
dllhost.exe consuming all CPU, memory, etc...


  • This topic is locked
7 replies to this topic

#1 sewoodc


Posted 04 September 2014 - 06:15 AM

Pasting another post's description as it is the same as mine

OS: Windows 7 

 

Issue: My computer is infected with malware that presents itself as 'dllhost.exe'.  It's noted as a 'COM Surrogate' in task manager and there are some 2-3 dozen instances of it that are open.

 

I see others here have had the same issue and there are different fixes for each case.  Attached are my FRST and ADDITION files from an FRST run.

 

Any assistance would be incredibly appreciated. Thanks - Ed

 

Also, should I be performing any fixes you provide while I'm in Safe Mode?


Edited by hamluis, 04 September 2014 - 07:04 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.



#2 aharonov

  • Malware Response Team

Posted 04 September 2014 - 07:31 AM

Hello Ed,

it isn't necessary to run the fixes in safe mode, it works in normal mode just fine.


Please download Combofix (by sUBs) and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start Combofix.exe and follow its instructions.
  • Do not use the computer while the scan is running. This may cause the program to stall.
  • When finished, a log file will be displayed (that can also be found at C:\Combofix.txt).
    Please copy and paste the contents of this file into your next post.
Note: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." after the scan, just restart the computer.
(You can find more detailed instructions in this guide on using Combofix.)

#3 sewoodc


Posted 04 September 2014 - 08:19 PM

Thanks so much!!!

 

 

