D01-976A-4CA7-A7EA-3F522F1F495D}\84058414 : DHCPNameServer = 10.10.10.1
      Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
      Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
      Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
      Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
      SSODL: WebCheck - <orphaned>
      LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg pku2u livessp
      x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
      x64-BHO: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -
      x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
      x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
      x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
      x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
      x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
      x64-Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray
      x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
      x64-Run: [QuickSet] c:\Program Files\Dell\QuickSet\QuickSet.exe
      x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
      x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
      x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
      x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - <orphaned>
      x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
      x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
      x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
      x64-Notify: igfxcui - igfxdev.dll
      x64-SSODL: WebCheck - <orphaned>
      .
      ================= FIREFOX ===================
      .
      FF - ProfilePath - C:\Users\B\AppData\Roaming\Mozilla\Firefox\Profiles\fmxuk7p4.default\
      FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
      FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
      FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
      FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
      FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
      FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\7\NP_wtapp.dll
      FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
      FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
      FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
      FF - plugin: C:\Users\B\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
      FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
      FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
      FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
      FF - ExtSQL: 2012-10-02 19:19; {0153E448-190B-4987-BDE1-F256CADA672F}; C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
      .
      ============= SERVICES / DRIVERS ===============
      .
      R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
      R1 HssDRV6;Hotspot Shield Routing Driver 6;C:\Windows\System32\drivers\hssdrv6.sys [2012-8-1 41704]
      R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
      R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-3 63928]
      R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-6-4 98208]
      R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-10-19 661504]
      R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-10-18 936272]
      R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2011-10-18 1001808]
      R2 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-10-20 135440]
      R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
      R2 MotoHelper;MotoHelper Service;C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-4-26 223088]
      R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
      R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 128456]
      R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
      R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
      R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-6-4 1695040]
      R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-8-13 3064000]
      R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-6-4 2656280]
      R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2011-10-19 195072]
      R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2011-10-18 1354064]
      R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-8-29 53760]
      R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-10-10 288768]
      R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-6-4 176096]
      R3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;C:\Windows\System32\drivers\FLxHCIc.sys [2012-6-4 212544]
      R3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;C:\Windows\System32\drivers\FLxHCIh.sys [2012-6-4 69184]
      R3 iBtFltCoex;iBtFltCoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2011-10-11 59904]
      R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-6-4 317440]
      R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-5-17 25496]
      R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2012-6-4 56344]
      R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETwNs64.sys [2012-6-4 8615936]
      R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
      R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-6-4 565352]
      R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
      R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
      R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
      R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
      R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
      R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
      S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
      S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
      S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
      S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2011-10-19 195072]
      S3 BTCFilterService;USB Networking Driver Filter Service;C:\Windows\System32\drivers\motfilt.sys [2009-1-29 6144]
      S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
      S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2012-6-4 158976]
      S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-5-17 34200]
      S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\System32\drivers\motccgp.sys [2011-4-4 21504]
      S3 motccgpfl;MotCcgpFlService;C:\Windows\System32\drivers\motccgpfl.sys [2009-1-29 9216]
      S3 Motousbnet;Motorola USB Networking Driver Service;C:\Windows\System32\drivers\Motousbnet.sys [2010-4-1 26624]
      S3 motusbdevice;Motorola USB Dev Driver;C:\Windows\System32\drivers\motusbdevice.sys [2011-5-12 11776]
      S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-29 114144]
      S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-11-1 340240]
      S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2012-6-4 95744]
      S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2012-6-4 212992]
      S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
      S3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-8-17 25584]
      S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2012-6-4 250984]
      S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
      S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
      S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-6-16 1255736]
      S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
      .
      =============== Created Last 30 ================
      .
      2012-10-20 23:19:14   69000   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EEA0D0E4-4FB1-413C-AC03-5AB3F3A8FEF9}\offreg.dll
      2012-10-20 18:09:26   9291768   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EEA0D0E4-4FB1-413C-AC03-5AB3F3A8FEF9}\mpengine.dll
      2012-10-20 14:51:56   --------   d-----w-   C:\Users\B\AppData\Local\{38177739-0B08-4931-8D93-95200A2010AD}
      2012-10-20 02:50:51   --------   d-----w-   C:\Users\B\AppData\Local\{A280A1EA-F3C8-4D4D-B617-209978DB1FCC}
      2012-10-20 02:14:15   57856   ----a-w-   C:\Users\B\fqpypxnjpxgcmhqz.exe
      2012-10-20 02:14:13   39424   ----a-w-   C:\Users\B\dfpxvxmilgtruppb.exe
      2012-10-19 15:41:17   9291768   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
      2012-10-19 15:14:08   --------   d-----w-   C:\ProgramData\Fugazo
      2012-10-11 07:21:02   --------   d-----w-   C:\Users\B\AppData\Local\{ADD9E65C-0123-4AF9-9E9E-49D17F1FC20E}
      2012-10-10 13:08:16   1659760   ----a-w-   C:\Windows\System32\drivers\ntfs.sys
      2012-10-10 13:05:58   220160   ----a-w-   C:\Windows\System32\wintrust.dll
      2012-10-10 13:05:58   172544   ----a-w-   C:\Windows\SysWow64\wintrust.dll
      2012-10-10 13:05:38   2048   ----a-w-   C:\Windows\SysWow64\tzres.dll
      2012-10-10 13:05:38   2048   ----a-w-   C:\Windows\System32\tzres.dll
      2012-10-10 13:05:07   715776   ----a-w-   C:\Windows\System32\kerberos.dll
      2012-10-10 13:05:07   542208   ----a-w-   C:\Windows\SysWow64\kerberos.dll
      2012-10-10 13:04:49   1464320   ----a-w-   C:\Windows\System32\crypt32.dll
      2012-10-10 13:04:49   1159680   ----a-w-   C:\Windows\SysWow64\crypt32.dll
      2012-10-10 13:04:48   184320   ----a-w-   C:\Windows\System32\cryptsvc.dll
      2012-10-10 13:04:48   140288   ----a-w-   C:\Windows\SysWow64\cryptsvc.dll
      2012-10-10 13:04:48   140288   ----a-w-   C:\Windows\System32\cryptnet.dll
      2012-10-10 13:04:48   103936   ----a-w-   C:\Windows\SysWow64\cryptnet.dll
      2012-10-05 17:24:30   972192   ------w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5AFD4058-46FE-4369-8ABA-C6E9BF8A4A99}\gapaengine.dll
      2012-10-05 02:04:48   --------   d-----w-   C:\Users\B\AppData\Local\{5BB37ADE-D5DD-482F-8854-7CE5D443479C}
      2012-10-03 15:40:12   972192   ------w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
      2012-10-02 23:19:58   --------   d-----w-   C:\Program Files (x86)\Common Files\xing shared
      2012-09-28 04:03:11   73696   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
      2012-09-26 12:46:06   245760   ----a-w-   C:\Windows\System32\OxpsConverter.exe
      2012-09-25 11:15:06   --------   d-----w-   C:\Users\B\AppData\Local\{E0ACA48D-C0DF-4672-8773-FC3BA4CFE80A}
      2012-09-22 07:19:29   --------   d-----w-   C:\Users\B\AppData\Local\{2C0FD82F-B6B8-4321-BFD0-B55095299D0D}
      .
      ==================== Find3M  ====================
      .
      2012-10-02 23:19:13   499712   ----a-w-   C:\Windows\SysWow64\msvcp71.dll
      2012-10-02 23:19:13   348160   ----a-w-   C:\Windows\SysWow64\msvcr71.dll
      2012-09-04 00:14:31   73416   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
      2012-09-04 00:14:31   696520   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
      2012-08-31 02:03:48   228768   ----a-w-   C:\Windows\System32\drivers\MpFilter.sys
      2012-08-31 02:03:48   128456   ----a-w-   C:\Windows\System32\drivers\NisDrvWFP.sys
      2012-08-30 18:03:45   5559664   ----a-w-   C:\Windows\System32\ntoskrnl.exe
      2012-08-30 17:12:02   3968880   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
      2012-08-30 17:12:02   3914096   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
      2012-08-24 10:31:32   2312704   ----a-w-   C:\Windows\System32\jscript9.dll
      2012-08-24 10:21:18   1392128   ----a-w-   C:\Windows\System32\wininet.dll
      2012-08-24 10:20:11   1494528   ----a-w-   C:\Windows\System32\inetcpl.cpl
      2012-08-24 10:14:45   173056   ----a-w-   C:\Windows\System32\ieUnatt.exe
      2012-08-24 10:13:29   599040   ----a-w-   C:\Windows\System32\vbscript.dll
      2012-08-24 10:09:42   2382848   ----a-w-   C:\Windows\System32\mshtml.tlb
      2012-08-24 06:59:17   1800704   ----a-w-   C:\Windows\SysWow64\jscript9.dll
      2012-08-24 06:51:27   1129472   ----a-w-   C:\Windows\SysWow64\wininet.dll
      2012-08-24 06:51:02   1427968   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
      2012-08-24 06:47:26   142848   ----a-w-   C:\Windows\SysWow64\ieUnatt.exe
      2012-08-24 06:47:12   420864   ----a-w-   C:\Windows\SysWow64\vbscript.dll
      2012-08-24 06:43:58   2382848   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
      2012-08-24 01:45:47   328704   ----a-w-   C:\Windows\System32\services.exe
      2012-08-24 01:13:13   328704   ----a-w-   C:\Windows\System32\services.exe.BDE542AAA71CF426
      2012-08-24 01:09:32   328704   ----a-w-   C:\Windows\System32\services.exe.08CDCA394D7B2BC0
      2012-08-24 00:36:14   328704   ----a-w-   C:\Windows\System32\services.exe.E840B908F2CC3657
      2012-08-24 00:31:20   328704   ----a-w-   C:\Windows\System32\services.exe.63A8B392B11A374D
      2012-08-24 00:26:37   328704   ----a-w-   C:\Windows\System32\services.exe.A0D505ECEB2439DD
      2012-08-24 00:19:12   328704   ----a-w-   C:\Windows\System32\services.exe.79624198A74CD037
      2012-08-24 00:10:48   328704   ----a-w-   C:\Windows\System32\services.exe.C44CA52DBC506328
      2012-08-24 00:01:05   328704   ----a-w-   C:\Windows\System32\services.exe.82D788DBFBD93DFA
      2012-08-23 23:53:42   49872   ----a-w-   C:\Windows\System32\drivers\uhksbihr.sys
      2012-08-23 23:53:42   328704   ----a-w-   C:\Windows\System32\services.exe.54C24A2606F07228
      2012-08-23 23:50:15   328704   ----a-w-   C:\Windows\System32\services.exe.D2AE316FDEBC038D
      2012-08-23 23:41:08   328704   ----a-w-   C:\Windows\System32\services.exe.B30083AF6AB57049
      2012-08-23 23:35:10   328704   ----a-w-   C:\Windows\System32\services.exe.9FDFC1647D4BDB7B
      2012-08-23 23:30:20   328704   ----a-w-   C:\Windows\System32\services.exe.CECD7E5BD2EADFAB
      2012-08-23 23:26:23   328704   ----a-w-   C:\Windows\System32\services.exe.42560116AEF2075D
      2012-08-22 18:12:50   1913200   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
      2012-08-22 18:12:40   950128   ----a-w-   C:\Windows\System32\drivers\ndis.sys
      2012-08-22 18:12:40   376688   ----a-w-   C:\Windows\System32\drivers\netio.sys
      2012-08-22 18:12:33   288624   ----a-w-   C:\Windows\System32\drivers\FWPKCLNT.SYS
      2012-08-20 18:48:44   362496   ----a-w-   C:\Windows\System32\wow64win.dll
      2012-08-20 18:48:44   243200   ----a-w-   C:\Windows\System32\wow64.dll
      2012-08-20 18:48:44   13312   ----a-w-   C:\Windows\System32\wow64cpu.dll
      2012-08-20 18:48:43   215040   ----a-w-   C:\Windows\System32\winsrv.dll
      2012-08-20 18:48:37   16384   ----a-w-   C:\Windows\System32\ntvdm64.dll
      2012-08-20 18:48:35   424448   ----a-w-   C:\Windows\System32\KernelBase.dll
      2012-08-20 18:46:22   338432   ----a-w-   C:\Windows\System32\conhost.exe
      2012-08-20 17:40:21   14336   ----a-w-   C:\Windows\SysWow64\ntvdm64.dll
      2012-08-20 17:38:44   44032   ----a-w-   C:\Windows\apppatch\acwow64.dll
      2012-08-20 17:38:26   25600   ----a-w-   C:\Windows\SysWow64\setup16.exe
      2012-08-20 17:37:19   5120   ----a-w-   C:\Windows\SysWow64\wow32.dll
      2012-08-20 17:37:18   274944   ----a-w-   C:\Windows\SysWow64\KernelBase.dll
      2012-08-20 15:38:21   7680   ----a-w-   C:\Windows\SysWow64\instnm.exe
      2012-08-20 15:38:20   2048   ----a-w-   C:\Windows\SysWow64\user.exe
      2012-08-20 15:33:28   6144   ---ha-w-   C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
      2012-08-20 15:33:28   4608   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
      2012-08-20 15:33:28   3584   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
      2012-08-20 15:33:28   3072   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
      2012-08-02 17:58:52   574464   ----a-w-   C:\Windows\System32\d3d10level9.dll
      2012-08-02 16:57:20   490496   ----a-w-   C:\Windows\SysWow64\d3d10level9.dll
      2012-08-01 18:13:42   41704   ----a-w-   C:\Windows\System32\drivers\hssdrv6.sys
      2012-08-01 18:13:40   38632   ----a-w-   C:\Windows\System32\drivers\taphss.sys
      .
      ============= FINISH: 20:28:28.90 ===============

      Offline AshleyPaterson

      • Bronze Member
      • Posts: 9
      Re: Ransomware Trojan - Tobfy.a
      « Reply #7 on: October 20, 2012, 07:01:42 pm »
      .
      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
      IF REQUESTED, ZIP IT UP & ATTACH IT
      .
      DDS (Ver_2012-10-19.01)
      .
      Microsoft Windows 7 Home Premium
      Boot Device: \Device\HarddiskVolume2
      Install Date: 12/06/2012 11:42:22 AM
      System Uptime: 20/10/2012 7:37:19 PM (1 hours ago)
      .
      Motherboard: Dell Inc. |  | 0YH79Y
      Processor: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz | CPU | 2300/100mhz
      .
      ==== Disk Partitions =========================
      .
      C: is FIXED (NTFS) - 679 GiB total, 586.844 GiB free.
      D: is CDROM ()
      .
      ==== Disabled Device Manager Items =============
      .
      ==== System Restore Points ===================
      .
      RP66: 15/10/2012 1:17:07 PM - Microsoft Antimalware Checkpoint
      RP68: 16/10/2012 9:36:28 PM - Microsoft Antimalware Checkpoint
      RP69: 17/10/2012 11:37:05 AM - Windows Update
      RP71: 19/10/2012 8:06:52 PM - Microsoft Antimalware Checkpoint
      RP72: 20/10/2012 2:11:07 PM - Windows Update
      RP73: 20/10/2012 4:12:58 PM - Restore Operation
      RP74: 20/10/2012 5:53:12 PM - Installed Microsoft Fix it 50203
      .
      ==== Installed Programs ======================
      .
      100% Free Gin 7.42
      Accidental Damage Services Agreement
      Adobe AIR
      Adobe Flash Player 11 ActiveX
      Adobe Flash Player 11 Plugin
      Adobe Reader X (10.1.3) MUI
      Advanced Audio FX Engine
      Amazing Adventures Around the World
      Amazing Adventures The Caribbean Secret
      Apple Application Support
      Apple Mobile Device Support
      Apple Software Update
      Banctec Service Agreement
      Bejeweled 2 Deluxe
      Big City Adventure - San Francisco
      Big City Adventure - Sydney
      Big City Adventure - Vancouver
      Big City Adventure: London Story
      Blackhawk Striker 2
      Blio
      Bonjour
      Bounce Symphony
      Build-a-lot 2
      Cake Mania
      Chuzzle Deluxe
      Complete Care Business Service Agreement
      Consumer In-Home Service Agreement
      Cozi
      D3DX10
      Deep Blue Sea 2: The Amulet of Light
      Dell DataSafe Local Backup
      Dell DataSafe Local Backup - Support Software
      Dell DataSafe Online
      Dell Edoc Viewer
      Dell Getting Started Guide
      Dell Home Systems Service Agreement
      Dell MusicStage
      Dell PhotoStage
      Dell Stage
      Dell Support Center
      Dell Touchpad
      Dell VideoStage
      Dell Webcam Central
      Diner Dash 2 Restaurant Rescue
      Dora's World Adventure
      Dream Builder: Amusement Park
      Escape Whisper Valley (TM)
      Facebook Video Calling 1.2.0.159
      Farm Frenzy
      FATE
      Final Drive Fury
      Final Drive Nitro
      High-Definition Video Playback
      Intel PROSet Wireless
      Intel(R) Control Center
      Intel(R) Management Engine Components
      Intel(R) Processor Graphics
      Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology
      Intel(R) PROSet/Wireless WiFi Software
      Intel(R) WiDi
      Intel(R) Wireless Display
      iTunes
      Java Auto Updater
      Java(TM) 6 Update 32
      Jewel Quest
      Jewel Quest Solitaire 2
      Junk Mail filter update
      K-Lite Codec Pack 8.8.0 (Standard)
      Luxor
      Mesh Runtime
      Microsoft .NET Framework 4 Client Profile
      Microsoft .NET Framework 4 Extended
      Microsoft Application Error Reporting
      Microsoft Office 2010
      Microsoft Office Click-to-Run 2010
      Microsoft Office Starter 2010 - English
      Microsoft Security Client
      Microsoft Security Essentials
      Microsoft Silverlight
      Microsoft SQL Server 2005 Compact Edition [ENU]
      Microsoft Visual C++ 2005 Redistributable
      Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
      Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
      Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
      MotoHelper 2.0.51 Driver 5.2.0
      MotoHelper MergeModules
      Motorola Mobile Drivers Installation 5.2.0
      Mozilla Firefox 15.0.1 (x86 en-US)
      Mozilla Maintenance Service
      MSVCRT
      MSVCRT_amd64
      MSXML 4.0 SP2 (KB954430)
      MSXML 4.0 SP2 (KB973688)
      Namco All-Stars PAC-MAN
      Nero 10 Movie ThemePack Basic
      Nero Control Center 10
      Nero ControlCenter 10 Help (CHM)
      Nero Core Components 10
      Nero Update
      Penguins!
      Plants vs. Zombies - Game of the Year
      PlayReady PC Runtime x86
      Poker Superstars III
      Polar Bowler
      Polar Golfer
      Premium Service Agreement
      QualxServ Service Agreement
      Quickset64
      QuickTime
      RealNetworks - Microsoft Visual C++ 2008 Runtime
      RealPlayer
      Realtek High Definition Audio Driver
      RealUpgrade 1.1
      Samantha Swift
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
      Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
      Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
      Skype Click to Call
      Skype™ 5.10
      SyncUP
      Tales of Lagoona
      Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
      Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
      Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
      Update for Microsoft .NET Framework 4 Extended (KB2468871)
      Update for Microsoft .NET Framework 4 Extended (KB2533523)
      Update for Microsoft .NET Framework 4 Extended (KB2600217)
      Update Installer for WildTangent Games App
      Vacation Quest - The Hawaiian Islands
      Virtual Villagers 4 - The Tree of Life
      Wedding Dash - Ready, Aim, Love!
      WildTangent Games
      WildTangent Games App (Dell Games)
      Windows Live Communications Platform
      Windows Live Essentials
      Windows Live ID Sign-in Assistant
      Windows Live Installer
      Windows Live Language Selector
      Windows Live Mail
      Windows Live Mesh
      Windows Live Mesh ActiveX Control for Remote Connections
      Windows Live Messenger
      Windows Live MIME IFilter
      Windows Live Movie Maker
      Windows Live Photo Common
      Windows Live Photo Gallery
      Windows Live PIMT Platform
      Windows Live Remote Client
      Windows Live Remote Client Resources
      Windows Live Remote Service
      Windows Live Remote Service Resources
      Windows Live SOXE
      Windows Live SOXE Definitions
      Windows Live UX Platform
      Windows Live UX Platform Language Pack
      Windows Live Writer
      Windows Live Writer Resources
      Zinio Reader 4
      Zuma Deluxe
      .
      ==== Event Viewer Messages From Past Week ========
      .
      20/10/2012 7:21:30 PM, Error: Service Control Manager [7023]  - The Windows Defender service terminated with the following error:  The specified module could not be found.
      20/10/2012 7:18:19 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
      20/10/2012 7:14:38 PM, Error: Service Control Manager [7024]  - The Windows Firewall service terminated with service-specific error Access is denied..
      20/10/2012 6:51:41 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
      20/10/2012 6:51:34 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
      20/10/2012 6:51:31 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
      20/10/2012 6:51:31 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
      20/10/2012 6:51:24 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
      20/10/2012 6:51:18 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
      20/10/2012 6:51:17 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache MpFilter spldr Wanarpv6
      20/10/2012 6:51:14 PM, Error: Service Control Manager [7001]  - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error:  The dependency service or group failed to start.
      20/10/2012 5:55:28 PM, Error: Service Control Manager [7023]  - The Function Discovery Resource Publication service terminated with the following error:  %%-2147024891
      20/10/2012 5:55:28 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:  %%-2147024891
      20/10/2012 4:17:20 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
      20/10/2012 4:17:20 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error:  An instance of the service is already running.
      20/10/2012 4:17:20 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error:  An instance of the service is already running.
      20/10/2012 4:16:20 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Shell Hardware Detection service, but this action failed with the following error:  An instance of the service is already running.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Windows Management Instrumentation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The User Profile Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Themes service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Task Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The System Event Notification Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Shell Hardware Detection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Multimedia Class Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Group Policy Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Extensible Authentication Protocol service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
      20/10/2012 4:15:20 PM, Error: Service Control Manager [7031]  - The Computer Browser service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
      20/10/2012 4:10:58 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa80074fe810, 0xfffffa80074feaf0, 0xfffff80002988460). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 102012-15802-01.
      20/10/2012 4:08:22 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
      20/10/2012 3:55:40 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service Bluetooth Device Monitor with arguments "" in order to run the server: {DABF28BE-F6B4-4E40-8F40-C4FB26F3116C}
      20/10/2012 2:11:54 PM, Error: Microsoft Antimalware [2003]  - Microsoft Antimalware has encountered an error trying to update the engine.     New Engine Version:      Previous Engine Version: 2.1.8600.0     Engine Type: Network Inspection System     User: B-PC\B     Error Code: 0x80070666     Error description: Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel.
      20/10/2012 2:11:54 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 15.12.0.0     Update Source: User     Update Stage: Install     Source Path:      Signature Type: Network Inspection System     Update Type: Full     User: B-PC\B     Current Engine Version:      Previous Engine Version: 2.1.8600.0     Error code: 0x80070666     Error description: Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel.
      20/10/2012 12:08:59 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.139.108.0     Update Source: Microsoft Update Server     Update Stage: Search     Source Path: Default URL     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.8904.0     Error code: 0x8007043c     Error description: This service cannot be started in Safe Mode
      20/10/2012 11:53:33 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.139.108.0     Update Source: Microsoft Update Server     Update Stage: Search     Source Path: Default URL     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.8904.0     Error code: 0x8007043c     Error description: This service cannot be started in Safe Mode
      20/10/2012 10:53:49 AM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
      20/10/2012 10:53:48 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
      20/10/2012 10:53:48 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD DfsC discache HssDRV6 MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
      20/10/2012 10:53:36 AM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
      16/10/2012 8:22:03 AM, Error: Tcpip [4199]  - The system detected an address conflict for IP address 192.168.2.5 with the system having network hardware address 00-1B-EA-D1-41-59. Network operations on this system may be disrupted as a result.
      15/10/2012 9:53:40 AM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR3.
      15/10/2012 8:25:36 AM, Error: volsnap [67]  - The shadow copy of volume C: being created failed to install.
      15/10/2012 1:30:09 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:30:00 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:29:53 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:29:46 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:29:38 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:29:31 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:29:23 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:29:16 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:29:09 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DZ&threatid=2147664384     Name: TrojanDownloader:ASX/Wimad.DZ     ID: 2147664384     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3;file:_C:\Users\B\FrostWire\Torrent Data\Rihanna - Diamonds\Rihanna - Diamonds.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:17:28 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DQ&threatid=2147655835     Name: TrojanDownloader:ASX/Wimad.DQ     ID: 2147655835     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\The Billboard Hot 40 (June 2012)\23. Calvin Harris - Feel So Close.mp3;file:_C:\Users\B\FrostWire\Torrent Data\The Billboard Hot 40 (June 2012)\23. Calvin Harris - Feel So Close.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      15/10/2012 1:17:19 PM, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:ASX/Wimad.DQ&threatid=2147655835     Name: TrojanDownloader:ASX/Wimad.DQ     ID: 2147655835     Severity: Severe     Category: Trojan Downloader     Path: containerfile:_C:\Users\B\FrostWire\Torrent Data\The Billboard Hot 40 (June 2012)\23. Calvin Harris - Feel So Close.mp3;file:_C:\Users\B\FrostWire\Torrent Data\The Billboard Hot 40 (June 2012)\23. Calvin Harris - Feel So Close.mp3->(ASF_Script_Commands)     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\FrostWire 5\FrostWire.exe     Action: Quarantine     Action Status:  No additional actions required     Error Code: 0x80070020     Error description: The process cannot access the file because it is being used by another process.      Signature Version: AV: 1.137.1833.0, AS: 1.137.1833.0, NIS: 15.12.0.0     Engine Version: AM: 1.1.8800.0, NIS: 2.1.8600.0
      .
      ==== End Of File ===========================

      Offline Hoov

      • Malware Removal Mentors
      • Global Moderator
      • Diamond Member
      • Posts: 25712
      • Unwilling part owner of Gov't. Motors and Chrysler
        • Hoov's Personal Site
      Re: Ransomware Trojan - Tobfy.a
      « Reply #8 on: October 20, 2012, 07:22:06 pm »
      Try using a different browser.

      Consumer Security

      If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

      Offline AshleyPaterson

      • Bronze Member
      • Posts: 9
      Re: Ransomware Trojan - Tobfy.a
      « Reply #9 on: October 20, 2012, 07:29:55 pm »
Thanks, Mozilla allowed me to install. Now I am just waiting for the scan to be completed; I will copy the log in here once done.

      Offline AshleyPaterson

      • Bronze Member
      • Posts: 9
      Re: Ransomware Trojan - Tobfy.a
      « Reply #10 on: October 20, 2012, 08:11:43 pm »
The scan was completed; here is the log. I am going to restart the computer now.

      Malwarebytes Anti-Malware (Trial) 1.65.1.1000
      www.malwarebytes.org

      Database version: v2012.10.21.01

      Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
      Internet Explorer 9.0.8112.16421
      B :: B-PC [administrator]

      Protection: Disabled

      20/10/2012 9:29:02 PM
      mbam-log-2012-10-20 (21-29-02).txt

      Scan type: Full scan (C:\|D:\|)
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 371349
      Time elapsed: 38 minute(s), 16 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 1
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run| (Trojan.Agent) -> Data: C:\Users\B\fqpypxnjpxgcmhqz.exe -> Quarantined and deleted successfully.

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 4
      C:\Users\B\fqpypxnjpxgcmhqz.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\Users\B\dfpxvxmilgtruppb.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
      C:\Users\B\Downloads\Install-Gin-Free.exe (PUP.BundleInstaller.BI) -> Quarantined and deleted successfully.
      C:\Users\B\Local Settings\TempDIR\BetterInstaller.exe (PUP.BundleInstaller.Somoto) -> Quarantined and deleted successfully.

      (end)
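A defender's follow-up to the findings in this log, added here as an example and not part of the original thread: the MBAM log shows the persistence entry (an HKCU Run value pointing at a randomly named executable directly under the user profile). The script below enumerates the current user's Run/RunOnce keys and flags any entry whose target sits directly in the profile root, has a long random-looking name, is unsigned, or no longer exists on disk; the key list, the length threshold and the flag names are the example's own assumptions.

```powershell
# Added example (not from the thread): audit HKCU Run entries for the pattern seen in the
# MBAM log above (a random-named .exe directly under C:\Users\<name>). The entry in that
# log used the key's default value, which Get-ItemProperty reports as "(default)".
# Assumptions: run as the affected user; MinRandomLength is an arbitrary threshold.

$MinRandomLength = 12   # fqpypxnjpxgcmhqz.exe is 16 lower-case letters

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePathFromCommand {
    param([string]$Command)
    # Strip quotes and arguments:  "C:\path\x.exe" /arg  ->  C:\path\x.exe
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return $c.Split('"')[1] }
    return ($c -split '\s+')[0]
}

function Test-SuspiciousRunEntry {
    param([string]$Name, [string]$Command)
    $exe = Get-ExePathFromCommand $Command
    if (-not $exe) { return }                      # empty value, nothing to check
    $flags = @()
    $dir   = Split-Path -Path $exe -Parent
    $base  = [IO.Path]::GetFileNameWithoutExtension($exe)

    # Target lives directly in the profile root (C:\Users\B\...), not in a program folder
    if ($dir -and ($dir.TrimEnd('\') -ieq $env:USERPROFILE.TrimEnd('\'))) { $flags += 'profile-root' }
    # Long run of lower-case letters only, like fqpypxnjpxgcmhqz
    if ($base -cmatch "^[a-z]{$MinRandomLength,}$") { $flags += 'random-name' }
    # File already gone (e.g. quarantined) but the Run value survived: orphaned autostart
    if (-not (Test-Path -LiteralPath $exe)) { $flags += 'missing-file' }
    elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') { $flags += 'unsigned' }

    [pscustomobject]@{ Key = $Name; Command = $Command; Flags = ($flags -join ',') }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PSPath/PSParentPath metadata
        Test-SuspiciousRunEntry -Name "$key\$($p.Name)" -Command ([string]$p.Value)
    }
}
```

An entry that carries both profile-root and random-name is the shape the log above reports; missing-file on its own usually means the scanner removed the file but the autostart value was left behind.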

      Offline AshleyPaterson

      • Bronze Member
      • Posts: 9
      Re: Ransomware Trojan - Tobfy.a
      « Reply #11 on: October 20, 2012, 08:16:30 pm »
      I restarted my computer and it opened up! I didn't receive any stupid errors telling me to pay the government :P Let me know if this is all done with now or if there is still more I need to do

      Thanks for all your help so far!!

      Offline Hoov

      • Malware Removal Mentors
      • Global Moderator
      • Diamond Member
      • Posts: 25712
      • Unwilling part owner of Gov't. Motors and Chrysler
        • Hoov's Personal Site
      Re: Ransomware Trojan - Tobfy.a
      « Reply #12 on: October 20, 2012, 08:26:18 pm »
That is the majority of it, but it is getting late here. Go ahead and run it overnight, reboot a few times, and we will pick this up in the early afternoon. I have family visiting who have to get on the road in the morning, so I will be a tad busy.

      If you notice any problems, let me know right away.

One last thing I would like you to do tonight is reboot the computer and note the time. Then follow the instructions below to get me a copy of the Event Viewer logs. I am going to send you a private message with a link that you can upload the logs to. In the note where it asks for the link to the thread, put in the link and the time.

I need you to go to the Administrative Tools in Vista / Windows 7. They are in the Control Panel. Open the Admin Tools, then open the Event Viewer. Over on the left-hand side, expand the Windows Logs category and then click on System. Then up at the top click on Action and then click on Save Events As, type in system as the file name, make sure file type EVTX is selected, then navigate so it will save the file to your desktop, and click Save. Over on the left-hand side, click on Application. Then up at the top click on Action and then click on Save Events As, type in application as the file name, make sure file type EVTX is selected, then navigate so it will save the file to your desktop, and click Save. Zip them both up into a single zip file and post them back here in your next reply as attachments.

      Consumer Security

      If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!
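The command-line equivalent of the Event Viewer steps in the post above, added here as an example and not the helper's own instructions: it exports the System and Application logs as EVTX to the Desktop, zips them into one archive, prints the last boot time the helper asked for, and lists Error-level events since that boot so failures like the SCM 7001 entries in the DDS log stand out. It assumes an elevated PowerShell 5.0 or later session; the file and archive names are the example's own choices.

```powershell
# Added example (not from the thread): export System + Application logs as EVTX, zip them,
# and summarise errors since the last reboot. Assumes elevated PowerShell 5+ on Windows 7 or later.

$desktop = [Environment]::GetFolderPath('Desktop')
$logs    = 'System', 'Application'
$files   = @()

foreach ($log in $logs) {
    $out = Join-Path $desktop "$($log.ToLower()).evtx"
    if (Test-Path $out) { Remove-Item $out }   # wevtutil refuses to overwrite an existing file
    wevtutil epl $log $out                     # same as Action > Save Events As (EVTX)
    $files += $out
}

# One zip with both files, as the post requests.
$zip = Join-Path $desktop 'eventlogs.zip'
if (Test-Path $zip) { Remove-Item $zip }
Compress-Archive -Path $files -DestinationPath $zip

# The helper asked for the reboot time so the logs can be read from that point on.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
"Last boot: $boot  (logs saved to $zip)"

# Level 2 = Error. Oldest first, so a chain of dependent service-start failures reads in order.
Get-WinEvent -FilterHashtable @{ LogName = $logs; Level = 2; StartTime = $boot } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |   # first line of each message
    Format-Table -AutoSize
```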

      Offline AshleyPaterson

      • Bronze Member
      • Posts: 9
      Re: Ransomware Trojan - Tobfy.a
      « Reply #13 on: October 21, 2012, 09:52:37 am »
OK, I followed the instructions and put them in the link you sent me in the PM. Let me know if you need any more information.

      Offline Hoov

      • Malware Removal Mentors
      • Global Moderator
      • Diamond Member
      • Posts: 25712
      • Unwilling part owner of Gov't. Motors and Chrysler
        • Hoov's Personal Site
      Re: Ransomware Trojan - Tobfy.a
      « Reply #14 on: October 21, 2012, 10:02:38 am »
      How is the computer running?

      The files did not upload. Did you click the upload button?

      Consumer Security

      If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!