Original Cryptolocker Ransomware Support and Help Topic


3457 replies to this topic

#16 All8up
  • Members
  • 8 posts
  • Local time: 12:45 AM

Posted 06 September 2013 - 03:00 PM

Just for others to whom this may mean something... I also ran AdwCleaner, but I'm not certain where that log gets saved. Lots of crapware and toolbars on this machine.

Combofix Log:

ComboFix 13-09-06.01 - Administrator 09/06/2013  12:08:20.1.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3767.2474 [GMT -5:00]
Running from: c:\inky\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\DailyFitnessCenter_53EI
c:\program files (x86)\DailyFitnessCenter_53EI\Installr\1.bin\53EIPlug.dll
c:\program files (x86)\DailyFitnessCenter_53EI\Installr\1.bin\53EZSETP.dll
c:\program files (x86)\DailyFitnessCenter_53EI\Installr\1.bin\NP53EISb.dll
c:\program files (x86)\MyScrapNook_12EI
c:\program files (x86)\MyScrapNook_12EI\Installr\1.bin\12EIPlug.dll
c:\program files (x86)\MyScrapNook_12EI\Installr\1.bin\12EZSETP.dll
c:\program files (x86)\MyScrapNook_12EI\Installr\1.bin\NP12EISb.dll
c:\users\vmh\1gy.exe
c:\users\vmh\AppData\Roaming\{34285B07-372F-121D-311F-030FAAD0CEF3}.exe
c:\users\vmh\AppData\Roaming\Oqugi
c:\users\vmh\AppData\Roaming\Oqugi\nyby.exe
c:\users\vmh\AppData\Roaming\Wety
c:\users\vmh\AppData\Roaming\Wety\gudax.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Windows Internet Name Service
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-06 to 2013-09-06  )))))))))))))))))))))))))))))))
.
.
2013-09-06 17:17 . 2013-09-06 17:17 -------- d-----w- c:\users\vmh\AppData\Local\temp
2013-09-06 17:17 . 2013-09-06 17:17 -------- d-----w- c:\users\User\AppData\Local\temp
2013-09-06 17:17 . 2013-09-06 17:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-06 15:57 . 2013-09-06 15:57 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ADD95281-C7C4-467B-9428-E747994A0D93}\offreg.dll
2013-09-06 15:47 . 2013-09-06 15:47 -------- d-----w- c:\users\administrator.WABELTOOL\AppData\Local\Google
2013-09-06 15:46 . 2013-09-06 15:46 -------- d-----w- c:\users\administrator.WABELTOOL\AppData\Roaming\Apple Computer
2013-09-06 15:46 . 2013-09-06 15:46 -------- d-----w- c:\users\administrator.WABELTOOL\AppData\Local\Symantec
2013-09-06 15:46 . 2013-09-06 15:46 -------- d-----r- c:\users\administrator.WABELTOOL\Virtual Machines
2013-09-04 14:18 . 2013-08-06 08:58 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ADD95281-C7C4-467B-9428-E747994A0D93}\mpengine.dll
2013-09-03 13:50 . 2013-09-03 13:50 -------- d-----w- c:\program files (x86)\Tor
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-03 13:46 . 2013-07-17 15:40 346624 ----a-w- c:\windows\SysWow64\drivers\blds.exe
2013-09-03 13:46 . 2013-07-17 15:40 346624 ----a-w- c:\windows\SysWow64\drivers\BleServicesCtrl.exe
2013-08-07 09:22 . 2011-05-24 14:11 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-07-08 14:34 . 2013-02-05 21:43 399360 ----a-w- c:\windows\SysWow64\uti.exe
2013-07-08 14:34 . 2013-01-22 17:06 399360 ----a-w- c:\windows\SysWow64\TrustedInstaller.exe
2010-12-16 20:39 701440 --sha-r- c:\windows\wbem\vp8encoder.dll
2013-02-10 08:53 5013344 --sha-r- c:\windows\wbem\wmiadap.exe
2013-02-10 08:53 3737440 --sha-r- c:\windows\wbem\wmiapsrv.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{0214754e-4e7d-4589-829d-e2523e6a3085}]
2012-10-01 17:23 699536 ----a-w- c:\progra~2\MYSCRA~2\bar\1.bin\12bar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{06e05b40-77fa-40b6-9077-ed1a7577b1ef}]
2012-10-10 20:01 62864 ----a-w- c:\program files (x86)\UtilityChest_49\bar\1.bin\49SrcAs.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{58f7b5ca-1162-42e8-8bbc-d543b4edd780}]
2012-10-10 20:01 703632 ----a-w- c:\progra~2\UTILIT~2\bar\1.bin\49bar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{65f159fb-5f5e-46f4-b45d-ccfa236d2073}]
2012-10-01 17:23 62864 ----a-w- c:\program files (x86)\MyScrapNook_12\bar\1.bin\12SrcAs.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{66516A07-F617-488A-90CF-4E690CFB3C5F}]
2013-06-28 20:46 2572944 ----a-w- c:\users\vmh\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{9427041a-a8dc-4d06-9a68-93873486e957}]
2013-07-17 08:13 226592 ----a-w- c:\program files (x86)\Productivity_3.1\prxtbPro0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}]
2013-07-17 08:13 226592 ----a-w- c:\program files (x86)\WiseConvert\prxtbWis0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{fa63398e-322b-4833-9af3-15837ad12138}]
2012-03-14 11:14 87008 ----a-w- c:\program files (x86)\searchresults\searchresultsDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{9427041a-a8dc-4d06-9a68-93873486e957}"= "c:\program files (x86)\Productivity_3.1\prxtbPro0.dll" [2013-07-17 226592]
"{fa63398e-322b-4833-9af3-15837ad12138}"= "c:\program files (x86)\searchresults\searchresultsDx.dll" [2012-03-14 87008]
"{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}"= "c:\program files (x86)\WiseConvert\prxtbWis0.dll" [2013-07-17 226592]
"{311B58DC-A4DC-4B04-B1B5-60299AD3D803}"= "c:\users\vmh\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll" [2013-06-28 2572944]
.
[HKEY_CLASSES_ROOT\clsid\{9427041a-a8dc-4d06-9a68-93873486e957}]
.
[HKEY_CLASSES_ROOT\clsid\{fa63398e-322b-4833-9af3-15837ad12138}]
.
[HKEY_CLASSES_ROOT\clsid\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}]
.
[HKEY_CLASSES_ROOT\clsid\{311b58dc-a4dc-4b04-b1b5-60299ad3d803}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\ShopAtHome.ShopAtHome]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP KEYBOARDx"="c:\program files (x86)\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE" [2010-02-11 710656]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
"BATINDICATOR"="c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe" [2009-05-09 2068992]
"LaunchHPOSIAPP"="c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe" [2009-04-04 385024]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2009-12-12 11265536]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"TaskTray"="" [BU]
"My Scrap Nook Search Scope Monitor"="c:\progra~2\MYSCRA~2\bar\1.bin\12srchmn.exe" [2012-10-01 42536]
"MyScrapNook_12 Browser Plugin Loader"="c:\progra~2\MYSCRA~2\bar\1.bin\12brmon.exe" [2012-10-01 30096]
"Utility Chest Search Scope Monitor"="c:\progra~2\UTILIT~2\bar\1.bin\49srchmn.exe" [2012-10-10 42536]
"UtilityChest_49 Browser Plugin Loader"="c:\progra~2\UTILIT~2\bar\1.bin\49brmon.exe" [2012-10-10 30096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\qttask.exe" [2013-01-25 421888]
"RegTask"="c:\program files (x86)\RegTask\RegTask.exe" [2012-05-10 11754832]
"ShopAtHomeWatcher"="c:\users\vmh\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe" [2013-06-28 128656]
"ShopAtHomeUpdater"="c:\users\vmh\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeUpdater.exe" [2013-06-28 179856]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
Symantec Backup Exec Desktop Agent.lnk - c:\program files (x86)\Symantec\Backup Exec\DLO\DLOClientu.exe -u [2009-11-25 7595384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2009-12-07 19:36 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ    DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3299171934-1787352723-2780569941-1133\Scripts\Logoff\0\0]
"Script"=\\wabeltool.local\SYSVOL\wabeltool.local\scripts\Log_Logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3299171934-1787352723-2780569941-1133\Scripts\Logon\0\0]
"Script"=\\wabeltool.local\SYSVOL\wabeltool.local\scripts\Log_Logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3299171934-1787352723-2780569941-500\Scripts\Logoff\0\0]
"Script"=\\wabeltool.local\SYSVOL\wabeltool.local\scripts\Log_Logoff.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3299171934-1787352723-2780569941-500\Scripts\Logon\0\0]
"Script"=\\wabeltool.local\SYSVOL\wabeltool.local\scripts\Log_Logon.bat
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 tor;Tor Win32 Service;c:\program files (x86)\Tor\tor.exe;c:\program files (x86)\Tor\tor.exe [x]
R2 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe;c:\program files (x86)\Xobni\XobniService.exe [x]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys;c:\windows\SYSNATIVE\DRIVERS\DAMDrv64.sys [x]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe;c:\windows\SysWOW64\flcdlock.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
R3 OxPPort;OxPPort;c:\windows\system32\DRIVERS\OxPPort.sys;c:\windows\SYSNATIVE\DRIVERS\OxPPort.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tvnserver;TightVNC Server;c:\users\vmh\AppData\Local\CrossLoop\tvnserver.exe;c:\users\vmh\AppData\Local\CrossLoop\tvnserver.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 RsvLock;RsvLock; [x]
S2 bthsrv;Bluetooth Service;c:\windows\SysWOW64\Drivers\BleServicesCtrl.exe;c:\windows\SysWOW64\Drivers\BleServicesCtrl.exe [x]
S2 CrossLoopService;CrossLoop Service;c:\users\vmh\AppData\Local\CrossLoop\CrossLoopService.exe;c:\users\vmh\AppData\Local\CrossLoop\CrossLoopService.exe [x]
S2 DLOChangeJournalSvc;Symantec Backup Exec Desktop Agent Change Journal Reader;c:\program files (x86)\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe;c:\program files (x86)\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe [x]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [x]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
S2 IBUpdaterService;Updater Service;c:\programdata\IBUpdaterService\ibsvc.exe;c:\programdata\IBUpdaterService\ibsvc.exe [x]
S2 MyScrapNook_12Service;My Scrap NookService;c:\progra~2\MYSCRA~2\bar\1.bin\12barsvc.exe;c:\progra~2\MYSCRA~2\bar\1.bin\12barsvc.exe [x]
S2 netaservice;Network Adapter  ;c:\windows\wbem\wmiadap.exe;c:\windows\wbem\wmiadap.exe [x]
S2 Trusted Installer;Trusted Installer;c:\windows\SysWOW64\TrustedInstaller.exe;c:\windows\SysWOW64\TrustedInstaller.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 UtilityChest_49Service;Utility ChestService;c:\progra~2\UTILIT~2\bar\1.bin\49barsvc.exe;c:\progra~2\UTILIT~2\bar\1.bin\49barsvc.exe [x]
S3 DEBridge;DEBridge;c:\program files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe;c:\program files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 HPKBx64;HP Keyboard Smart Card Driver;c:\windows\system32\DRIVERS\HPKBx64.sys;c:\windows\SYSNATIVE\DRIVERS\HPKBx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-30 18:57 1177552 ----a-w- c:\program files (x86)\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-09 08:39]
.
2013-09-06 c:\windows\Tasks\DLOClientu.exe - WABELTOOL_vmh.job
- c:\program files (x86)\Symantec\Backup Exec\DLO\DLOClientu.exe [2009-11-25 13:22]
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-08 13:50]
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-08 13:50]
.
2013-08-07 c:\windows\Tasks\HPCeeScheduleForJENNY-W7$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
2013-09-03 c:\windows\Tasks\HPCeeScheduleForvmh.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
2013-09-06 c:\windows\Tasks\RegTask.job
- c:\program files (x86)\RegTask\RegTask.exe [2012-05-10 21:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-05-07 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-05-07 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-05-07 413208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files (x86)\SuperFish\Superfish.dll
TCP: DhcpNameServer = 192.168.254.4 208.67.220.220 208.67.222.222
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-!{cf67755f-9265-449c-87cf-b945519e073b} - (no file)
Toolbar-!{fe6f06fb-0fc0-4499-828f-ee48088f504f} - (no file)
Toolbar-10 - (no file)
WebBrowser-{9427041A-A8DC-4D06-9A68-93873486E957} - (no file)
WebBrowser-{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1} - (no file)
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{9427041A-A8DC-4D06-9A68-93873486E957}"=hex:51,66,7a,6c,4c,1d,3b,1b,0a,19,37,
   84,e2,fa,6e,01,8f,60,d5,c7,35,c2,a4,4c
"{FA63398E-322B-4833-9AF3-15837AD12138}"=hex:51,66,7a,6c,4c,1d,3b,1b,9e,24,73,
   ea,15,60,5b,04,8f,fb,53,c3,7b,95,6c,23
"{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}"=hex:51,66,7a,6c,4c,1d,3b,1b,e8,85,c8,
   fb,c8,ae,fc,0a,a9,33,ac,fc,73,35,a3,aa
"{311B58DC-A4DC-4B04-B1B5-60299AD3D803}"=hex:51,66,7a,6c,4c,1d,3b,1b,cc,45,0b,
   21,e2,f6,6c,07,a4,bd,26,69,9b,97,95,18
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,3b,1b,a1,df,08,
   33,5b,1b,bc,5d,8e,10,46,d0,26,e1,80,54
"{0214754E-4E7D-4589-829D-E2523E6A3085}"=hex:51,66,7a,6c,4c,1d,3b,1b,5e,68,04,
   12,43,1c,e1,09,97,95,a4,12,3f,2e,7d,9e
"{06E05B40-77FA-40B6-9077-ED1A7577B1EF}"=hex:51,66,7a,6c,4c,1d,3b,1b,50,46,f0,
   16,c4,25,de,0c,85,7f,ab,5a,74,33,fc,f4
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,15,cf,
   08,93,ba,eb,0e,b0,9e,bc,17,8d,6a,f0,d8
"{3134413B-49B4-425C-98A5-893C1F195601}"=hex:51,66,7a,6c,4c,1d,3b,1b,2b,5c,24,
   21,8a,1b,34,0e,8d,ad,cf,7c,1e,5d,1b,1a
"{395610AE-C624-4F58-B89E-23733EA00F9A}"=hex:51,66,7a,6c,4c,1d,3b,1b,be,0d,46,
   29,1a,94,30,03,ad,96,65,33,3f,e4,42,81
"{58F7B5CA-1162-42E8-8BBC-D543B4EDD780}"=hex:51,66,7a,6c,4c,1d,3b,1b,da,a8,e7,
   48,5c,43,80,0e,9e,b4,93,03,b5,a9,9a,9b
"{65F159FB-5F5E-46F4-B45D-CCFA236D2073}"=hex:51,66,7a,6c,4c,1d,3b,1b,eb,44,e1,
   75,60,0d,9c,0a,a1,55,8a,ba,22,29,6d,68
"{66516A07-F617-488A-90CF-4E690CFB3C5F}"=hex:51,66,7a,6c,4c,1d,3b,1b,17,77,41,
   76,29,a4,e2,04,85,c7,08,29,0d,bf,71,44
"{74F475FA-6C75-43BD-AAB9-ECDA6184F600}"=hex:51,66,7a,6c,4c,1d,3b,1b,ea,68,e4,
   64,4b,3e,d5,0f,bf,b1,aa,9a,60,c0,bb,1b
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,3b,1b,74,c9,20,
   80,3c,1e,d7,06,9b,c4,17,24,77,4c,2e,dd
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,3b,1b,48,f0,48,
   ba,e3,53,f9,01,96,3b,89,50,56,30,3e,ec
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,3b,1b,25,b5,e3,
   a4,1f,5c,31,05,af,2a,04,f3,01,ca,4f,e4
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,3b,1b,54,1d,d8,
   cb,7b,f6,33,0f,a9,7c,da,65,c0,81,c5,b2
"{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}"=hex:51,66,7a,6c,4c,1d,3b,1b,45,ca,7f,
   f7,84,93,a3,01,8a,1b,df,fd,90,66,77,c5
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,3b,1b,6f,c3,fa,
   ad,5b,90,b8,5d,a9,e5,46,e0,c8,4e,f8,14
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:b6,92,d5,74,18,ab,ce,01
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,82,f7,2d,4d,5e,f8,4f,9f,9d,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,82,f7,2d,4d,5e,f8,4f,9f,9d,7b,\
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.PARTIAL"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.SVG"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.WEBSITE"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.XHT"
.
[HKEY_USERS\S-1-5-21-3299171934-1787352723-2780569941-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.XHT"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\wbem\wmiapsrv.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\SysWOW64\schtasks.exe
c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
c:\windows\wbem\wmiapsrv.exe
c:\program files (x86)\MyScrapNook_12\bar\1.bin\12brmon.exe
c:\program files (x86)\UtilityChest_49\bar\1.bin\49brmon.exe
.
**************************************************************************
.
Completion time: 2013-09-06  13:27:19 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-06 18:27
ComboFix2.txt  2013-09-06 16:29
.
Pre-Run: 901,374,320,640 bytes free
Post-Run: 901,200,801,792 bytes free
.
- - End Of File - - 72B18AA14DFA792F5B0248D4023D0339
 





#17 admiralnorman (Topic Starter)
  • Members
  • 11 posts
  • Local time: 01:45 AM

Posted 06 September 2013 - 03:30 PM

Same here, client infected. May try this approach: http://www.bleepingcomputer.com/virus-removal/remove-everything-on-your-computer-has-been-encrypted

 
I did attempt the repair steps in this thread, but it did not fix the problem. The program does not detect the infection, nor does it decrypt any of the files.
 
I will add that I was not hopeful, as it seems to populate itself in a completely different way.

I would not recommend paying the ransom.

 
Me too. Although I'd like to see, if someone tries it, whether you get access to your files back, and if so, for how long.

<AdwCleaner log was here>

 
Mods normally yell at us for running this without them telling us to.

Edited by Grinler, 10 September 2013 - 07:55 AM.
Removed unrelated log files


#18 SysAdminBadger
  • Members
  • 6 posts
  • Local time: 11:45 PM

Posted 06 September 2013 - 04:55 PM

I also have a customer that is affected by this.  This has even crossed onto their main file server and encrypted the contents of their shared folders and files.

 

Does anyone have any information as to a fix?  First to clean the infection and then to decrypt the files? 



#19 proapp
  • Members
  • 35 posts
  • Local time: 12:45 AM

Posted 06 September 2013 - 04:58 PM

I Paid the ransom.   It is decrypting the files now.  Trend Micro was NO HELP...  i was on chat support with them for 4 hours. 

 

The author of this is genius.  Evil genius, but genius none the less..  As much hate as i have for this person, i will admit that their little hijack was written rather well.

 

 

once you pay it tells you that the payments are processed manually and it can take 48 hours to complete.   then i recieved a bluescreen of death.  rebooted and got another BSOD.  rebooted into safemode, manually ran the exe that is listed in MSCONFIG and to my suprise it saw that i had already submitted the Green Dot MoneyPak payment, said it was processing still, and then about 15 seconds later it started to decrypt the files.

 

Still decrypting.

 

As soon as it is done i will be disconnecting this PC from the network, making a full backup of the data on the server and getting rid of Trend Micro WFBS... 

 

This is the only time I have ever paid ransomware, but as stated before there was enough about this infection that made it worth the gamble of $100 USD.

 

So far I am glad I did.

 

I will let you know what happens after the decrypting finishes. The program states it will delete itself. We shall see.

 

P.S. I have confirmed that files it has already decrypted are in fact usable again.



#20 SysAdminBadger

  • Members
  • 6 posts
  • Local time:11:45 PM

Posted 06 September 2013 - 06:25 PM

Does anyone have any updates on this? 

 

ProApp, did everything decrypt as you hoped?  Any side effects?

 

How are you sure that it is truly gone and won't come back?



#21 SysAdminBadger

  • Members
  • 6 posts
  • Local time:11:45 PM

Posted 06 September 2013 - 07:06 PM

I am just curious if anyone from Bleeping Computer has seen this and if they are at least looking into this.  I would be willing to share what information, files, scans, logs, etc. that it takes to get this problem fixed.

 

All I see are new member posts.



#22 johnyens

  • Members
  • 2 posts
  • Local time:10:45 PM

Posted 06 September 2013 - 07:12 PM

I have a client that is infected as well. Files on the network drives have been encrypted. Not sure what to do here. Thinking about paying the ransom but would like to know that it works.

 

Client is NOT happy with Trend.

 

Anything I can do to help with a fix just let me know.



#23 Twotone

  • Members
  • 15 posts
  • Gender:Male
  • Location:Tennessee
  • Local time:11:45 PM

Posted 06 September 2013 - 07:22 PM

I also have a client infected with this. If I have to pay for them to get their files back I will but I would rather not. Any help would be appreciated. Also I have remote desktop setup on this PC so I could let someone log into my computer to get to theirs if needed.


Edited by Twotone, 06 September 2013 - 07:23 PM.


#24 proapp

  • Members
  • 35 posts
  • Local time:12:45 AM

Posted 06 September 2013 - 07:35 PM

Had to leave the office, will give you an update in a couple hours.

#25 proapp

  • Members
  • 35 posts
  • Local time:12:45 AM

Posted 06 September 2013 - 08:30 PM

Honestly, unless I go through each file one by one I will not know for sure if they all decrypted, but as I randomly check them they seem to be decrypted.

 

When it gets done it says to check all your files (in my case we are talking about tens of thousands of files) and if they are not decrypted then place them on your desktop and click retry...

 

As I stated, I haven't found any that are still encrypted.



#26 johnyens

  • Members
  • 2 posts
  • Local time:10:45 PM

Posted 06 September 2013 - 08:50 PM

OK, any trace of the software left on the infected machine?

 

Has anyone else taken the paid route and had success?

 

Personally I could restore from backup but there would be work from the day lost and it would be hard to figure out what to restore because not all files have been affected.

 

Ideally we could get a fix that just decrypts the files but time is of course critical.



#27 jonathan020

  • Members
  • 14 posts
  • Local time:01:45 AM

Posted 06 September 2013 - 08:59 PM

OK, any trace of the software left on the infected machine?

 

Has anyone else taken the paid route and had success?

 

Personally I could restore from backup but there would be work from the day lost and it would be hard to figure out what to restore because not all files have been affected.

 

Ideally we could get a fix that just decrypts the files but time is of course critical.

 

Same here. Going the restore from backup route but would be so much easier if an easy decrypt could be done. Am still waiting for a response from Trend but they did say it may take a few days.



#28 jburd1800

  • Members
  • 565 posts
  • Local time:01:45 AM

Posted 06 September 2013 - 09:09 PM

Well, by now, BC has figured that this thread is getting help. If people keep responding to it, it pushes it further down the food chain...

 

I would suggest that each/ all start their own topic in this forum and help will come. These guys are all volunteers and very busy.

 

Be patient, and good luck...


“May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently through the world and know its beauty all the days of your life.”


#29 matt138

  • Members
  • 2 posts
  • Local time:11:45 PM

Posted 06 September 2013 - 11:23 PM

I got this same thing going on.

Trend Micro WFBS.

Infected a workstation and made its way to the network shares on the DC.

Anyone got an update?



#30 brainstomp

  • Members
  • 1 posts
  • Local time:01:45 AM

Posted 08 September 2013 - 04:35 PM

Don't know if this will help anyone but I found the following on an infected computer: \HKEY_CURRENT_USER\software\CryptoLocker\Files. It lists all the encrypted files. Each file listed includes a unique string of data.

 

Value 1
  Name:            C:?$Recycle.Bin?S-1-5-21-1708537768-1060284298-839522115-1133?$IGGGMPN.xlsb
  Type:            REG_DWORD
  Data:            0x1a5f790

Value 2
  Name:            C:?$Recycle.Bin?S-1-5-21-1708537768-1060284298-839522115-1133?$IK1SMHM.xls
  Type:            REG_DWORD
  Data:            0x1a5f86a

 

The public key is located here \HKEY_CURRENT_USER\software\CryptoLocker\

 

Hope someone finds this useful.
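
A triage script for the registry key brainstomp describes, added here as an example and not something posted in the thread: it reads every value name under HKCU\Software\CryptoLocker\Files, turns the "?" separators back into "\" (an assumption based on the two values shown above), checks whether each file is still on disk, and writes a CSV so the affected files can be matched against backups. It is PowerShell, meant to be run under the infected user's profile; the CSV location is my choice.

```powershell
# Added example, not from the thread: build a triage inventory from the
# HKCU\Software\CryptoLocker\Files key. Assumption (from the two values quoted
# above): each value name is a full path with "\" replaced by "?", and each
# value is a REG_DWORD whose meaning is unknown, so it is recorded, not used.
$keyPath = 'HKCU:\Software\CryptoLocker\Files'
if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning "No $keyPath key found in this user profile."
    return
}

$key = Get-Item -LiteralPath $keyPath
$inventory = foreach ($name in $key.GetValueNames()) {
    $path = $name.Replace('?', '\')
    [PSCustomObject]@{
        Path        = $path
        StillExists = [System.IO.File]::Exists($path)   # sees hidden files too
        Unc         = $path.StartsWith('\\')             # \\server\share paths only;
                                                         # mapped drive letters are not flagged
        Data        = '0x{0:x}' -f $key.GetValue($name)  # raw DWORD, as in the listing
    }
}

# CSV on the desktop for the restore-from-backup work; one-line summary to the console.
$csv = Join-Path $env:USERPROFILE 'Desktop\cryptolocker-files.csv'
$inventory | Sort-Object Path | Export-Csv -LiteralPath $csv -NoTypeInformation

$present = @($inventory | Where-Object { $_.StillExists }).Count
$shares  = @($inventory | Where-Object { $_.Unc }).Count
'{0} encrypted files listed, {1} still present on disk, {2} on UNC shares; written to {3}' -f `
    @($inventory).Count, $present, $shares, $csv
```

Files the list shows as missing were already cleaned up or moved, so the CSV is also a quick check on whether a restore covered everything the key recorded.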