ComboFix 14-09-05.01 - Ed 09/04/2014  20:48:58.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6038.3479 [GMT -4:00]
Running from: c:\users\Ed\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\6426\AddOnDownloaded\17f1dc08-7438-4923-8b13-c44c0a4de941.dll
c:\programdata\PCDr\6426\AddOnDownloaded\31432802-7f43-4786-a8e0-71cd2588572a.dll
c:\programdata\PCDr\6426\AddOnDownloaded\7c5b1d75-4145-4f69-b184-a8fb559fd417.dll
c:\programdata\PCDr\6426\AddOnDownloaded\a05de01f-6d84-4008-82c8-44786a5ba980.dll
c:\programdata\PCDr\6426\AddOnDownloaded\d25002f9-4300-486b-80e9-bcb6abe38487.dll
c:\programdata\PCDr\6426\AddOnDownloaded\e5a96c3d-2e95-42ea-ad11-9e3f77fdabd4.dll
c:\programdata\PCDr\6426\AddOnDownloaded\fbd50850-4122-4fe3-a72e-fcbe58a0f196.dll
c:\programdata\Roaming
c:\users\Ed\wolaholowo.exe
.
.
CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.
You should verify if current CLSID data is correct: 
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
    (Default)    REG_SZ    Thumbnail Cache Class Factory for Out of Proc Server
    AppID    REG_SZ    {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32
    (Default)    REG_SZ    c:\windows\system32\thumbcache.dll
    ThreadingModel    REG_SZ    Apartment
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-05 to 2014-09-05  )))))))))))))))))))))))))))))))
.
.
2014-09-05 01:07 . 2014-09-05 01:07 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-09-05 01:07 . 2014-09-05 01:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-03 01:00 . 2014-09-04 11:00 -------- d-----w- C:\FRST
2014-08-17 22:17 . 2014-08-17 22:17 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-08-17 22:17 . 2014-08-17 22:17 -------- d-----w- c:\program files\iTunes
2014-08-17 22:17 . 2014-08-17 22:17 -------- d-----w- c:\program files (x86)\iTunes
2014-08-17 22:17 . 2014-08-17 22:17 -------- d-----w- c:\program files\iPod
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-04 11:12 . 2014-07-03 21:10 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-12 10:25 . 2010-06-24 16:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-07-24 18:33 . 2014-07-24 18:33 11336 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys
2014-07-24 18:32 . 2014-07-24 18:32 96592 ----a-w- c:\windows\system32\drivers\mfencrk.sys
2014-07-24 18:31 . 2014-07-24 18:31 444720 ----a-w- c:\windows\system32\drivers\mfencbdc.sys
2014-07-09 02:15 . 2012-11-10 22:33 699056 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-07-09 02:15 . 2011-09-20 06:49 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-06-20 14:38 . 2011-03-13 16:20 72128 ----a-w- c:\windows\system32\drivers\cfwids.sys
2014-06-20 14:31 . 2011-03-13 16:20 348552 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2014-06-20 14:30 . 2011-09-20 07:27 189912 ----a-w- c:\windows\system32\mfevtps.exe
2014-06-20 14:26 . 2011-03-13 16:20 786296 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2014-06-20 14:23 . 2011-03-13 16:20 523792 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2014-06-20 14:21 . 2011-03-13 16:20 313544 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2014-06-20 14:20 . 2011-03-13 16:20 181704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-11-13 3713032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-04-25 537992]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2012-02-01 968048]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2012-05-09 577536]
"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-07-31 43816]
"AirPort Base Station Agent"="c:\program files (x86)\AirPort\APAgent.exe" [2009-11-11 771360]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-04-25 537992]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-08-01 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 LinksysUpdater;Linksys Updater;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]
R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys;c:\windows\SYSNATIVE\drivers\intelaud.sys [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe;c:\progra~1\mcafee\msc\mcawfwk.exe [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys;c:\windows\SYSNATIVE\DRIVERS\mfencrk.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys;c:\windows\SYSNATIVE\DRIVERS\stdcfltn.sys [x]
S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [x]
S2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 McAPExe;McAfee AP Service;c:\program files\McAfee\MSC\McAPExe.exe;c:\program files\McAfee\MSC\McAPExe.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [x]
S2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\McAfee\AMCore\mcshield.exe;c:\program files\Common Files\McAfee\AMCore\mcshield.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys;c:\windows\SYSNATIVE\DRIVERS\Accelern.sys [x]
S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys;c:\windows\SYSNATIVE\DRIVERS\btmaux.sys [x]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys;c:\windows\SYSNATIVE\DRIVERS\btmhsf.sys [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
S3 cyhid;Cypress Input Device;c:\windows\system32\DRIVERS\cyhid.sys;c:\windows\SYSNATIVE\DRIVERS\cyhid.sys [x]
S3 cykbfltrService;Cypress Keyboard Filter Driver;c:\windows\system32\DRIVERS\cykbfltr.sys;c:\windows\SYSNATIVE\DRIVERS\cykbfltr.sys [x]
S3 cymfltrService;Cypress Trackpad Filter Driver;c:\windows\system32\DRIVERS\cymfltr.sys;c:\windows\SYSNATIVE\DRIVERS\cymfltr.sys [x]
S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys;c:\windows\SYSNATIVE\DRIVERS\iBtFltCoex.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys;c:\windows\SYSNATIVE\DRIVERS\iwdbus.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys;c:\windows\SYSNATIVE\DRIVERS\mfencbdc.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys;c:\windows\SYSNATIVE\DRIVERS\WDKMD.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-05 00:44 1096520 ----a-w- c:\program files (x86)\Google\Chrome\Application\37.0.2062.103\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-10 02:15]
.
2014-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-24 23:45]
.
2014-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cf29fce64a5793.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-24 23:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyCpIo"="c:\program files\Cypress\TrackPad\CyCpIo.exe" [2011-05-20 2352640]
"CyHidWin"="c:\program files\Cypress\TrackPad\CyHidWin.exe" [2011-05-26 2356224]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-05-26 7214696]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-05-17 2226280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-12 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-12 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-12 418840]
"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 686704]
"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2011-01-24 10355200]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-06-16 1935120]
"IntelTBRunOnce"="wscript.exe" [2013-10-12 168960]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2012-02-01 2195824]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.foxnews.com/
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: spottsfain.com
TCP: DhcpNameServer = 64.20.26.17 64.20.26.145 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-gemnoss - c:\users\Ed\AppData\Local\gemnoss.dll
Wow6432Node-HKCU-Run-wolaholowo - c:\users\Ed\wolaholowo.exe
Wow6432Node-HKLM-Run-Adobe Reader Speed Launcher - c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-04  21:10:04
ComboFix-quarantined-files.txt  2014-09-05 01:10
.
Pre-Run: 393,326,993,408 bytes free
Post-Run: 395,154,665,472 bytes free
.
- - End Of File - - DA44E59580B322FA0EBA339C1356E461


#4 aharonov


Posted 04 September 2014 - 08:28 PM

This worked well!
How is your computer running now? Are there any problems left?


Step 1

Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!



Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.


#5 sewoodc


Posted 04 September 2014 - 10:42 PM

Computer is running very well.  CPU, network and memory usages are no longer pegged!

 

Here are the results of the ESET scan.  As you can see, I had a battle with the CryptoWall ransomware in July.

