
Malware/trojan help

This is a discussion on Malware/trojan help within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Post #1 - 11-23-2014, 11:16 PM - challett (Registered Member; Join Date: Oct 2004; Posts: 43; OS: Win 7)



Hello,

My computer is running considerably slower than normal. Additionally, the computer appears to be infected by the trojan Cryptowall. Thanks in advance for your help. FYI I do not have a boot CD (or CD drive) easily accessible.

Here is my DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17420 BrowserJavaVersion: 10.67.2
Run by Chris at 0:44:35 on 2014-11-24
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16291.12997 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\AppleOSSMgr.exe
C:\Windows\system32\AppleTimeSrv.exe
C:\Program Files (x86)\BookingBuilder\BBComm.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\BookingBuilder\BBLoader.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe
C:\Program Files (x86)\Travelex Insurance\Travelex Booksmart\Travelex Booksmart.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
C:\Program Files (x86)\BookingBuilder\lmgdsfnc.EXE
C:\Program Files (x86)\BookingBuilder\lmgdsint.EXE
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
mWinlogon: Userinit = userinit.exe
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Adobe Acrobat Create PDF Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
BHO: BookingBuilder Browser Control: {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\Program Files (x86)\BookingBuilder\LMIECTR2.DLL
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [BookingBuilder GDS Interface] C:\Program Files (x86)\BookingBuilder\LMGDSInt.EXE
uRun: [BookingBuilder Loader] C:\Program Files (x86)\BookingBuilder\BBLoader.EXE
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [com.apple.dav.bookmarks.daemon] C:\Program Files (x86)\Common Files\Apple\Internet Services\BookmarkDAV_client.exe
uRun: [AppleIEDAV] C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
mRun: [BookingBuilder GDS Interface] C:\Program Files (x86)\BookingBuilder\LMGDSInt.EXE
mRun: [BookingBuilder Loader] C:\Program Files (x86)\BookingBuilder\BBLoader.EXE
mRun: [Adobe Creative Cloud] "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT
StartupFolder: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL
StartupFolder: C:\Users\Chris\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Chris\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SENDTO~1.LNK - C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CODECP~1.LNK - C:\Windows\SysWOW64\C2MP\UpdateChecker.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TRAVEL~1.LNK - C:\Program Files (x86)\Travelex Insurance\Travelex Booksmart\Travelex Booksmart.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
Trusted Zone: agentware.net
Trusted Zone: agentware.net
Trusted Zone: protravel.int
Trusted Zone: protravelinc.com
Trusted Zone: sabre.com
Trusted Zone: sabre.com
Trusted Zone: secure02.com
Trusted Zone: site59.com
Trusted Zone: vaxvacationaccess.com
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{56D6E853-B60C-40A7-A430-765B25F9DBAE} : DHCPNameServer = 8.8.8.8
TCP: Interfaces\{AA84177B-A286-4A05-9239-B3595F8B311D} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AA84177B-A286-4A05-9239-B3595F8B311D}\14E64616A7D274575637470275966496 : DHCPNameServer = 4.2.2.2 8.8.8.8
TCP: Interfaces\{AA84177B-A286-4A05-9239-B3595F8B311D}\2475028416774786F627E6560245562727163656 : DHCPNameServer = 208.67.220.220 208.67.222.222
TCP: Interfaces\{AA84177B-A286-4A05-9239-B3595F8B311D}\4457E6465627D4966666C696E6 : DHCPNameServer = 10.0.1.1
TCP: Interfaces\{AA84177B-A286-4A05-9239-B3595F8B311D}\849716474702745756374727F6F6D6 : DHCPNameServer = 10.199.0.1 8.8.8.8 208.67.222.222
TCP: Interfaces\{AA84177B-A286-4A05-9239-B3595F8B311D}\D496649643632303C402A45647071636B6022454839302355636572756 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{BADE9EF5-7204-4075-8E46-FE97DC089C4D} : DHCPNameServer = 8.8.8.8 4.2.2.2
TCP: Interfaces\{F132489D-B3B9-4E11-A942-C9256974C6BB} : DHCPNameServer = 10.209.0.7 192.168.250.10
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: BookingBuilder Browser Control: {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\Program Files (x86)\BookingBuilder\LMIECT64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\Bootcamp.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist Corporate\1019\G2AWinLogon_x64.dll
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {81DCEDC9-DC5C-48AF-946A-45C09E8A33F0} - C:\Windows\System32\msiexec.exe /fu {ADA3F9C8-A6D3-4fcf-BFBB-EAD69AC0884E} /qb+
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL
FF - plugin: C:\Users\Chris\AppData\Local\Citrix\Plugins\104\npappdetector.dll
FF - plugin: C:\Users\Chris\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: C:\Users\Chris\AppData\Roaming\IDM\bin\npwidevinemediaoptimizer.dll
FF - plugin: C:\Windows\System32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_223.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - f84254c300000000000014109fcf66c7
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15807
FF - user.js: extensions.delta.vrsn - 1.8.16.16
FF - user.js: extensions.delta.vrsni - 1.8.16.16
FF - user.js: extensions.delta.vrsnTs - 1.8.16.169:04:00
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
.
.
.
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;C:\Windows\System32\drivers\AppleHFS.sys [2012-6-14 72576]
R0 AppleMNT;AppleMNT;C:\Windows\System32\drivers\AppleMNT.sys [2012-6-14 16256]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-1-16 16152]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-7-17 269008]
R1 GizmoDrv;Gizmo Device Driver;C:\Windows\System32\drivers\gizmodrv.sys [2013-4-13 34704]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\Windows\System32\AppleOSSMgr.exe [2012-6-14 224680]
R2 AppleTimeSrv;Apple Time Service;C:\Windows\System32\AppleTimeSrv.exe [2012-6-14 111528]
R2 BBComm;BookingBuilder Communication Service;C:\Program Files (x86)\BookingBuilder\BBComm.EXE [2010-4-28 87384]
R2 KeyAgent;KeyAgent;C:\Windows\System32\drivers\KeyAgent.sys [2012-6-14 17792]
R2 MacHALDriver;Mac HAL;C:\Windows\System32\drivers\MacHALDriver.sys [2012-6-14 22912]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 125584]
R2 OfficeSvc;Microsoft Office Service;C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-4-13 1907896]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-4-3 382272]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-1-16 363800]
R3 acpials;ALS Sensor Filter;C:\Windows\System32\drivers\acpials.sys [2011-4-12 9728]
R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;C:\Windows\System32\drivers\AppleBtBc.sys [2013-1-16 19456]
R3 applemtm;Apple Multitouch Mouse;C:\Windows\System32\drivers\applemtm.sys [2013-1-16 12288]
R3 applemtp;Apple Multitouch;C:\Windows\System32\drivers\applemtp.sys [2013-1-16 38912]
R3 B57ports;Broadcom Simple Communications Device;C:\Windows\System32\drivers\B57Ports.sys [2013-1-16 44544]
R3 bScsiSDa;bScsiSDa;C:\Windows\System32\drivers\bScsiSDa.sys [2013-1-16 78888]
R3 CirrusFilter;CS420xLowerFilter;C:\Windows\System32\drivers\CS420x64.sys [2013-1-16 18432]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-1-16 355096]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-1-16 785688]
R3 KeyMagic;USB Keyboard HID Filter;C:\Windows\System32\drivers\KeyMagic.sys [2013-1-16 32768]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-8-22 368624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-11-12 114688]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2013-3-27 178760]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-16 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-16 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-1-16 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-1-16 1255736]
.
=============== Created Last 30 ================
.
2014-11-24 05:44:05 1188440 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D75A9C6D-0B20-48FE-9575-E2F065F6B7E0}\gapaengine.dll
2014-11-24 05:43:57 11632448 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{94814F66-FD78-4427-99E4-481D3CABC1CE}\mpengine.dll
2014-11-19 22:29:43 11632448 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-11-18 06:44:39 1188440 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5162830E-DB19-494D-B7FF-74CCB85D824B}\gapaengine.dll
2014-11-13 21:36:38 -------- d-sh--w- C:\Users\Chris\AppData\Local\EmieBrowserModeList
2014-11-12 06:31:02 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-12 06:30:59 813744 ----a-w- C:\Program Files\Internet Explorer\iexplore.exe
2014-11-12 05:45:39 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-11-12 05:45:39 683520 ----a-w- C:\Windows\System32\termsrv.dll
2014-11-12 05:45:39 681984 ----a-w- C:\Windows\SysWow64\adtschema.dll
2014-11-12 05:45:39 681984 ----a-w- C:\Windows\System32\adtschema.dll
2014-11-12 05:45:39 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-11-12 05:45:39 155064 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-11-12 05:45:39 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2014-11-12 05:45:39 146432 ----a-w- C:\Windows\System32\msaudite.dll
2014-11-12 05:45:39 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-11-12 05:39:35 3198976 ----a-w- C:\Windows\System32\win32k.sys
2014-11-12 05:39:32 3241984 ----a-w- C:\Windows\System32\msi.dll
2014-11-12 05:39:31 2363904 ----a-w- C:\Windows\SysWow64\msi.dll
2014-11-12 05:39:27 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-11-12 05:39:27 304640 ----a-w- C:\Windows\System32\generaltel.dll
2014-11-12 05:39:27 228864 ----a-w- C:\Windows\System32\aepdu.dll
2014-11-12 05:32:03 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2014-11-12 05:32:03 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2014-11-12 05:32:03 1882624 ----a-w- C:\Windows\System32\msxml3.dll
2014-11-12 05:32:03 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-11-12 05:31:49 878080 ----a-w- C:\Windows\System32\IMJP10K.DLL
2014-11-12 05:31:49 701440 ----a-w- C:\Windows\SysWow64\IMJP10K.DLL
2014-11-12 05:31:36 680960 ----a-w- C:\Windows\System32\audiosrv.dll
2014-11-12 05:31:36 500224 ----a-w- C:\Windows\System32\AUDIOKSE.dll
2014-11-12 05:31:36 442880 ----a-w- C:\Windows\SysWow64\AUDIOKSE.dll
2014-11-12 05:31:36 440832 ----a-w- C:\Windows\System32\AudioEng.dll
2014-11-12 05:31:36 374784 ----a-w- C:\Windows\SysWow64\AudioEng.dll
2014-11-12 05:31:36 296448 ----a-w- C:\Windows\System32\AudioSes.dll
2014-11-12 05:31:36 284672 ----a-w- C:\Windows\System32\EncDump.dll
2014-11-12 05:31:36 195584 ----a-w- C:\Windows\SysWow64\AudioSes.dll
2014-11-12 05:22:59 77824 ----a-w- C:\Windows\System32\packager.dll
2014-11-12 05:22:59 67584 ----a-w- C:\Windows\SysWow64\packager.dll
2014-11-12 05:21:06 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2014-11-12 05:21:06 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
.
==================== Find3M ====================
.
2014-11-12 05:21:49 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-12 05:21:49 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-11-06 04:04:03 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-11-06 04:03:50 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-11-06 03:47:03 66560 ----a-w- C:\Windows\System32\iesetup.dll
2014-11-06 03:46:12 580096 ----a-w- C:\Windows\System32\vbscript.dll
2014-11-06 03:46:12 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-11-06 03:44:28 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2014-11-06 03:30:22 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-11-06 03:30:08 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-11-06 03:29:18 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-11-06 03:28:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-11-06 03:23:57 6040064 ----a-w- C:\Windows\System32\jscript9.dll
2014-11-06 03:20:18 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-06 03:13:43 501248 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-11-06 03:13:36 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-11-06 03:12:44 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-06 03:10:58 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2014-11-06 02:59:36 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-11-06 02:58:38 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-11-06 02:42:36 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-06 02:39:39 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-11-06 02:38:25 2124288 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-11-06 02:21:49 4298240 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-11-06 02:21:25 2051072 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-11-06 02:20:37 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-06 02:17:24 2365440 ----a-w- C:\Windows\System32\wininet.dll
2014-11-06 01:52:35 1892864 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-10-30 11:25:26 275080 ------w- C:\Windows\System32\MpSigStub.exe
2014-09-25 02:08:38 371712 ----a-w- C:\Windows\System32\qdvd.dll
2014-09-25 01:40:50 519680 ----a-w- C:\Windows\SysWow64\qdvd.dll
2014-09-19 09:42:52 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-09-19 09:42:51 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-09-19 09:42:49 342016 ----a-w- C:\Windows\System32\schannel.dll
2014-09-19 09:42:47 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-09-19 09:42:47 309760 ----a-w- C:\Windows\System32\ncrypt.dll
2014-09-19 09:42:44 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-09-19 09:42:41 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-09-19 09:23:55 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2014-09-19 09:23:52 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2014-09-19 09:23:49 248832 ----a-w- C:\Windows\SysWow64\schannel.dll
2014-09-19 09:23:46 221184 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2014-09-19 09:23:45 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2014-09-19 09:23:42 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-09-19 09:23:36 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2014-09-09 22:11:04 2048 ----a-w- C:\Windows\System32\tzres.dll
2014-09-09 21:47:10 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2014-09-04 05:23:20 424448 ----a-w- C:\Windows\System32\rastls.dll
2014-09-04 05:04:15 372736 ----a-w- C:\Windows\SysWow64\rastls.dll
2014-08-29 02:07:13 44032 ----a-w- C:\Windows\System32\tsgqec.dll
2014-08-29 02:07:13 3179520 ----a-w- C:\Windows\System32\rdpcorets.dll
2014-08-29 02:07:12 5780480 ----a-w- C:\Windows\System32\mstscax.dll
2014-08-29 02:07:10 322560 ----a-w- C:\Windows\System32\aaclient.dll
2014-08-29 0247 1125888 ----a-w- C:\Windows\System32\mstsc.exe
2014-08-29 01:44:52 37376 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2014-08-29 01:44:51 4922368 ----a-w- C:\Windows\SysWow64\mstscax.dll
2014-08-29 01:44:49 269312 ----a-w- C:\Windows\SysWow64\aaclient.dll
2014-08-29 01:44:19 1050112 ----a-w- C:\Windows\SysWow64\mstsc.exe
.
============= FINISH: 0:44:43.76 ===============
Attached Files: attach.zip (4.2 KB, 64 views)
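The DDS log above already holds the indicators a responder looks for: the ransom notes DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.URL planted in the user's Startup folder (so Windows reopens the note at every logon), autostart entries launched from user-writable AppData paths, a Delta toolbar profile written into Firefox's user.js, and a long list of domains in the IE Trusted Zone. The following script is an added example for this thread, not part of DDS, AdwCleaner or the advice given in it: it parses lines in DDS's "Pseudo HJT Report" format and sorts them into a review queue. The sample input is copied from the log above; the category names, the regexes and the "user-writable path" heuristic are the example's own assumptions, not a published signature set.

```python
"""Triage a DDS 'Pseudo HJT Report' for ransomware and adware persistence.

Added example for this thread; not part of DDS or AdwCleaner.  The rules are
assumptions a responder might start from, not an authoritative signature set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_REPORT = r"""
uRun: [Google Update] "C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [BookingBuilder Loader] C:\Program Files (x86)\BookingBuilder\BBLoader.EXE
StartupFolder: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT
StartupFolder: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL
StartupFolder: C:\Users\Chris\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe
Trusted Zone: sabre.com
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.aflt - babsst
TCP: NameServer = 192.168.1.1
"""

# DDS keys whose value is "[Name] <command line>" (HKCU, HKLM and 64-bit Run).
AUTORUN_KEYS = {"uRun", "mRun", "x64-Run"}
# First Windows path in a command line, quoted or not, up to a file extension.
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|lnk|txt|url|vbs|js|bat|cmd))\b"?',
    re.IGNORECASE,
)
# Locations a standard user can write to.  Legitimate software (updaters,
# Dropbox) lives there too, so a hit is a review item, not a verdict.
USER_WRITABLE_RE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.IGNORECASE)
# CryptoWall note names as they appear in this log; extend for other variants.
RANSOM_NOTE_RE = re.compile(r"DECRYPT_INSTRUCTION\.(?:TXT|URL)", re.IGNORECASE)
# Firefox user.js prefs written by the Delta/Babylon toolbar family
# (the AdwCleaner run later in the thread removed delta.xml and user.js).
ADWARE_PREF_RE = re.compile(r"^extensions\.(?:delta|babylon)\.", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "adware", "review" or "info" (assumed labels)
    reason: str
    line: str


def autostart_target(key: str, rest: str) -> str | None:
    """Return the file an autostart line ultimately launches, or None."""
    if key in AUTORUN_KEYS:
        m = PATH_RE.search(rest)
        return m.group("path") if m else None
    if key == "StartupFolder":
        # "shortcut.lnk - target.exe" for shortcuts, a bare path otherwise.
        return rest.rsplit(" - ", 1)[-1]
    return None


def triage(report: str) -> list[Finding]:
    """Classify each Pseudo-HJT line; unknown or benign lines produce nothing."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        key, rest = line.split(": ", 1)
        if key == "FF - user.js":
            pref = rest.split(" - ", 1)[0]
            if ADWARE_PREF_RE.match(pref):
                findings.append(Finding("adware", "browser-hijacker preference", line))
        elif key == "Trusted Zone":
            # IE applies weaker security settings to these domains.
            findings.append(Finding("info", "domain in IE Trusted Zone", line))
        else:
            target = autostart_target(key, rest)
            if target is None:
                continue
            if RANSOM_NOTE_RE.search(target):
                findings.append(Finding("high", "ransom note opened at logon", line))
            elif USER_WRITABLE_RE.search(target):
                findings.append(Finding("review", "autostart from user-writable path", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity bucket."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
    print(summarize(results))
```

On the sample the two DECRYPT_INSTRUCTION entries land in the high bucket, Google Update and Dropbox in the review bucket (both legitimate on this machine, which is exactly why that bucket is a queue for a human rather than a detection), and the two extensions.delta prefs in the adware bucket. Note what the high finding does and does not say: a ransom note in the Startup folder is persistence of the note, not proof that the CryptoWall binary is still running, and it says nothing about recovering the key.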
 
Post #2 - 11-25-2014, 01:49 PM - chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Join Date: Oct 2007; Location: Georgia; Posts: 29,790; OS: XP/Win7/Win10)



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

At this time, there is no way to retrieve the key needed to decrypt any files on your machine that were encrypted by Crypto virus.

If any of your files are encrypted, do you make backups of your data?

CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Do NOT click the green 'Download' button(if visible).
  • Click the blue 'Download now @bleepingcomputer' button.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Post #3 - 11-25-2014, 03:24 PM - challett (Registered Member; Join Date: Oct 2004; Posts: 43; OS: Win 7)



Thanks chemist. That's unfortunate about CryptoWall, but thanks for providing the info. Requested log here:

# AdwCleaner v4.102 - Report created 25/11/2014 at 18:21:24
# Updated 23/11/2014 by Xplode
# Database : 2014-11-25.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Chris - CHRISLAPTOP
# Running from : C:\Users\Chris\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\Chris\AppData\Local\Temp\mt_ffx
Folder Deleted : C:\Users\Chris\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Chris\AppData\Roaming\DSite
File Deleted : C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\invalidprefs.js
File Deleted : C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\searchplugins\delta.xml
File Deleted : C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\user.js
File Deleted : C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_eooncjejnppfjjklapaamhcdmjbilmde_0.localstorage
File Deleted : C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_igdhbblpcellaljokkpfhcjlagemhgjl_0.localstorage
File Deleted : C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
File Deleted : C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal

***** [ Scheduled Tasks ] *****

Task Deleted : DSite

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKCU\Software\dedadbb138bf42
Key Deleted : HKLM\SOFTWARE\dedadbb138bf42
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48D2-9061-8BBD4899EB08}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Deleted : HKCU\Software\BabylonToolbar
Key Deleted : HKCU\Software\DataMngr
[#] Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\Iminent
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\DataMngr
Key Deleted : HKLM\SOFTWARE\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\43C098337DB065A49B665D4EA7F16D1C
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A71991503412AEB42838B02C5ED9F9CD
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F7652513C62FF63448CFF05163719DB7
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\delta.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Airline Tickets and Flights to Worldwide Destinations - Delta Air Lines
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\YourTango | Smart Talk About Love
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\yourtango.com

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Mozilla Firefox v33.1 (x86 en-US)

[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.admin", false);
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.aflt", "babsst");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.autoRvrt", "false");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.dfltLng", "en");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.excTlbr", false);
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.id", "f84254c300000000000014109fcf66c7");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.instlDay", "15807");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.instlRef", "sst");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.newTab", false);
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.prdct", "delta");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.prtnrId", "delta");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.rvrt", "false");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.smplGrp", "none");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.tlbrId", "base");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.vrsn", "1.8.16.16");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.vrsnTs", "1.8.16.169:04:00");
[umgwae8c.default\prefs.js] - Line Deleted : user_pref("extensions.delta.vrsni", "1.8.16.16");

-\\ Google Chrome v39.0.2171.65

[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [14178 octets] - [25/11/2014 18:18:56]
AdwCleaner[S0].txt - [14043 octets] - [25/11/2014 18:21:24]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [14104 octets] ##########
Old 11-25-2014, 05:59 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello challett. You're very welcome. Did you lose any important files to encryption?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Double-click ComboFix.exe and follow the prompts to run it.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

Note: If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please open Task Manager and 'End Process' on explorer.exe

Next, go to File > New Task (Run...) and type explorer, then press 'Enter'.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 11-25-2014, 07:48 PM   #5
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7

Thanks Chemist. I haven't fully ascertained the damage of the encrypted files yet, sadly.

Here's the log requested:

ComboFix 14-11-25.01 - Chris 11/25/2014 21:31:54.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16291.13965 [GMT -6:00]
Running from: c:\users\Chris\Desktop\combofix.exe
AV: Norton AntiVirus *Disabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton AntiVirus *Disabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\BookingBuilder\BBLoader.EXE
c:\users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9E66FC2C-909B-4447-B0D7-2770182220E6}.xps
c:\users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B186138D-D94C-4929-9C69-A89C0ABC2967}.xps
.
.
((((((((((((((((((((((((( Files Created from 2014-10-26 to 2014-11-26 )))))))))))))))))))))))))))))))
.
.
2014-11-26 03:38 . 2014-11-26 03:38 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-11-26 03:38 . 2014-11-26 03:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-25 23:18 . 2014-11-25 23:21 -------- d-----w- C:\AdwCleaner
2014-11-25 23:10 . 2014-11-25 23:13 -------- d-----w- C:\NPE
2014-11-25 23:09 . 2014-11-25 23:16 -------- d-----w- c:\users\Chris\AppData\Local\NPE
2014-11-25 22:50 . 2014-11-25 22:50 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2014-11-25 22:49 . 2014-11-25 22:49 -------- d-----w- c:\windows\system32\drivers\NSTx64
2014-11-25 22:49 . 2014-11-25 22:49 -------- d-----w- c:\program files (x86)\Norton Identity Safe
2014-11-25 22:49 . 2014-11-25 22:49 177752 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2014-11-25 22:49 . 2014-11-25 22:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2014-11-25 22:48 . 2014-11-25 22:48 -------- d-----w- c:\windows\system32\drivers\NAVx64
2014-11-25 22:48 . 2014-11-25 22:48 -------- d-----w- c:\program files (x86)\Norton AntiVirus
2014-11-25 22:48 . 2014-11-25 22:49 -------- d-----w- c:\program files (x86)\NortonInstaller
2014-11-25 22:37 . 2014-11-25 23:09 -------- d-----w- c:\programdata\Norton
2014-11-19 22:30 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-19 22:30 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-19 22:30 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-19 22:30 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-11-13 21:36 . 2014-11-13 21:36 -------- d-sh--w- c:\users\Chris\AppData\Local\EmieBrowserModeList
2014-11-12 06:30 . 2014-11-07 19:49 813744 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2014-11-12 05:45 . 2014-10-14 02:16 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-11-12 05:45 . 2014-10-14 02:13 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-11-12 05:45 . 2014-10-14 02:12 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-11-12 05:45 . 2014-10-14 02:09 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-11-12 05:45 . 2014-10-14 02:07 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-11-12 05:45 . 2014-10-14 01:50 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-11-12 05:45 . 2014-10-14 01:49 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-11-12 05:45 . 2014-10-14 01:47 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-11-12 05:45 . 2014-10-14 01:46 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-11-12 05:39 . 2014-10-10 00:57 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-11-12 05:39 . 2014-10-14 02:13 3241984 ----a-w- c:\windows\system32\msi.dll
2014-11-12 05:39 . 2014-10-14 01:50 2363904 ----a-w- c:\windows\SysWow64\msi.dll
2014-11-12 05:39 . 2014-11-05 17:56 304640 ----a-w- c:\windows\system32\generaltel.dll
2014-11-12 05:39 . 2014-11-05 17:56 228864 ----a-w- c:\windows\system32\aepdu.dll
2014-11-12 05:39 . 2014-11-05 17:52 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-11-12 05:32 . 2014-08-21 06:43 1882624 ----a-w- c:\windows\system32\msxml3.dll
2014-11-12 05:32 . 2014-08-21 06:40 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-11-12 05:32 . 2014-08-21 06:26 1237504 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-11-12 05:32 . 2014-08-21 06:23 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2014-11-12 05:31 . 2014-08-12 02:02 878080 ----a-w- c:\windows\system32\IMJP10K.DLL
2014-11-12 05:31 . 2014-08-12 01:36 701440 ----a-w- c:\windows\SysWow64\IMJP10K.DLL
2014-11-12 05:31 . 2014-10-03 02:12 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-11-12 05:31 . 2014-10-03 02:11 284672 ----a-w- c:\windows\system32\EncDump.dll
2014-11-12 05:31 . 2014-10-03 02:11 680960 ----a-w- c:\windows\system32\audiosrv.dll
2014-11-12 05:31 . 2014-10-03 02:11 440832 ----a-w- c:\windows\system32\AudioEng.dll
2014-11-12 05:31 . 2014-10-03 02:11 296448 ----a-w- c:\windows\system32\AudioSes.dll
2014-11-12 05:31 . 2014-10-03 01:44 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll
2014-11-12 05:31 . 2014-10-03 01:44 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll
2014-11-12 05:31 . 2014-10-03 01:44 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll
2014-11-12 05:24 . 2014-09-19 09:42 210944 ----a-w- c:\windows\system32\wdigest.dll
2014-11-12 05:24 . 2014-09-19 09:42 86528 ----a-w- c:\windows\system32\TSpkg.dll
2014-11-12 05:24 . 2014-09-19 09:42 342016 ----a-w- c:\windows\system32\schannel.dll
2014-11-12 05:24 . 2014-09-19 09:42 314880 ----a-w- c:\windows\system32\msv1_0.dll
2014-11-12 05:24 . 2014-09-19 09:42 309760 ----a-w- c:\windows\system32\ncrypt.dll
2014-11-12 05:24 . 2014-09-19 09:42 22016 ----a-w- c:\windows\system32\credssp.dll
2014-11-12 05:24 . 2014-09-19 09:23 172032 ----a-w- c:\windows\SysWow64\wdigest.dll
2014-11-12 05:24 . 2014-09-19 09:23 65536 ----a-w- c:\windows\SysWow64\TSpkg.dll
2014-11-12 05:24 . 2014-09-19 09:23 248832 ----a-w- c:\windows\SysWow64\schannel.dll
2014-11-12 05:24 . 2014-09-19 09:23 221184 ----a-w- c:\windows\SysWow64\ncrypt.dll
2014-11-12 05:24 . 2014-09-19 09:23 259584 ----a-w- c:\windows\SysWow64\msv1_0.dll
2014-11-12 05:24 . 2014-09-19 09:23 17408 ----a-w- c:\windows\SysWow64\credssp.dll
2014-11-12 05:22 . 2014-10-25 01:57 77824 ----a-w- c:\windows\system32\packager.dll
2014-11-12 05:22 . 2014-10-25 01:32 67584 ----a-w- c:\windows\SysWow64\packager.dll
2014-11-12 05:21 . 2014-10-18 02:05 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-12 05:21 . 2014-10-18 01:33 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-11-07 06:23 . 2014-11-07 06:23 -------- d-----w- c:\program files (x86)\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-13 06:07 . 2013-01-16 12:18 103374192 ----a-w- c:\windows\system32\MRT.exe
2014-11-12 05:21 . 2013-01-17 22:39 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-12 05:21 . 2013-01-17 22:39 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-10-30 11:25 . 2010-11-21 03:27 275080 ------w- c:\windows\system32\MpSigStub.exe
2014-09-25 02:08 . 2014-10-01 17:23 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-01 17:23 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-09 22:11 . 2014-09-24 22:45 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-24 22:45 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-04 05:23 . 2014-10-16 20:03 424448 ----a-w- c:\windows\system32\rastls.dll
2014-09-04 05:04 . 2014-10-16 20:03 372736 ----a-w- c:\windows\SysWow64\rastls.dll
2014-08-29 02:07 . 2014-10-16 20:03 44032 ----a-w- c:\windows\system32\tsgqec.dll
2014-08-29 02:07 . 2014-10-16 20:03 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
2014-08-29 02:07 . 2014-10-16 20:03 5780480 ----a-w- c:\windows\system32\mstscax.dll
2014-08-29 02:07 . 2014-10-16 20:03 322560 ----a-w- c:\windows\system32\aaclient.dll
2014-08-29 02:06 . 2014-10-16 20:03 1125888 ----a-w- c:\windows\system32\mstsc.exe
2014-08-29 01:44 . 2014-10-16 20:03 37376 ----a-w- c:\windows\SysWow64\tsgqec.dll
2014-08-29 01:44 . 2014-10-16 20:03 4922368 ----a-w- c:\windows\SysWow64\mstscax.dll
2014-08-29 01:44 . 2014-10-16 20:03 269312 ----a-w- c:\windows\SysWow64\aaclient.dll
2014-08-29 01:44 . 2014-10-16 20:03 1050112 ----a-w- c:\windows\SysWow64\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-04-13 07:07 222712 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-04-13 07:07 222712 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-04-13 07:07 222712 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-01-17 19:39 1727176 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-01-17 19:39 1727176 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-01-17 19:39 1727176 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 131480 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 131480 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 131480 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BookingBuilder GDS Interface"="c:\program files (x86)\BookingBuilder\LMGDSInt.EXE" [2011-04-07 742808]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-11-20 59720]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-11-20 59720]
"AppleIEDAV"="c:\program files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe" [2013-11-15 1326408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-06-14 291096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-04-23 43848]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2012-09-24 3477640]
"BookingBuilder GDS Interface"="c:\program files (x86)\BookingBuilder\LMGDSInt.EXE" [2011-04-07 742808]
"Adobe Creative Cloud"="c:\program files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" [2014-02-02 2239376]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-05-27 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DECRYPT_INSTRUCTION.TXT [2014-11-11 4194]
DECRYPT_INSTRUCTION.URL [2014-11-12 410]
Dropbox.lnk - c:\users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-11-10 39198464]
Send to OneNote.lnk - c:\program files\Microsoft Office 15\root\office15\ONENOTEM.EXE /tsr [2013-10-11 221360]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CodecPackUpdateChecker.lnk - c:\windows\SysWOW64\C2MP\UpdateChecker.exe [2013-9-1 48248]
Travelex Booksmart.lnk - c:\program files (x86)\Travelex Insurance\Travelex Booksmart\Travelex Booksmart.exe [2013-11-14 216576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1506000.020\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NAVx64\1506000.020\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1506000.020\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NAVx64\1506000.020\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton AntiVirus\NortonData\21.6.0.32\Definitions\BASHDefs\20141118.001\BHDrvx64.sys;c:\program files (x86)\Norton AntiVirus\NortonData\21.6.0.32\Definitions\BASHDefs\20141118.001\BHDrvx64.sys [x]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAVx64\1506000.020\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NAVx64\1506000.020\ccSetx64.sys [x]
S1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NSTx64\7DE07080.017\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NSTx64\7DE07080.017\ccSetx64.sys [x]
S1 GizmoDrv;Gizmo Device Driver; [x]
S1 IDSVia64;IDSVia64;c:\program files (x86)\Norton AntiVirus\NortonData\21.6.0.32\Definitions\IPSDefs\20141124.001\IDSvia64.sys;c:\program files (x86)\Norton AntiVirus\NortonData\21.6.0.32\Definitions\IPSDefs\20141124.001\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1506000.020\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NAVx64\1506000.020\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NAVx64\1506000.020\SYMNETS.SYS;c:\windows\SYSNATIVE\drivers\NAVx64\1506000.020\SYMNETS.SYS [x]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe;c:\windows\SYSNATIVE\AppleOSSMgr.exe [x]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe;c:\windows\SYSNATIVE\AppleTimeSrv.exe [x]
S2 BBComm;BookingBuilder Communication Service;c:\program files (x86)\BookingBuilder\BBComm.EXE;c:\program files (x86)\BookingBuilder\BBComm.EXE [x]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys;c:\windows\SYSNATIVE\drivers\KeyAgent.sys [x]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys;c:\windows\SYSNATIVE\drivers\MacHALDriver.sys [x]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\21.6.0.32\NAV.exe;c:\program files (x86)\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [x]
S2 NCO;Norton Identity Safe;c:\program files (x86)\Norton Identity Safe\Engine\2014.7.8.23\NST.exe;c:\program files (x86)\Norton Identity Safe\Engine\2014.7.8.23\NST.exe [x]
S2 OfficeSvc;Microsoft Office Service;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys;c:\windows\SYSNATIVE\DRIVERS\acpials.sys [x]
S3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys;c:\windows\SYSNATIVE\DRIVERS\AppleBtBc.sys [x]
S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys;c:\windows\SYSNATIVE\DRIVERS\applemtm.sys [x]
S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys;c:\windows\SYSNATIVE\DRIVERS\applemtp.sys [x]
S3 B57ports;Broadcom Simple Communications Device;c:\windows\system32\DRIVERS\b57ports.sys;c:\windows\SYSNATIVE\DRIVERS\b57ports.sys [x]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiSDa.sys [x]
S3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys;c:\windows\SYSNATIVE\DRIVERS\CS420x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys;c:\windows\SYSNATIVE\DRIVERS\KeyMagic.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-11-26 03:24 1087304 ----a-w- c:\program files (x86)\Google\Chrome\Application\39.0.2171.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-17 05:21]
.
2014-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-16 12:00]
.
2014-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-16 12:00]
.
2014-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837425897-1178459677-791267422-1000Core.job
- c:\users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [2013-09-23 07:29]
.
2014-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837425897-1178459677-791267422-1000UA.job
- c:\users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [2013-09-23 07:29]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco1]
@="{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}"
[HKEY_CLASSES_ROOT\CLSID\{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}]
2014-01-31 22:45 643952 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco2]
@="{853B7E05-C47D-4985-909A-D0DC5C6D7303}"
[HKEY_CLASSES_ROOT\CLSID\{853B7E05-C47D-4985-909A-D0DC5C6D7303}]
2014-01-31 22:45 643952 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco3]
@="{42D38F2E-98E9-4382-B546-E24E4D6D04BB}"
[HKEY_CLASSES_ROOT\CLSID\{42D38F2E-98E9-4382-B546-E24E4D6D04BB}]
2014-01-31 22:45 643952 ----a-w- c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-04-13 07:07 261624 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-04-13 07:07 261624 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-04-13 07:07 261624 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 21:08 164760 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2012-06-14 741800]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-12-11 472984]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:Tabs
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
Trusted Zone: agentware.net
Trusted Zone: protravel.int
Trusted Zone: protravelinc.com
Trusted Zone: sabre.com
Trusted Zone: secure02.com
Trusted Zone: site59.com
Trusted Zone: vaxvacationaccess.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-BookingBuilder Loader - c:\program files (x86)\BookingBuilder\BBLoader.EXE
Wow6432Node-HKCU-Run-com.apple.dav.bookmarks.daemon - c:\program files (x86)\Common Files\Apple\Internet Services\BookmarkDAV_client.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-BookingBuilder Loader - c:\program files (x86)\BookingBuilder\BBLoader.EXE
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-Sabre VPN - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NCO]
"ImagePath"="\"c:\program files (x86)\Norton Identity Safe\Engine\2014.7.8.23\NST.exe\" /s \"NCO\" /m \"c:\program files (x86)\Norton Identity Safe\Engine\2014.7.8.23\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\system32\drivers\NAVx64\1506000.020\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files (x86)\Norton AntiVirus\Engine\21.6.0.32;c:\program files (x86)\Norton AntiVirus\Engine64\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1837425897-1178459677-791267422-1000_Classes\CLSID]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-11-25 21:39:33
ComboFix-quarantined-files.txt 2014-11-26 03:39
.
Pre-Run: 101,743,333,376 bytes free
Post-Run: 109,422,219,264 bytes free
.
- - End Of File - - DBC0E6607EC3EEABB88B8CC39D0A14C5
A36C5E4F47E84449FF07ED3517B43A31
Old 11-25-2014, 08:12 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, challett. I need you to click on any of your important files, pics, etc. and see if they are encrypted.

Why did you change from MSE to Norton?

Our instructions stated to not download/install any applications during the cleansing process.

------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /a/f/q "C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT"

A DOS window will open and close again; this is normal.

Repeat for the following:

cmd /c del /a/f/q "C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL"

------------------------------------------------------

Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-2.0.2.1012.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14-day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the Update Now >> link
  • After the update completes, click the Scan Now >> button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
------------------------------------------------------
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the scan log which shows the date and time of the scan just performed.
  • Click Copy to Clipboard
  • Paste the contents of the clipboard into your reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7, you must open the Web browser via a right-click using the Run as Administrator command.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 11-27-2014, 07:47 PM   #7
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7



Hi Chemist,

Sorry about the Norton mix-up - I actually switched before the cleaning process began, although I realize now that it was in fact after I had posted my initial logs. While searching for info about Cryptowall 2.0, I (mistakenly) understood that Norton could fix it.

Yes - the majority of my files are encrypted and definitely not everything is backed up.

Not sure if this is related, but I am also having trouble with both Skype and an occupation-specific program (Sabre Red) being unable to connect to their respective sources.

MBAM report:

Malwarebytes Anti-Malware

Scan Date: 11/27/2014
Scan Time: 6:03:55 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.27.08
Rootkit Database: v2014.11.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Chris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 375791
Time Elapsed: 3 min, 48 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.OpenCandy, C:\Users\Chris\Downloads\DTLite4471-0333.exe, Quarantined, [7450e25e98e40e28ce9529555baa669a],

Physical Sectors: 0
(No malicious items detected)


(end)

ESET log:

C:\$RECYCLE.BIN\S-1-5-21-1837425897-1178459677-791267422-1000\$R2OPIQ1.TXT Win32/Filecoder.CR trojan
C:\$RECYCLE.BIN\S-1-5-21-1837425897-1178459677-791267422-1000\$RNXTOY0.TXT Win32/Filecoder.CR trojan
C:\$RECYCLE.BIN\S-1-5-21-1837425897-1178459677-791267422-1000\$RWLASS2.TXT Win32/Filecoder.CR trojan
C:\AdwCleaner\Quarantine\C\Users\Chris\AppData\Roaming\Babylon\DECRYPT_INSTRUCTION.TXT.vir Win32/Filecoder.CR trojan
C:\Users\Chris\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\609588A3-2F55-41B9-93D7-B6C1EABE07EE.aplzod\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Adobe\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Adobe\contentstore\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Adobe\OOBE\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Apple\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Apple\Bonjour\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Apple Computer\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Apple Computer\iTunes\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Booksmart\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Booksmart\Backgrounds\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Booksmart\Log\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_0\audio\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\CacheWritableAdobeRoot\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\CacheWritableAdobeRoot\AssetCache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\CacheWritableAdobeRoot\AssetCache\JZ3HXHY5\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\ehome\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Internet Explorer\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Media Player\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Media Player\Art Cache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Office\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Office\15.0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Outlook\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Outlook\Offline Address Books\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Outlook\Offline Address Books\58d5f113-5b7f-437c-a445-8e601e68d404\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Outlook\Offline Address Books\a6ed4596-15b7-41e2-9401-c0f9d3852243\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Windows Mail\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Windows Mail\Backup\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Windows Mail\Backup\new\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Windows Mail\Stationery\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Windows Media\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Microsoft\Windows Media\12.0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Mozilla\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Mozilla\Firefox\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Mozilla\Firefox\Profiles\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Mozilla\Firefox\Profiles\umgwae8c.default\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Mozilla\Firefox\Profiles\umgwae8c.default\OfflineCache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Skype\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Local\Skype\Apps\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Adobe\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Adobe\Acrobat\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Adobe\Acrobat\11.0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Adobe\Acrobat\11.0\Search\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\Silverlight\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\Silverlight\is\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\Silverlight\is\c3z0jvek.gek\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\Silverlight\is\c3z0jvek.gek\hlfq2wqm.xye\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\Silverlight\is\c3z0jvek.gek\hlfq2wqm.xye\1\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\Silverlight\is\c3z0jvek.gek\hlfq2wqm.xye\1\s\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\Silverlight\is\c3z0jvek.gek\hlfq2wqm.xye\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Microsoft\Silverlight\is\c3z0jvek.gek\hlfq2wqm.xye\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\f\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\61\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_213\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_2D18\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_2F8E\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_31FB\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_75C\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_86E\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_A2E\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Adobe PDF\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Adobe PDF\Distiller\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Adobe PDF\Distiller\Data\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Adobe PDF\Distiller\Startup\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Adobe Photoshop CC\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Adobe Photoshop CC\Adobe Photoshop CC Settings\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Adobe\Flash Player\AssetCache\5GLK4GJG\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\BookmarkDAV\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\Logs\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\Logs\CrashReporter\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice\Chriss iPhone\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice\Chriss iPhone\com.apple.driver.AppleBCMWLANCore\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice\Chriss iPhone\com.apple.driver.AppleBCMWLANCore\2013-10-09_032026.579971BCMWLAN Cmdr Outbound Stall\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice\Chriss iPhone\com.apple.driver.AppleBCMWLANCore\2013-10-09_032026.579971BCMWLAN Cmdr Outbound Stall\StateSnapshots\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Apple Computer\MediaStream\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant\Local Store\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\da_DK\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\de_DE\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\en_GB\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\en_US\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\es_ES\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\fi_FI\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\fr_FR\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\it_IT\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\ja_JP\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\nb_NO\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\nl_NL\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\pt_BR\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\locale\sv_SE\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\templates\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat\Local Store\lib\templates\assets\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\DAEMON Tools Lite\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\DAEMON Tools Lite\MediaInfo\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\DAEMON Tools Lite\MediaInfo\img\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Dropbox\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Dropbox\bin\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Dropbox\instance1\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Document Building Blocks\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Document Building Blocks\1033\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Document Building Blocks\1033\15\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Excel\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Excel\CPH%20Travel%202014303461860045490865\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Excel\schedule303679342431284502\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Signatures\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\15\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Bibliography Styles\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\sessionstore-backups\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\storage\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\storage\persistent\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\storage\persistent\chrome\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\storage\persistent\chrome\idb\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\storage\persistent\moz-safe-about+home\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\storage\persistent\moz-safe-about+home\idb\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\cphallett\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\cphallett\media_messaging\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\cphallett\media_messaging\media_cache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\cphallett\media_messaging\media_cache\asyncdb\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\cphallett\media_messaging\storage_db\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\cphallett\media_messaging\storage_db\asyncdb\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\cphallett\qikdb\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\live#3achristopherjohnstevenson\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\live#3achristopherjohnstevenson\qikdb\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\shared_dynco\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\AppData\Roaming\Skype\shared_httpfe\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Desktop\Acrobat Professional XI Student and Teacher Edition (Download)\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Amazon Downloader Logs\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Clients\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Clients\Simone\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\My Data Sources\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\060814\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\060814\Hayden\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\060814\Me with Hayden\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\060814\Visitor\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\062214\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\062214\David\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\062214\David pt. 2\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\062214\Joe\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\062914\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\062914\David\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\Recon\NYBC\062914\Luke\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\TTS Business Card\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Downloads\cbsidlm-cbsi176-Media_Player_Codec_Pack-SEO-10749065.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\Chris\Dropbox\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\ACS Statements\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\ACS Statements\2010\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\ACS Statements\2011\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\ACS Statements\2012\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\ACS Statements\2013\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Ben\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Ben\India\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Ben\Saved from Ben's laptop\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Ben\Saved from Ben's laptop\Notes\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\Argentina\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\Australia\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\Edinburgh\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\Mexico City\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\Prague\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\Private\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\Puppies\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Camera Uploads\Shanghai\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Documents\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Gate\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Gosling\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Hallett\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Hallett\Beijing 4-23-2012\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Hallett\Mimi\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Hallett Concierge\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Hallett Concierge\Bowman - Dubai\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Hallett Concierge\Gosling\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Hallett Concierge\Gosling\Mendez\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Hallett Concierge\Liebenthal\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Photos\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Photos\Sample Photos\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Public\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Simone\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Simone\Orozco Cruise\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Dropbox\Stern\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\images\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\images\adlib\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\images\adlib\videos\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\images\chapters\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\images\features\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\images\home\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\images\more\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\images\videos\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Movies\Warm Bodies\Warm Bodies - iTunes Extras (v1.0).ite\videos\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Music\Pentatonix\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Music\Pentatonix\PTX, Vol. 2\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Music\Shane & Shane\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Music\Shane & Shane\Bring Your Nothing\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Music\Shane & Shane\The One You Need\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Music\tobyMac\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\Music\tobyMac\Christmas in Diverse City\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\TV Shows\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\TV Shows\The Big Bang Theory\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\iTunes\iTunes Media\TV Shows\The Big Bang Theory\Season 6\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Music\Matt Gilman\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\Photo Stream\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\Photo Stream\My Photo Stream\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\skype\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\skype\Breaking in\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\skype\Breaking Out\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\skype\Random pics\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\skype\Strapped\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\skype\Strip Poker\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Pictures\South America\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\W3EC_1010\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\W3EC_1010\.metadata\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\W3EC_1010\.metadata\.plugins\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\W3EC_1010\.metadata\.plugins\com.sabre.edge.platform.core.db\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\W3EC_1010\.metadata\.plugins\com.sabre.edge.platform.core.db\database\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\Y0B0_1101\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\Y0B0_1101\.metadata\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\Y0B0_1101\.metadata\.plugins\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\Y0B0_1101\.metadata\.plugins\com.sabre.edge.platform.core.db\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace\Settings\Y0B0_1101\.metadata\.plugins\com.sabre.edge.platform.core.db\database\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace_old\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace_old\Settings\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace_old\Settings\W3EC_1010\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace_old\Settings\W3EC_1010\.metadata\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace_old\Settings\W3EC_1010\.metadata\.plugins\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace_old\Settings\W3EC_1010\.metadata\.plugins\com.sabre.edge.platform.core.db\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Sabre Red Workspace_old\Settings\W3EC_1010\.metadata\.plugins\com.sabre.edge.platform.core.db\database\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Public\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\ACS Statements\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\ACS Statements\2010\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\ACS Statements\2011\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\ACS Statements\2012\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\ACS Statements\2013\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Ben\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Ben\India\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Ben\Saved from Ben's laptop\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Ben\Saved from Ben's laptop\Notes\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\Argentina\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\Australia\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\Edinburgh\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\Mexico City\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\Prague\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\Private\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\Puppies\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Camera Uploads\Shanghai\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Documents\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Gate\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Gosling\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Hallett\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Hallett\Beijing 4-23-2012\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Hallett\Mimi\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Hallett Concierge\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Hallett Concierge\Bowman - Dubai\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Hallett Concierge\Gosling\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Hallett Concierge\Gosling\Mendez\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Hallett Concierge\Liebenthal\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Photos\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Photos\Sample Photos\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Public\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Simone\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Simone\Orozco Cruise\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\Stern\decrypt_instruction.txt Win32/Filecoder.CR trojan
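The ESET log above lists one DECRYPT_INSTRUCTION.TXT per directory that CryptoWall touched, which makes the log itself the quickest map of what was encrypted. As an added example, not part of the thread, here is a small Python triage script that parses lines in that "<path> <detection>" format and summarises where the ransom notes landed (per profile root and per drive), keeping the non-ransomware detections such as the CNETInstaller PUA separate. The log-format assumption (a Windows path followed by a detection name containing a slash) is mine, and the sample lines are excerpted from the log above.

```python
"""Triage an ESET-style scan log: where did the ransom notes land?

Added example, not part of the forum thread. Assumes each line has the form
"<Windows path> <detection name>" where the detection name contains a "/"
(e.g. "Win32/Filecoder.CR trojan"), as in the ESET log quoted above.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Path = drive letter, then anything up to the last file name; detection =
# the rest of the line, starting at the first token containing "/". The
# optional "a variant of" prefix covers ESET's PUA wording.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?[^\\]+?) "
    r"(?P<threat>(?:(?:probably )?a variant of )?\S+/\S.*)$"
)

RANSOM_NOTE = "decrypt_instruction.txt"  # CryptoWall's note, compared case-insensitively

# Sample input: seven lines excerpted from the scan log above.
SAMPLE_LOG = r"""
C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Desktop\Acrobat Professional XI Student and Teacher Edition (Download)\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Chris\Downloads\cbsidlm-cbsi176-Media_Player_Codec_Pack-SEO-10749065.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\decrypt_instruction.txt Win32/Filecoder.CR trojan
D:\Users\challett\Dropbox\ACS Statements\2010\decrypt_instruction.txt Win32/Filecoder.CR trojan
"""


def parse_line(line):
    """Return (path, detection) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return (m.group("path"), m.group("threat")) if m else None


def summarise(lines):
    """Count ransom notes per profile root and per drive; list other detections."""
    notes_by_root = Counter()
    notes_by_drive = Counter()
    other = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank line or unexpected format
        path, threat = parsed
        p = PureWindowsPath(path)
        if p.name.lower() == RANSOM_NOTE:
            notes_by_drive[p.drive] += 1
            # First three components, e.g. C:\ + Users + Chris -> C:\Users\Chris
            notes_by_root[str(PureWindowsPath(*p.parts[:3]))] += 1
        else:
            other.append((path, threat))
    return {
        "notes_by_root": dict(notes_by_root),
        "notes_by_drive": dict(notes_by_drive),
        "other": other,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG.strip().splitlines())
    for root, n in sorted(result["notes_by_root"].items()):
        print(f"{n:4d} ransom note(s) under {root}")
    for path, threat in result["other"]:
        print(f"other detection: {threat} -> {path}")
```

Every directory holding a note should be treated as containing encrypted files, so the per-root counts tell you which profiles and which synced folders (here the Dropbox copy on D: as well as C:) need to be restored from a backup made before the infection rather than cleaned. The non-note detections are worth listing separately because they are a different kind of problem (a bundled installer, not the encryptor) and do not explain the application breakage.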
Old 11-28-2014, 10:08 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, challett. The Skype and Sabre VPN problems are most likely due to encrypted files. Try re-installing those applications.

It appears ComboFix quarantined a legit file.

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    C:\Qoobox\Quarantine\C\program files (x86)\BookingBuilder\BBLoader.EXE.vir

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analyzed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Please copy/paste the contents of that file in your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 11-28-2014, 07:33 PM   #9
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7



Hi Chemist -

Will try uninstalling and reinstalling. Thanks.

https://www.virustotal.com/en/file/e...is/1417231843/

--------------------------------------------

2014-11-26 03:38:58 . 2014-11-26 03:38:58 1,182 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Sabre VPN.reg.dat
2014-11-26 03:38:50 . 2014-11-26 03:38:50 377 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
2014-11-26 03:38:40 . 2014-11-26 03:38:40 261 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-BookingBuilder Loader.reg.dat
2014-11-26 03:38:39 . 2014-11-26 03:38:39 203 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-com.apple.dav.bookmarks.daemon.reg.dat
2014-11-26 03:38:39 . 2014-11-26 03:38:39 248 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-BookingBuilder Loader.reg.dat
2014-11-26 03:35:19 . 2014-11-26 03:35:19 21,724 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2014-11-26 03:30:18 . 2014-11-26 03:30:18 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2013-08-28 23:55:34 . 2013-08-28 23:55:39 1,463,761 ----a-w- C:\Qoobox\Quarantine\C\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B186138D-D94C-4929-9C69-A89C0ABC2967}.xps.vir
2013-01-23 07:27:25 . 2013-01-23 07:27:25 620,088 ----a-w- C:\Qoobox\Quarantine\C\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9E66FC2C-909B-4447-B0D7-2770182220E6}.xps.vir
2011-04-07 17:28:51 . 2011-04-07 17:28:51 36,864 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\BookingBuilder\BBLoader.EXE.vir
Old 11-28-2014, 07:47 PM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, challett. Thanks.

Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:

Code:
@echo off
rem Archive the quarantined file for submission. Needs a command-line zip.exe on the PATH;
rem stop with a message instead of silently producing no archive if it is missing.
where zip >nul 2>&1 || (echo zip.exe was not found on the PATH & pause & exit /b 1)
for %%g in (
"C:\Qoobox\Quarantine\C\program files (x86)\BookingBuilder\BBLoader.EXE.vir"
) do zip Files_for_submission %%g
rem Delete this batch file once the archive has been created
del %0
Save this as submit.bat (choose Save as type: All Files) to your desktop, then close the Notepad file.
It should look like this:

Right-click on submit.bat and choose 'Run as administrator' to allow it to run. This batch file will create a Files_for_submission.zip file in the same location where the batch file was saved.

Please submit it to this site ==> Submit Malware Sample

and include this link in the message:

http://www.techsupportforum.com/forums/f50/malware-trojan-help-922690.html#post5833746


Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
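Post #8 asks for a VirusTotal check on the quarantined BBLoader.EXE.vir, and post #10 packages that file for submission with a batch file that depends on a command-line zip being installed. As an added example that is neither the thread's batch file nor ComboFix tooling, here is a Python script that computes the file's SHA-256 (which can be looked up on VirusTotal without uploading anything), zips the file together with a manifest recording hash, size, origin and the thread URL, and reads the archive back before it counts as ready to send. The quarantine path mirrors the one named in the thread; the file contents are a constructed stand-in, and the VirusTotal URL form and the manifest layout are my choices, not the forum's.

```python
"""Hash and package a quarantined sample for submission.

Added example, not the thread's batch file. It uses Python's standard
library so it does not depend on a zip.exe being on the PATH. The
quarantine path mirrors the one named in the thread, but the file written
here is a constructed stand-in, not the real BBLoader.EXE.vir.
"""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

THREAD_URL = "http://www.techsupportforum.com/forums/f50/malware-trojan-help-922690.html#post5833746"

# Constructed stand-in contents (an MZ header and a marker string).
STAND_IN_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real file"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Stream the file so a large sample does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def virustotal_lookup_url(digest):
    """Report page for a hash; searching by hash discloses nothing about the file itself."""
    return f"https://www.virustotal.com/gui/file/{digest}"


def package_sample(sample_path, out_dir, reference_url):
    """Zip the sample plus a manifest (hash, size, origin) and verify the archive."""
    sample = Path(sample_path)
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of_file(sample)
    manifest = {
        "file": sample.name,
        "original_path": str(sample),
        "sha256": digest,
        "size": sample.stat().st_size,
        "reference": reference_url,
    }
    archive = out_dir / "Files_for_submission.zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(sample, arcname=sample.name)
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    # Read the archive back before anything is sent: silently ending up with
    # no usable archive is the failure the thread's batch file ran into.
    with zipfile.ZipFile(archive) as zf:
        if zf.testzip() is not None or sha256_hex(zf.read(sample.name)) != digest:
            raise RuntimeError("archive does not round-trip; do not submit it")
    return archive, manifest


def archive_names(archive):
    """Sorted member names, so a caller can confirm both files made it in."""
    with zipfile.ZipFile(archive) as zf:
        return sorted(zf.namelist())


def demo(root=None):
    """Create the stand-in under a Qoobox-like tree and package it."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    qdir = root / "Qoobox" / "Quarantine" / "C" / "program files (x86)" / "BookingBuilder"
    qdir.mkdir(parents=True, exist_ok=True)
    sample = qdir / "BBLoader.EXE.vir"
    sample.write_bytes(STAND_IN_BYTES)  # constructed stand-in, not the real file
    return package_sample(sample, root / "Desktop", THREAD_URL)


if __name__ == "__main__":
    archive, manifest = demo()
    print("archive:", archive)
    print("sha256 :", manifest["sha256"])
    print("lookup :", virustotal_lookup_url(manifest["sha256"]))
```

Hashing first matters on a machine where the antivirus has already flagged the file: if the hash is already known to VirusTotal you get a verdict without sending a file that may carry the user's data off the box. Python's zipfile cannot write password-protected archives, so if a submission site asks for the customary "infected" password, build that archive with 7-Zip instead and still include the manifest.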
Old 11-28-2014, 09:24 PM   #11
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7



Hi Chemist,

I reinstalled Sabre and Skype and neither is working. I don't want to troubleshoot further if it's going to cause problems for you, but Sabre is vital work software so I can't hold off for too long. Just let me know.

I couldn't make the batch file work. I created it. It ran. But it didn't create the zip. Can I just navigate to the quarantined file and zip it myself?

Thanks,
Chris
Old 11-29-2014, 04:54 AM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hi Chris. Yes, please try just navigating to that file and submitting it. Let me know.

Also, please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 12-01-2014, 01:40 AM   #13
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7



Hello chemist,

Sabre support was able to get Sabre up and running (had something to do with the hosts file if that's helpful to you).

Here is the FRST64 log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-12-2014
Ran by Chris (administrator) on CHRISLAPTOP on 01-12-2014 03:29:15
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris & UpdatusUser (Available profiles: Chris & UpdatusUser)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Windows\System32\AppleOSSMgr.exe
(Apple Inc.) C:\Windows\System32\AppleTimeSrv.exe
() C:\Program Files (x86)\BookingBuilder\BBComm.EXE
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\NAV.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.8.23\NST.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\NAV.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.8.23\NST.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Apple Inc.) C:\Program Files\Boot Camp\Bootcamp.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Travelex Insurance\Travelex Booksmart\Travelex Booksmart.exe
(Dropbox, Inc.) C:\Users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(LaunchMagic (R)) C:\Program Files (x86)\BookingBuilder\LMGDSFnc.EXE
(LaunchMagic (R)) C:\Program Files (x86)\BookingBuilder\LMGDSInt.EXE
(Oracle Corporation) C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Google Inc.) C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunes.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\ATH.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apple_KbdMgr] => C:\Program Files\Boot Camp\Bootcamp.exe [741800 2012-06-14] (Apple Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472984 2013-12-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291096 2012-06-13] (Intel Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-04-23] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3477640 2012-09-23] (Adobe Systems Inc.)
HKLM-x32\...\Run: [BookingBuilder GDS Interface] => C:\Program Files (x86)\BookingBuilder\LMGDSInt.EXE [742808 2011-04-07] (LaunchMagic (R))
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2239376 2014-02-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist Corporate\1084\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\...\Run: [BookingBuilder GDS Interface] => C:\Program Files (x86)\BookingBuilder\LMGDSInt.EXE [742808 2011-04-07] (LaunchMagic (R))
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\...\Run: [AppleIEDAV] => C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe [1326408 2013-11-15] (Apple Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Travelex Booksmart.lnk
ShortcutTarget: Travelex Booksmart.lnk -> C:\Program Files (x86)\Travelex Insurance\Travelex Booksmart\Travelex Booksmart.exe (Hewlett-Packard Company)
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CleanupNortelVPN.bat ()
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.microsoft.com/isapi/redir...=ie&ar=msnhome
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:tabs
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xC5ABEE1FDFF3CD01
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\S-1-5-21-1837425897-1178459677-791267422-1000 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = https://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=IDSSNAV&chn=retail&geo=US&ver=2014&locale=en_US&gct=kwd&qsrc=2869
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.8.23\coIEPlg.dll (Symantec Corporation)
BHO: BookingBuilder Browser Control -> {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} -> C:\Program Files (x86)\BookingBuilder\LMIECT64.dll (BookingBuilder)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.8.23\coIEPlg.dll (Symantec Corporation)
BHO-x32: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: BookingBuilder Browser Control -> {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} -> C:\Program Files (x86)\BookingBuilder\LMIECTR2.DLL (BookingBuilder)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.8.23\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM-x32 - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.8.23\coIEPlg.dll (Symantec Corporation)
Toolbar: HKU\S-1-5-21-1837425897-1178459677-791267422-1000 -> Norton Identity Safe Toolbar - {A13C2648-91D4-4BF3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.8.23\coIEPlg.dll (Symantec Corporation)
DPF: HKLM-x32 {4871A87A-BFDD-4106-8153-FFDE2BAC2967} https://dlm.tools.akamai.com/dlmanage...ex-2.2.6.2.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 203.186.94.22 203.80.96.10

FireFox:
========
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default
FF DefaultSearchEngine: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_239.dll ()
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin HKU\S-1-5-21-1837425897-1178459677-791267422-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Chris\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKU\S-1-5-21-1837425897-1178459677-791267422-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Chris\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-1837425897-1178459677-791267422-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Chris\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-1837425897-1178459677-791267422-1000: google.com/WidevineMediaOptimizer -> C:\Users\Chris\AppData\Roaming\IDM\bin\npwidevinemediaoptimizer.dll (Google Inc.)
FF Extension: AwardWallet - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\umgwae8c.default\Extensions\[email protected] [2014-07-13]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-01-16]
FF HKLM-x32\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.7.8.23\coFFPlgn
FF Extension: Norton Identity Safe Toolbar - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.7.8.23\coFFPlgn [2014-11-30]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPB6A90850-586C-4210-86C3-12BFA6CE404D&SSPV="
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-01-16]
CHR Extension: (Google Drive) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-01-16]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-06]
CHR Extension: (YouTube) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-01-16]
CHR Extension: (Google Search) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-01-16]
CHR Extension: (Adobe Acrobat - Create PDF) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2013-01-16]
CHR Extension: (Norton Identity Safe) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-11-28]
CHR Extension: (Google Wallet) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-28]
CHR Extension: (Norton Security Toolbar) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nppllibpnmahfaklnpggkibhkapjkeob [2014-11-28]
CHR Extension: (Gmail) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-01-16]
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.8.23\Exts\Chrome.crx [2014-11-25]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2012-09-23]
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.8.23\Exts\Chrome.crx [2014-11-25]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AppleOSSMgr; C:\Windows\system32\AppleOSSMgr.exe [224680 2012-06-14] ()
R2 BBComm; C:\Program Files (x86)\BookingBuilder\BBComm.EXE [87384 2010-04-28] ()
S3 GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist Corporate\1084\G2AC_Service.exe [310080 2014-11-30] (Citrix Online, a division of Citrix Systems, Inc.)
R2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [262968 2014-09-21] (Symantec Corporation)
R2 NCO; C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.8.23\NST.exe [130104 2014-09-20] (Symantec Corporation)
R2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1907896 2013-10-31] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 applemtm; C:\Windows\System32\DRIVERS\applemtm.sys [12288 2010-12-22] (Apple Inc.)
R3 applemtp; C:\Windows\System32\DRIVERS\applemtp.sys [38912 2010-12-22] (Apple Inc.)
R3 B57ports; C:\Windows\System32\DRIVERS\b57ports.sys [44544 2012-06-13] (Broadcom Corporation)
R1 BHDrvx64; C:\Program Files (x86)\Norton AntiVirus\NortonData\21.6.0.32\Definitions\BASHDefs\20141118.001\BHDrvx64.sys [1587416 2014-11-18] (Symantec Corporation)
R1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1506000.020\ccSetx64.sys [162392 2014-02-20] (Symantec Corporation)
R1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DE07080.017\ccSetx64.sys [162392 2013-09-27] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-08-26] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-08-26] (Symantec Corporation)
R1 GizmoDrv; C:\Windows\System32\Drivers\GizmoDrv.sys [34704 2013-04-13] (Arainia Solutions LLC)
R1 IDSVia64; C:\Program Files (x86)\Norton AntiVirus\NortonData\21.6.0.32\Definitions\IPSDefs\20141128.001\IDSvia64.sys [637656 2014-11-24] (Symantec Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton AntiVirus\NortonData\21.6.0.32\Definitions\VirusDefs\20141130.001\ENG64.SYS [129752 2014-08-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton AntiVirus\NortonData\21.6.0.32\Definitions\VirusDefs\20141130.001\EX64.SYS [2137304 2014-08-11] (Symantec Corporation)
R3 SRTSP; C:\Windows\system32\drivers\NAVx64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NAVx64\1506000.020\SYMDS64.SYS [493656 2014-08-25] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NAVx64\1506000.020\SYMEFA64.SYS [1148120 2014-08-25] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-11-25] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NAVx64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\system32\drivers\NAVx64\1506000.020\SYMNETS.SYS [593112 2014-08-25] (Symantec Corporation)
S3 catchme; \??\C:\combofix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 03:29 - 2014-12-01 03:29 - 00025352 _____ () C:\Users\Chris\Desktop\FRST.txt
2014-12-01 03:29 - 2014-12-01 03:29 - 00000000 ____D () C:\FRST
2014-12-01 03:27 - 2014-12-01 03:28 - 02117120 _____ (Farbar) C:\Users\Chris\Desktop\frst64.exe
2014-11-30 21:42 - 2014-11-30 21:42 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts_1417405332245
2014-11-30 21:33 - 2014-11-30 21:33 - 00002288 _____ () C:\Windows\system32\Drivers\etc\hosts_1417404783246
2014-11-28 23:17 - 2014-11-28 23:20 - 00010913 _____ () C:\Windows\SysWOW64\Files_for_submission.zip
2014-11-28 23:14 - 2014-11-28 23:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-11-28 23:14 - 2014-11-28 23:14 - 00002515 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-11-28 23:14 - 2014-11-28 23:14 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-11-28 23:12 - 2014-11-28 23:12 - 00002288 _____ () C:\Windows\system32\Drivers\etc\hosts_1417237965392
2014-11-28 23:08 - 2014-11-28 23:08 - 01546856 _____ (Skype Technologies S.A.) C:\Users\Chris\Downloads\SkypeSetup(1).exe
2014-11-28 23:08 - 2014-11-28 23:08 - 00001768 _____ () C:\Users\Chris\Desktop\Sabre Red Workspace_W3EC_1010.lnk
2014-11-28 23:08 - 2014-11-28 23:08 - 00000000 ____D () C:\Users\Chris\Sabre Red Workspace
2014-11-28 23:08 - 2014-11-28 23:08 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sabre Red Workspace
2014-11-28 23:05 - 2014-11-28 23:08 - 00000000 ____D () C:\Sabre
2014-11-28 23:03 - 2014-11-28 23:04 - 49270871 _____ (Sabre Inc.) C:\Users\Chris\Downloads\Sabre Red Workspace-2.11.0-win32.exe
2014-11-27 21:40 - 2014-11-27 21:40 - 00037379 _____ () C:\Users\Chris\Desktop\ESET.txt
2014-11-27 18:40 - 2014-11-27 18:40 - 00000000 ____D () C:\Windows\System32\Tasks\Norton Identity Safe
2014-11-27 18:29 - 2014-11-27 18:29 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-11-27 18:28 - 2014-11-27 18:29 - 02347384 _____ (ESET) C:\Users\Chris\Downloads\esetsmartinstaller_enu.exe
2014-11-27 18:03 - 2014-11-27 21:44 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-27 18:03 - 2014-11-27 18:03 - 00001110 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-27 18:03 - 2014-11-27 18:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-27 18:03 - 2014-11-27 18:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-27 18:03 - 2014-11-27 18:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-27 18:03 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-27 18:03 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-27 18:03 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-27 17:47 - 2014-11-27 17:47 - 00002288 _____ () C:\Windows\system32\Drivers\etc\hosts_1417132077501
2014-11-27 17:47 - 2014-11-27 17:47 - 00002288 _____ () C:\Windows\system32\Drivers\etc\hosts_1417132030087
2014-11-27 17:47 - 2014-11-27 17:47 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts_1417132047108
2014-11-27 17:47 - 2014-11-27 17:47 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts_1417132030023
2014-11-27 17:40 - 2014-11-27 17:40 - 00002288 _____ () C:\Windows\system32\Drivers\etc\hosts_1417131636311
2014-11-27 17:33 - 2014-11-27 17:33 - 00002288 _____ () C:\Windows\system32\Drivers\etc\hosts_1417131219200
2014-11-27 17:29 - 2014-11-27 17:29 - 00638888 _____ (Oracle Corporation) C:\Users\Chris\Downloads\JavaSetup8u25.exe
2014-11-27 01:29 - 2014-11-27 01:29 - 01546856 _____ (Skype Technologies S.A.) C:\Users\Chris\Downloads\SkypeSetup.exe
2014-11-27 01:29 - 2014-11-27 01:29 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-11-27 01:22 - 2014-11-28 23:15 - 00000000 ____D () C:\Users\Chris\AppData\Local\CrashDumps
2014-11-25 21:39 - 2014-11-25 21:39 - 00032683 _____ () C:\ComboFix.txt
2014-11-25 21:30 - 2014-11-25 21:39 - 00000000 ____D () C:\Qoobox
2014-11-25 21:30 - 2014-11-25 21:38 - 00000000 ____D () C:\Windows\erdnt
2014-11-25 21:30 - 2011-06-26 00:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-11-25 21:30 - 2010-11-07 11:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-11-25 21:30 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-11-25 21:30 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-11-25 21:30 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-11-25 21:30 - 2000-08-30 18:00 - 00098816 _____ () C:\Windows\sed.exe
2014-11-25 21:30 - 2000-08-30 18:00 - 00080412 _____ () C:\Windows\grep.exe
2014-11-25 21:30 - 2000-08-30 18:00 - 00068096 _____ () C:\Windows\zip.exe
2014-11-25 21:27 - 2014-11-25 21:27 - 05599228 ____R (Swearware) C:\Users\Chris\Desktop\combofix.exe
2014-11-25 17:18 - 2014-11-25 17:21 - 00000000 ____D () C:\AdwCleaner
2014-11-25 17:10 - 2014-11-25 17:13 - 00000000 ____D () C:\NPE
2014-11-25 17:09 - 2014-11-25 17:16 - 00000000 ____D () C:\Users\Chris\AppData\Local\NPE
2014-11-25 16:50 - 2014-11-25 16:50 - 00000000 ____D () C:\Windows\System32\Tasks\Norton AntiVirus
2014-11-25 16:49 - 2014-11-25 16:49 - 00177752 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
2014-11-25 16:49 - 2014-11-25 16:49 - 00008222 _____ () C:\Windows\system32\Drivers\SYMEVENT64x86.CAT
2014-11-25 16:49 - 2014-11-25 16:49 - 00003218 _____ () C:\Windows\System32\Tasks\Norton WSC Integration
2014-11-25 16:49 - 2014-11-25 16:49 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Identity Safe
2014-11-25 16:49 - 2014-11-25 16:49 - 00000000 ____D () C:\Windows\system32\Drivers\NSTx64
2014-11-25 16:49 - 2014-11-25 16:49 - 00000000 ____D () C:\Users\Chris\Documents\Symantec
2014-11-25 16:49 - 2014-11-25 16:49 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2014-11-25 16:49 - 2014-11-25 16:49 - 00000000 ____D () C:\Program Files (x86)\Norton Identity Safe
2014-11-25 16:48 - 2014-11-25 16:49 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton AntiVirus
2014-11-25 16:48 - 2014-11-25 16:48 - 00000000 ____D () C:\Windows\system32\Drivers\NAVx64
2014-11-25 16:48 - 2014-11-25 16:48 - 00000000 ____D () C:\Program Files (x86)\Norton AntiVirus
2014-11-25 16:37 - 2014-11-25 17:09 - 00000000 ____D () C:\ProgramData\Norton
2014-11-25 16:37 - 2014-11-25 16:49 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
2014-11-25 16:37 - 2014-11-25 16:37 - 00000000 ____D () C:\Users\Public\Downloads\Norton
2014-11-25 16:36 - 2014-11-25 16:36 - 01021888 _____ (Symantec Corporation) C:\Users\Chris\Downloads\NortonNAVDownloader.exe
2014-11-25 16:02 - 2014-11-25 16:02 - 02148864 _____ () C:\Users\Chris\Desktop\AdwCleaner.exe
2014-11-19 16:30 - 2014-11-10 21:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-19 16:30 - 2014-11-10 21:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-19 16:30 - 2014-11-10 20:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-19 16:30 - 2014-11-10 20:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-14 02:38 - 2014-11-14 02:48 - 44435904 _____ () C:\Users\Chris\Downloads\Pangu8_v1.2.1.exe
2014-11-13 15:36 - 2014-11-13 15:36 - 00000000 __SHD () C:\Users\Chris\AppData\Local\EmieBrowserModeList
2014-11-13 00:42 - 2014-11-13 00:42 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-11-12 00:31 - 2014-11-07 13:49 - 00388272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-12 00:31 - 2014-11-07 13:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-12 00:31 - 2014-11-05 22:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-12 00:31 - 2014-11-05 22:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-12 00:31 - 2014-11-05 21:47 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-12 00:31 - 2014-11-05 21:46 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-12 00:31 - 2014-11-05 21:35 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-12 00:31 - 2014-11-05 21:30 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-12 00:31 - 2014-11-05 21:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-12 00:31 - 2014-11-05 21:20 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-12 00:31 - 2014-11-05 21:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-12 00:31 - 2014-11-05 21:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-11-12 00:31 - 2014-11-05 21:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-12 00:31 - 2014-11-05 21:07 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-12 00:31 - 2014-11-05 21:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-12 00:31 - 2014-11-05 21:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-12 00:31 - 2014-11-05 21:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-12 00:31 - 2014-11-05 21:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-11-12 00:31 - 2014-11-05 20:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-11-12 00:31 - 2014-11-05 20:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-11-12 00:31 - 2014-11-05 20:57 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-12 00:31 - 2014-11-05 20:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-12 00:31 - 2014-11-05 20:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-11-12 00:31 - 2014-11-05 20:41 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-12 00:31 - 2014-11-05 20:41 - 00716800 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-12 00:31 - 2014-11-05 20:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-12 00:31 - 2014-11-05 20:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-12 00:31 - 2014-11-05 20:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-12 00:31 - 2014-11-05 20:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-12 00:31 - 2014-11-05 20:04 - 01550336 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-12 00:31 - 2014-11-05 20:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-12 00:31 - 2014-11-05 19:53 - 00799232 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-11-12 00:31 - 2014-11-05 19:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-12 00:31 - 2014-11-05 19:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-11-12 00:30 - 2014-11-05 22:03 - 25110016 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-12 00:30 - 2014-11-05 21:46 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-12 00:30 - 2014-11-05 21:44 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-12 00:30 - 2014-11-05 21:43 - 02884096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-12 00:30 - 2014-11-05 21:36 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-12 00:30 - 2014-11-05 21:31 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-12 00:30 - 2014-11-05 21:30 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-12 00:30 - 2014-11-05 21:29 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-12 00:30 - 2014-11-05 21:23 - 06040064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-12 00:30 - 2014-11-05 21:16 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-12 00:30 - 2014-11-05 21:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-11-12 00:30 - 2014-11-05 21:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-11-12 00:30 - 2014-11-05 21:02 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-12 00:30 - 2014-11-05 21:00 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-12 00:30 - 2014-11-05 20:39 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-12 00:30 - 2014-11-05 20:38 - 02124288 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-12 00:30 - 2014-11-05 20:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-12 00:30 - 2014-11-05 20:30 - 14390272 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-12 00:30 - 2014-11-05 20:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-12 00:30 - 2014-11-05 20:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-11-12 00:30 - 2014-11-05 20:17 - 02365440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-12 00:30 - 2014-11-05 19:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-11 23:45 - 2014-10-13 20:16 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-11 23:45 - 2014-10-13 20:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-11 23:45 - 2014-10-13 20:12 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-11 23:45 - 2014-10-13 20:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-11 23:45 - 2014-10-13 20:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-11 23:45 - 2014-10-13 19:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-11-11 23:45 - 2014-10-13 19:49 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-11-11 23:45 - 2014-10-13 19:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-11 23:45 - 2014-10-13 19:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-11 23:39 - 2014-11-05 11:56 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-11 23:39 - 2014-11-05 11:56 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-11 23:39 - 2014-11-05 11:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-11 23:39 - 2014-10-13 20:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-11 23:39 - 2014-10-13 19:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-11 23:39 - 2014-10-09 18:57 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-11 23:32 - 2014-08-21 00:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-11 23:32 - 2014-08-21 00:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-11 23:32 - 2014-08-21 00:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-11 23:32 - 2014-08-21 00:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-11-11 23:31 - 2014-10-02 20:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-11 23:31 - 2014-10-02 20:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-11 23:31 - 2014-10-02 20:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-11 23:31 - 2014-10-02 20:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-11 23:31 - 2014-10-02 20:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-11 23:31 - 2014-10-02 19:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-11 23:31 - 2014-10-02 19:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-11-11 23:31 - 2014-10-02 19:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-11-11 23:31 - 2014-08-11 20:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-11 23:31 - 2014-08-11 19:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2014-11-11 23:28 - 2014-11-11 23:28 - 00037353 _____ () C:\Users\Chris\Documents\Dagr.xls
2014-11-11 23:24 - 2014-09-19 03:42 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-11 23:24 - 2014-09-19 03:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-11 23:24 - 2014-09-19 03:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-11 23:24 - 2014-09-19 03:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-11 23:24 - 2014-09-19 03:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-11 23:24 - 2014-09-19 03:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-11 23:24 - 2014-09-19 03:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-11-11 23:24 - 2014-09-19 03:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-11 23:24 - 2014-09-19 03:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-11-11 23:24 - 2014-09-19 03:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-11-11 23:24 - 2014-09-19 03:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-11-11 23:24 - 2014-09-19 03:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-11-11 23:22 - 2014-10-24 19:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-11 23:22 - 2014-10-24 19:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-11 23:21 - 2014-10-17 20:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-11 23:21 - 2014-10-17 19:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-11 16:15 - 2014-11-11 16:15 - 00004194 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-11 16:15 - 2014-11-11 16:15 - 00004194 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-11-11 16:15 - 2014-11-11 16:15 - 00000268 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL
2014-11-11 16:15 - 2014-11-11 16:15 - 00000268 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
2014-11-11 15:56 - 2014-11-11 15:56 - 00004194 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:56 - 2014-11-11 15:56 - 00000268 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.URL
2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.URL
2014-11-11 15:47 - 2014-11-11 15:47 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 03:28 - 2013-01-16 06:12 - 00010192 _____ () C:\Users\Chris\sslvpn-client.log
2014-12-01 03:28 - 2013-01-16 06:12 - 00001770 _____ () C:\Users\Chris\sslvpn-client-out-err.log
2014-12-01 03:15 - 2013-01-16 04:18 - 01871819 _____ () C:\Windows\WindowsUpdate.log
2014-12-01 03:14 - 2009-07-13 22:51 - 00052278 _____ () C:\Windows\setupact.log
2014-12-01 02:58 - 2013-01-16 06:00 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-01 02:42 - 2013-01-17 16:39 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-01 02:04 - 2013-09-23 07:46 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837425897-1178459677-791267422-1000Core.job
2014-12-01 02:00 - 2013-01-16 06:52 - 00000000 ____D () C:\Users\Chris\AppData\Local\Adobe
2014-11-30 23:25 - 2009-07-13 22:45 - 00031280 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-30 23:25 - 2009-07-13 22:45 - 00031280 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-30 23:23 - 2009-07-13 23:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-30 23:19 - 2013-01-16 06:12 - 00000000 _____ () C:\Windows\system32\Drivers\etc\lmhosts.bak
2014-11-30 23:19 - 2013-01-16 06:12 - 00000000 _____ () C:\Windows\system32\Drivers\etc\hosts.bak
2014-11-30 23:19 - 2013-01-16 06:11 - 00000094 _____ () C:\Users\Chris\sslvpn-config.properties
2014-11-30 23:18 - 2013-01-16 11:40 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-11-30 23:18 - 2013-01-16 06:00 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-30 23:18 - 2010-11-20 21:47 - 00228074 _____ () C:\Windows\PFRO.log
2014-11-30 23:18 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-28 23:14 - 2013-01-17 16:34 - 00000000 ____D () C:\ProgramData\Skype
2014-11-28 23:12 - 2013-01-16 06:12 - 00000000 ____D () C:\Users\Chris\.jsapi
2014-11-28 23:09 - 2014-04-12 21:10 - 00000000 ____D () C:\Users\Chris\AppData\Local\609588A3-2F55-41B9-93D7-B6C1EABE07EE.aplzod
2014-11-28 23:08 - 2013-01-16 04:18 - 00000000 ____D () C:\Users\Chris
2014-11-27 17:42 - 2013-01-17 16:39 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-27 17:42 - 2013-01-17 16:39 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-11-27 17:42 - 2013-01-17 16:39 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-11-27 17:32 - 2013-10-03 21:01 - 00000000 ____D () C:\ProgramData\Oracle
2014-11-27 17:32 - 2013-10-03 21:01 - 00000000 ____D () C:\Program Files (x86)\Java
2014-11-27 17:31 - 2014-01-21 14:00 - 00272296 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-11-27 17:31 - 2013-10-20 17:13 - 00176552 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-11-27 17:31 - 2013-10-20 17:13 - 00176552 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-11-27 17:31 - 2013-10-20 17:13 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-11-27 01:31 - 2013-01-17 16:35 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Skype
2014-11-25 21:38 - 2009-07-13 20:34 - 00000215 _____ () C:\Windows\system.ini
2014-11-25 21:37 - 2013-12-16 18:10 - 00000000 ____D () C:\Program Files (x86)\BookingBuilder
2014-11-25 16:48 - 2013-01-16 12:06 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-11-24 04:31 - 2013-01-16 06:12 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-11-18 00:59 - 2013-09-23 07:46 - 00003878 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1837425897-1178459677-791267422-1000UA
2014-11-18 00:59 - 2013-09-23 07:46 - 00003482 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1837425897-1178459677-791267422-1000Core
2014-11-18 00:59 - 2013-09-23 07:46 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837425897-1178459677-791267422-1000UA.job
2014-11-14 05:53 - 2013-01-16 06:00 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-14 05:53 - 2013-01-16 06:00 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-13 16:44 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\rescache
2014-11-13 15:36 - 2009-07-13 22:45 - 05098560 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-13 15:35 - 2014-05-13 12:58 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-13 00:09 - 2013-07-18 15:02 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-13 00:07 - 2013-01-16 06:18 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-12 01:57 - 2013-12-16 18:10 - 00000000 ____D () C:\Users\Chris\AppData\Local\Booksmart
2014-11-12 00:25 - 2009-07-13 21:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-11-11 23:40 - 2013-01-22 05:06 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-11-11 23:40 - 2013-01-22 05:06 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Dropbox
2014-11-11 16:02 - 2013-01-22 05:08 - 00000000 ___RD () C:\Users\Chris\Dropbox
2014-11-11 15:56 - 2014-05-13 12:56 - 00000000 ____D () C:\Users\Chris\Documents\Recon
2014-11-11 15:56 - 2014-02-07 12:26 - 00000000 ____D () C:\Users\Chris\Documents\TTS Business Card
2014-11-11 15:55 - 2014-06-15 15:59 - 00000000 ____D () C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_75C
2014-11-11 15:55 - 2014-05-28 12:16 - 00000000 ____D () C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_2F8E
2014-11-11 15:55 - 2014-05-20 15:18 - 00000000 ____D () C:\Users\Chris\AppData\Local\Skype
2014-11-11 15:55 - 2014-05-01 22:49 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat
2014-11-11 15:55 - 2014-01-07 12:57 - 00000000 ___SD () C:\Users\Chris\Documents\My Data Sources
2014-11-11 15:55 - 2013-12-31 22:25 - 00000000 ____D () C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_31FB
2014-11-11 15:55 - 2013-12-11 18:13 - 00000000 ____D () C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_A2E
2014-11-11 15:55 - 2013-12-03 14:14 - 00000000 ____D () C:\Users\Chris\Desktop\Acrobat Professional XI Student and Teacher Edition (Download)
2014-11-11 15:55 - 2013-12-01 21:12 - 00000000 ____D () C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_213
2014-11-11 15:55 - 2013-11-16 20:56 - 00000000 ____D () C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_2D18
2014-11-11 15:55 - 2013-11-16 17:56 - 00000000 ____D () C:\Users\Chris\AppData\OICE_15_974FA576_32C1D314_86E
2014-11-11 15:55 - 2013-05-23 17:08 - 00000000 ____D () C:\Users\Chris\Documents\Clients
2014-11-11 15:55 - 2013-04-12 08:15 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\DAEMON Tools Lite
2014-11-11 15:55 - 2013-01-22 21:14 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Mozilla
2014-11-11 15:55 - 2013-01-22 21:14 - 00000000 ____D () C:\Users\Chris\AppData\Local\Mozilla
2014-11-11 15:55 - 2013-01-16 07:08 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2014-11-11 15:55 - 2013-01-16 06:53 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Adobe
2014-11-11 15:55 - 2013-01-16 06:10 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Apple Computer
2014-11-11 15:49 - 2013-01-16 11:40 - 00000000 ____D () C:\Users\Chris\AppData\Local\Apple
2014-11-11 15:49 - 2013-01-16 06:10 - 00000000 ____D () C:\Users\Chris\AppData\Local\Apple Computer
2014-11-11 15:49 - 2013-01-16 06:00 - 00000000 ____D () C:\Users\Chris\AppData\Local\Google

Some content of TEMP:
====================
C:\Users\Chris\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp1rw_qb.dll
C:\Users\Chris\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqox9n9.dll
C:\Users\Chris\AppData\Local\Temp\JNISupport3884732490530933388.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-27 21:10

==================== End Of Log ============================
Attached Files: Addition.txt (35.4 KB)
challett is offline  
Old 12-01-2014, 01:44 AM   #14
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7



Also the file was submitted as requested.
challett is offline  
Old 12-01-2014, 07:08 AM   #15
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Chris. Glad you got Sabre sorted. Any luck with Skype?

Thanks for submitting the file.

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    HKLM-x32\...\Run: [] => [X]
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-1837425897-1178459677-791267422-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    2014-11-11 16:15 - 2014-11-11 16:15 - 00004194 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT
    2014-11-11 16:15 - 2014-11-11 16:15 - 00004194 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
    2014-11-11 16:15 - 2014-11-11 16:15 - 00000268 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL
    2014-11-11 16:15 - 2014-11-11 16:15 - 00000268 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
    2014-11-11 15:56 - 2014-11-11 15:56 - 00004194 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT
    2014-11-11 15:56 - 2014-11-11 15:56 - 00000268 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.URL
    2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
    2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.TXT
    2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.TXT
    2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.URL
    2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.URL
    2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.URL
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
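The Addition log posted above and the fixlist in this reply share one fixed layout: every file or folder line is "created - modified - size attrs (company) path", and a fixlist is the literal log lines wrapped in start / end, optionally with EmptyTemp:. The script below is an added example for triaging such a log; it is not part of FRST and not the thread's own tooling. It parses a constructed handful of lines in the log's own layout, flags the DECRYPT_INSTRUCTION.TXT/.URL ransom notes, brackets the time window in which they were dropped (which is what an analyst uses to date the encryption run), and emits the matching fixlist. The function names, the Entry class and the sample lines are this example's own assumptions.

```python
"""Triage the 'One Month Created Files and Folders' section of an FRST log.

Added example, not part of FRST or this thread's tooling: parse the per-file
lines, flag ransom-note artifacts, bracket the window in which they were
dropped, and emit a fixlist in the start / entries / EmptyTemp: / end layout.
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One FRST file/folder line: created - modified - size attrs (company) path
_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Note names seen in this thread: Cryptowall leaves one .TXT and one .URL copy
# in each folder it touches. Other families use other names; extending the
# alternation is left to the reader (assumption, not shown on the page).
RANSOM_NOTE_RE = re.compile(r"^DECRYPT_INSTRUCTION\.(TXT|URL)$", re.IGNORECASE)

# Constructed sample lines in the log's own layout (not the thread's full log).
SAMPLE_LOG = r"""
2014-11-25 16:36 - 2014-11-25 16:36 - 01021888 _____ (Symantec Corporation) C:\Users\Chris\Downloads\NortonNAVDownloader.exe
2014-11-19 16:30 - 2014-11-10 21:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-11 16:15 - 2014-11-11 16:15 - 00004194 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-11 16:15 - 2014-11-11 16:15 - 00000268 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
2014-11-11 15:56 - 2014-11-11 15:56 - 00004194 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.URL
2014-11-11 15:47 - 2014-11-11 15:47 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
""".strip()


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str      # FRST attribute flags, e.g. ____D for a directory
    company: str    # publisher from the version resource; empty for "()"
    path: str
    raw: str        # the original log line, reused verbatim in a fixlist

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return ntpath.basename(self.path)


def parse_frst_entries(text: str) -> List[Entry]:
    """Parse every file/folder line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=int(m["size"]),
            attrs=m["attrs"],
            company=m["company"],
            path=m["path"],
            raw=line.strip(),
        ))
    return entries


def find_ransom_notes(entries: List[Entry], pattern=RANSOM_NOTE_RE) -> List[Entry]:
    """Files (not folders) whose name matches the ransom-note pattern."""
    return [e for e in entries if not e.is_dir and pattern.match(e.name)]


def note_time_window(notes: List[Entry]) -> Optional[Tuple[datetime, datetime]]:
    """Earliest and latest note creation time. The malware writes a note into
    each folder as it processes it, so this brackets the encryption run."""
    if not notes:
        return None
    times = [e.created for e in notes]
    return min(times), max(times)


def build_fixlist(entries: List[Entry], empty_temp: bool = True) -> str:
    """FRST fixlist for the given entries: FRST moves each listed item to its
    quarantine, and EmptyTemp: clears the temp folders, as in the thread."""
    lines = ["start"] + [e.raw for e in entries]
    if empty_temp:
        lines.append("EmptyTemp:")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    notes = find_ransom_notes(parse_frst_entries(SAMPLE_LOG))
    first, last = note_time_window(notes)
    print(f"{len(notes)} ransom notes dropped between {first} and {last}")
    print(build_fixlist(notes))
```

On the sample the notes span 15:55 to 16:15, the same twenty-minute spread visible in the real log above; files modified before that window were encrypted, and anything created after it is post-incident (the Norton install, the Windows updates). The generated fixlist only removes the note files, which is all the fixlist in this reply does for them too; it does not and cannot recover encrypted data.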
Old 12-01-2014, 06:49 PM   #16
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7



Hi chemist,

Still no luck with Skype. Log requested:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-12-2014
Ran by Chris at 2014-12-01 20:41:24 Run:1
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris & UpdatusUser (Available profiles: Chris & UpdatusUser)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1837425897-1178459677-791267422-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
2014-11-11 16:15 - 2014-11-11 16:15 - 00004194 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-11 16:15 - 2014-11-11 16:15 - 00004194 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-11-11 16:15 - 2014-11-11 16:15 - 00000268 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL
2014-11-11 16:15 - 2014-11-11 16:15 - 00000268 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
2014-11-11 15:56 - 2014-11-11 15:56 - 00004194 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:56 - 2014-11-11 15:56 - 00000268 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.URL
2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:55 - 2014-11-11 15:55 - 00004194 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-11-11 15:55 - 2014-11-11 15:55 - 00000268 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.URL
EmptyTemp:
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1837425897-1178459677-791267422-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Public\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Public\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.URL => Moved successfully.
EmptyTemp: => Removed 1.2 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====
challett is offline  
Old 12-01-2014, 07:18 PM   #17
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Chris.

Open Chrome and copy/paste the following into your Chrome browser address bar and press Enter:

chrome://settings/startup

Remove any reference to Conduit by clicking the X next to it.

Exit Chrome.

---------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
DeQuarantine::
C:\Qoobox\Quarantine\C\program files (x86)\BookingBuilder\BBLoader.EXE.vir

Quit::
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, DeQuarantine.txt, in your next reply.

Please re-enable your antivirus before posting the log.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
regedit " C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-BookingBuilder Loader.reg.dat"
del %0

Save this Notepad file as fix.bat, choose Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it and choose Yes to merge/add it to the registry.

Please tell me if it was successfully added to the registry.

-----------------------------------------------------
chemist is offline  
Old 12-02-2014, 04:57 AM   #18
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7



Hi chemist,

DeQuarantine Log:

C:\Qoobox\Quarantine\C\program files (x86)\BookingBuilder\BBLoader.EXE.vir -> C:\program files (x86)\BookingBuilder\BBLoader.EXE


No. The value was not successfully added to the registry. I'm attaching a photo of the error received.
Attached Thumbnails: error.JPG (34.5 KB)
challett is offline  
Old 12-02-2014, 06:38 AM   #19
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Chris. Sorry, there was a typo in my last instructions.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
regedit "C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-BookingBuilder Loader.reg.dat"
del %0

Save this Notepad file as fix.bat, choose Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it and choose Yes to merge/add it to the registry.

Please tell me if it was successfully added to the registry.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
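The fix.bat approach above merges a ComboFix registry backup with regedit and then relies on the user reporting back whether it worked; the first attempt failed only because of a stray space inside the quoted path. The following PowerShell script is an added example, not code from this thread or from ComboFix: it trims the path, checks the file exists, reads the key and value name out of the .reg.dat file itself (assumed here to be an ordinary REGEDIT4-style text file, which is what regedit accepts), merges it silently, and then confirms the value is actually present in the registry instead of trusting regedit's exit code. The key/value names are parsed, not assumed; run it from an elevated prompt because the target is under HKLM.

```powershell
# Added example (not from the thread or ComboFix). Merges a Qoobox registry backup
# and verifies the value afterwards. Requires an elevated PowerShell for HKLM keys.
param(
    # Default mirrors the path used in the thread; pass another backup file if needed.
    [string]$BackupPath = 'C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-BookingBuilder Loader.reg.dat'
)

# The failed attempt quoted " C:\Qoobox\..." with a leading space, which regedit treats
# as part of the file name. Trim() removes stray whitespace and Test-Path catches the rest.
$path = $BackupPath.Trim()
if ($path -ne $BackupPath) { Write-Warning "Removed stray whitespace from path: '$BackupPath'" }
if (-not (Test-Path -LiteralPath $path)) { throw "Backup file not found: $path" }

# Pull the key and first value name from the .reg text (assumed REGEDIT4 / "Windows Registry
# Editor" format: a [HKEY_...] section followed by "name"=data lines).
$key = $null; $valueName = $null
foreach ($line in Get-Content -LiteralPath $path) {
    if ($line -match '^\[(HKEY_[^\]]+)\]$') { $key = $Matches[1]; continue }
    if ($key -and $line -match '^"([^"]+)"=') { $valueName = $Matches[1]; break }
}
if (-not $key -or -not $valueName) { throw "Could not parse a key and value name from $path" }
Write-Host "Merging value '$valueName' into $key"

# /s imports without the Yes/No prompt. regedit's exit code is not a reliable success
# signal, so the result is checked by reading the registry afterwards.
Start-Process -FilePath 'regedit.exe' -ArgumentList @('/s', "`"$path`"") -Wait | Out-Null

# Map the .reg hive prefix onto the PowerShell registry provider and read the value back.
$psKey = $key -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\' -replace '^HKEY_CURRENT_USER\\', 'HKCU:\'
$item = Get-ItemProperty -LiteralPath $psKey -Name $valueName -ErrorAction SilentlyContinue
if ($item) {
    Write-Host "OK: '$valueName' is present under $key with data: $($item.$valueName)"
} else {
    Write-Warning "FAILED: '$valueName' was not found under $key after the merge"
}
```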
Old 12-02-2014, 10:06 AM   #20
Registered Member
 
Join Date: Oct 2004
Posts: 43
OS: Win 7



Hi chemist,

Worked fine this time.
challett is offline  