 

 

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=2f5b0b7f32ca43499b6da1f9020ea733
# engine=20007
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-09-05 03:30:57
# local_time=2014-09-04 11:30:57 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 36305861 161431307 0 0
# scanned=187637
# found=306
# cleaned=0
# scan_time=4415
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft\Windows Media\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft\Windows Media\12.0\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft\Windows Media\12.0\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Hearts\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Hearts\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Mahjong Titans\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Mahjong Titans\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Minesweeper\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Minesweeper\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Solitaire\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Solitaire\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Spider Solitaire\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\Microsoft Games\Spider Solitaire\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\ProgramData\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\ProgramData\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\ProgramData\Linksys\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\ProgramData\Linksys\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\ProgramData\Linksys\Lela\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\ProgramData\Linksys\Lela\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\ProgramData\Linksys\Lela\Post\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Local\VirtualStore\ProgramData\Linksys\Lela\Post\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Adobe\Flash Player\AssetCache\TSTX74MM\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Adobe\Flash Player\AssetCache\TSTX74MM\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{577a605a-e0d2-4034-b712-b244b54281ff}\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{577a605a-e0d2-4034-b712-b244b54281ff}\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{6dedbe25-1baa-49d5-a314-3524143af6f7}\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{6dedbe25-1baa-49d5-a314-3524143af6f7}\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{7b508095-77ce-45ca-9125-3d0e12ee84c1}\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{7b508095-77ce-45ca-9125-3d0e12ee84c1}\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{A8014BE4-B7C1-4c10-AE9B-8B0E6981E9A3}\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{A8014BE4-B7C1-4c10-AE9B-8B0E6981E9A3}\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{A8014BE4-B7C1-4c10-AE9B-8B0E6981E9A3}\TileThumb\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{A8014BE4-B7C1-4c10-AE9B-8B0E6981E9A3}\TileThumb\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\0\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\0\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\1\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\1\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\10\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\10\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\11\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\11\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\12\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\12\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\13\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\13\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\14\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\14\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\15\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\15\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\16\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\16\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\17\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\17\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\2\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\2\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\3\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\3\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\4\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\4\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\5\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\5\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\6\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\6\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\7\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\7\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\8\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\8\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\9\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\Dell Stage\{E232F207-9E77-4f1f-9535-85C9C8522079}\Media\9\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\MusicStage\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\MusicStage\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\MusicStage\1_5_201_0\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Dell\MusicStage\1_5_201_0\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Intuit\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Intuit\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Intuit\Quicken\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Intuit\Quicken\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Intuit\Quicken\Log\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Intuit\Quicken\Log\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Malwarebytes\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Malwarebytes\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Microsoft\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Microsoft\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Microsoft\Windows Photo Viewer\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Microsoft\Windows Photo Viewer\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Skype\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Skype\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Skype\ed.woodcock\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Skype\ed.woodcock\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Skype\shared_dynco\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Skype\shared_dynco\DECRYPT_INSTRUCTION.URL"
sh=4C74959AB2B17F2033DB8906612820D02806B8AD ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Skype\shared_httpfe\DECRYPT_INSTRUCTION.TXT"
sh=74F50BB91B6ACDD3B71D300A2CB03708512FA0FC ft=0 fh=0000000000000000 vn="Win32/Filecoder.CR.Gen trojan" ac=I fn="C:\Users\Ed\AppData\Roaming\Skype\shared_httpfe\DECRYPT_INSTRUCTION.URL"


#6 sewoodc

Posted 04 September 2014 - 10:51 PM

Here's the FRST log.  Thanks again! - Ed

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-09-2014 02
Ran by Ed (administrator) on ED-PC on 04-09-2014 23:48:56
Running from C:\Users\Ed\Desktop
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
() C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
(Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Dell, Inc.) C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Cypress Semiconductor Corporation) C:\Program Files\Cypress\TrackPad\CyCpIo.exe
(Cypress Semiconductor, Inc.) C:\Program Files\Cypress\TrackPad\CyHidWin.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
() C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
() C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
(Apple Inc.) C:\Program Files (x86)\AirPort\APAgent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(McAfee, Inc.) C:\Program Files\mcafee\msm\McSmtFwk.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [CyCpIo] => C:\Program Files\Cypress\TrackPad\CyCpIo.exe [2352640 2011-05-20] (Cypress Semiconductor Corporation)
HKLM\...\Run: [CyHidWin] => C:\Program Files\Cypress\TrackPad\CyHidWin.exe [2356224 2011-05-25] (Cypress Semiconductor, Inc.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7214696 2011-05-25] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2226280 2011-05-17] (Realtek Semiconductor)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2010-12-17] ()
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM\...\Run: [IntelPAN] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1935120 2011-06-16] (Intel® Corporation)
HKLM\...\Run: [IntelTBRunOnce] => wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
HKLM\...\Run: [DellStage] => C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2195824 2012-02-01] ()
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [577536 2012-05-09] (Creative Technology Ltd)
HKLM-x32\...\Run: [nmctxth] => C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe [648488 2008-09-14] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM-x32\...\Run: [AirPort Base Station Agent] => C:\Program Files (x86)\AirPort\APAgent.exe [771360 2009-11-11] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-08-01] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
AppInit_DLLs: C:\Windows\System32\nvinitx.dll => C:\Windows\System32\nvinitx.dll [247144 2012-10-08] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [202600 2012-10-08] (NVIDIA Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - DefaultScope {EB437843-83E7-4848-99D9-9556E98B1C2B} URL = 
SearchScopes: HKCU - {EB437843-83E7-4848-99D9-9556E98B1C2B} URL = 
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: SSVHelper Class -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/121022/CTPID.cab
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\amd64\puresp4.dll (Cisco Systems, Inc.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
Handler-x32: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 64.20.26.17 64.20.26.145 192.168.1.1
 
FireFox:
========
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_37 -> C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2011-09-20]
 
Chrome: 
=======
CHR HomePage: Default -> D4B68B3863DAB4AC9715B60478ADA998EC5F74573A077AE506161D50C82D0ABD
CHR DefaultSearchKeyword: Default -> D5AE8F9603462DCA1D3CC330D32BF6D7526193E4024BD697C17881968D70749B
CHR DefaultSearchURL: Default -> F7971FCBDD4E9AB95C2CDF88E6F4953ADF7BD399707B3D57980C5051B5F3A628
CHR Plugin: (Shockwave Flash) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\PepperFlash\11.7.700.225\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.103\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.103\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U37) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Java Deployment Toolkit 6.0.370.6) - C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (McAfee SecurityCenter) - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Profile: C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-06-17]
CHR Extension: (Google Drive) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-06-17]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-29]
CHR Extension: (YouTube) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-06-17]
CHR Extension: (Google Search) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-06-17]
CHR Extension: (Google Wallet) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Gmail) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-06-17]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Bluetooth Device Monitor; C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [901184 2011-01-24] (Intel Corporation) [File not signed]
R3 Bluetooth Media Service; C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [1298496 2011-01-24] (Intel Corporation) [File not signed]
R2 Bluetooth OBEX Service; C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [991296 2011-01-24] (Intel Corporation) [File not signed]
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 LinksysUpdater; C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [204800 2008-06-26] () [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\mcafee\msc\McAWFwk.exe [224704 2011-03-08] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [603424 2014-06-12] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-07-24] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-06-16] ()
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
R3 cyhid; C:\Windows\System32\DRIVERS\cyhid.sys [108032 2011-06-07] (Windows ® Win 7 DDK provider)
R3 cykbfltrService; C:\Windows\System32\DRIVERS\cykbfltr.sys [11264 2011-05-25] (Cypress Semiconductor, Inc.)
R3 cymfltrService; C:\Windows\System32\DRIVERS\cymfltr.sys [70656 2011-05-22] (Cypress Semiconductor, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [444720 2014-07-24] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-07-24] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [284008 2012-10-08] (NVIDIA Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-04 23:48 - 2014-09-04 23:48 - 00024100 _____ () C:\Users\Ed\Desktop\FRST.txt
2014-09-04 23:46 - 2014-09-04 23:46 - 02104832 _____ (Farbar) C:\Users\Ed\Desktop\FRST64.exe
2014-09-04 22:14 - 2014-09-04 22:14 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-09-04 22:13 - 2014-09-04 22:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-09-04 22:10 - 2014-09-04 22:11 - 02347384 _____ (ESET) C:\Users\Ed\Desktop\esetsmartinstaller_enu.exe
2014-09-04 22:06 - 2014-09-04 22:06 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-09-04 21:31 - 2014-05-14 12:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-09-04 21:31 - 2014-05-14 12:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-09-04 21:31 - 2014-05-14 12:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2014-09-04 21:31 - 2014-05-14 12:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-09-04 21:31 - 2014-05-14 12:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-09-04 21:31 - 2014-05-14 12:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-09-04 21:31 - 2014-05-14 12:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2014-09-04 21:31 - 2014-05-14 12:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-09-04 21:31 - 2014-05-14 12:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-09-04 21:31 - 2014-05-14 12:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2014-09-04 21:31 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-09-04 21:31 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2014-09-04 21:31 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-09-04 21:31 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2014-09-04 21:10 - 2014-09-04 21:10 - 00024793 _____ () C:\ComboFix.txt
2014-09-04 20:46 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-09-04 20:46 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-09-04 20:46 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-09-04 20:46 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-09-04 20:46 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-09-04 20:46 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-09-04 20:46 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-09-04 20:46 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-09-04 20:39 - 2014-09-04 21:10 - 00000000 ____D () C:\Qoobox
2014-09-04 20:39 - 2014-09-04 21:08 - 00000000 ____D () C:\Windows\erdnt
2014-09-04 20:36 - 2014-09-04 20:37 - 05576440 ____R (Swearware) C:\Users\Ed\Desktop\ComboFix.exe
2014-09-03 06:10 - 2014-09-03 06:11 - 15438021 _____ (BabelSoft) C:\Users\Ed\Downloads\MediaPreviewSetup-1.4.3.429.sfx.exe
2014-09-02 22:24 - 2014-09-02 22:25 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Ed\Downloads\mbam-setup-2.0.2.1012.exe
2014-09-02 21:51 - 2014-09-02 21:51 - 01121208 _____ () C:\Users\Ed\Downloads\ProcessMonitor.zip
2014-09-02 21:00 - 2014-09-04 23:48 - 00000000 ____D () C:\FRST
2014-09-02 07:15 - 2014-09-02 07:15 - 00000000 ____D () C:\Users\Ed\Documents\ProcAlyzer Dumps
2014-09-02 07:14 - 2014-09-02 07:14 - 00000000 ____D () C:\Users\Ed\Documents\My Received Files
2014-09-01 22:19 - 2014-09-04 22:08 - 00000672 _____ () C:\Windows\setupact.log
2014-08-20 20:09 - 2014-08-20 20:20 - 00000000 ____D () C:\Users\Ed\Desktop\1507 Westover Hills Blvd
2014-08-19 21:32 - 2014-08-19 21:32 - 00073216 _____ () C:\Users\Ed\Documents\The Woodcock Family 2014 Update.xls
2014-08-19 21:32 - 2014-08-19 21:32 - 00072704 _____ () C:\Users\Ed\Documents\Woodcock Directory 2014.xls
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\Program Files\iTunes
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\Program Files\iPod
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-16 23:25 - 2014-08-16 23:25 - 00000003 _____ () C:\Users\Ed\nugsCount.txt
2014-08-16 16:00 - 2014-09-04 21:21 - 00007612 _____ () C:\Users\Ed\AppData\Local\Resmon.ResmonCfg
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-04 23:49 - 2014-09-04 23:48 - 00024100 _____ () C:\Users\Ed\Desktop\FRST.txt
2014-09-04 23:48 - 2014-09-02 21:00 - 00000000 ____D () C:\FRST
2014-09-04 23:46 - 2014-09-04 23:46 - 02104832 _____ (Farbar) C:\Users\Ed\Desktop\FRST64.exe
2014-09-04 23:44 - 2014-02-14 23:20 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf29fce64a5793.job
2014-09-04 23:15 - 2013-05-21 21:52 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-04 23:04 - 2014-07-03 17:10 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-04 22:52 - 2011-09-20 05:44 - 01472143 _____ () C:\Windows\WindowsUpdate.log
2014-09-04 22:16 - 2009-07-14 00:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-04 22:16 - 2009-07-14 00:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-04 22:14 - 2014-09-04 22:14 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-09-04 22:13 - 2014-09-04 22:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-09-04 22:11 - 2014-09-04 22:10 - 02347384 _____ (ESET) C:\Users\Ed\Desktop\esetsmartinstaller_enu.exe
2014-09-04 22:09 - 2012-10-24 19:45 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-04 22:09 - 2011-09-20 03:20 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-09-04 22:09 - 2011-09-20 03:20 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-09-04 22:09 - 2011-09-20 03:12 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-09-04 22:08 - 2014-09-01 22:19 - 00000672 _____ () C:\Windows\setupact.log
2014-09-04 22:08 - 2011-09-20 02:45 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-09-04 22:08 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-04 22:06 - 2014-09-04 22:06 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-09-04 21:32 - 2012-11-03 09:52 - 00003902 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{B61C5F07-F926-4007-922A-45C3CC40A7BA}
2014-09-04 21:29 - 2009-07-14 01:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-04 21:22 - 2010-11-20 23:47 - 00279806 _____ () C:\Windows\PFRO.log
2014-09-04 21:21 - 2014-08-16 16:00 - 00007612 _____ () C:\Users\Ed\AppData\Local\Resmon.ResmonCfg
2014-09-04 21:10 - 2014-09-04 21:10 - 00024793 _____ () C:\ComboFix.txt
2014-09-04 21:10 - 2014-09-04 20:39 - 00000000 ____D () C:\Qoobox
2014-09-04 21:10 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-09-04 21:08 - 2014-09-04 20:39 - 00000000 ____D () C:\Windows\erdnt
2014-09-04 21:08 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-09-04 20:37 - 2014-09-04 20:36 - 05576440 ____R (Swearware) C:\Users\Ed\Desktop\ComboFix.exe
2014-09-03 06:11 - 2014-09-03 06:10 - 15438021 _____ (BabelSoft) C:\Users\Ed\Downloads\MediaPreviewSetup-1.4.3.429.sfx.exe
2014-09-03 05:34 - 2011-09-20 03:27 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-09-03 05:33 - 2014-07-15 20:21 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\Rokoel
2014-09-02 22:28 - 2014-07-03 16:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-02 22:28 - 2014-07-03 16:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-02 22:28 - 2012-11-03 10:48 - 00001108 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-02 22:25 - 2014-09-02 22:24 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Ed\Downloads\mbam-setup-2.0.2.1012.exe
2014-09-02 21:51 - 2014-09-02 21:51 - 01121208 _____ () C:\Users\Ed\Downloads\ProcessMonitor.zip
2014-09-02 19:15 - 2014-06-14 12:58 - 00000000 ____D () C:\Users\Ed\Desktop\Wedding
2014-09-02 19:13 - 2011-09-20 03:27 - 00000000 ____D () C:\Program Files\Common Files\mcafee
2014-09-02 19:02 - 2009-07-14 01:08 - 00032578 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-09-02 07:15 - 2014-09-02 07:15 - 00000000 ____D () C:\Users\Ed\Documents\ProcAlyzer Dumps
2014-09-02 07:15 - 2012-11-03 10:17 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-09-02 07:14 - 2014-09-02 07:14 - 00000000 ____D () C:\Users\Ed\Documents\My Received Files
2014-09-01 22:17 - 2014-07-18 16:23 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-09-01 19:25 - 2013-05-22 19:48 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2014-08-27 20:45 - 2014-06-14 12:53 - 00028672 _____ () C:\Users\Ed\Documents\Mileage Summary.xls
2014-08-20 21:17 - 2014-06-14 12:52 - 00000000 ____D () C:\Users\Ed\Documents\Tax and Salary information
2014-08-20 20:20 - 2014-08-20 20:09 - 00000000 ____D () C:\Users\Ed\Desktop\1507 Westover Hills Blvd
2014-08-19 21:32 - 2014-08-19 21:32 - 00073216 _____ () C:\Users\Ed\Documents\The Woodcock Family 2014 Update.xls
2014-08-19 21:32 - 2014-08-19 21:32 - 00072704 _____ () C:\Users\Ed\Documents\Woodcock Directory 2014.xls
2014-08-17 19:09 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\Program Files\iTunes
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\Program Files\iPod
2014-08-17 18:17 - 2014-08-17 18:17 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-08-17 18:17 - 2012-12-09 09:22 - 00001785 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-08-17 00:39 - 2011-09-20 03:32 - 00000000 ____D () C:\ProgramData\Sonic
2014-08-16 23:25 - 2014-08-16 23:25 - 00000003 _____ () C:\Users\Ed\nugsCount.txt
2014-08-16 23:25 - 2012-10-23 19:39 - 00000000 ____D () C:\Users\Ed
2014-08-16 17:14 - 2009-07-13 23:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-08-16 17:12 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-08-16 15:34 - 2013-07-29 18:21 - 00000000 ____D () C:\Windows\Minidump
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-08-17 19:02
 
==================== End Of Log ============================


#7 aharonov


Posted 05 September 2014 - 05:12 AM

Very good. ESET hasn't found anything important apart from those Cryptowall remnants.
I'll provide you with a FRST fix to remove all those DECRYPT_INSTRUCTION files at once, as I assume that this is not something you want to be reminded of all the time.


Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:
  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Rename Combofix.exe to Uninstall.exe and execute it with a double click. (Beware that file extensions might be hidden, so don't add a double extension such as Uninstall.exe.exe.)
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.


Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:

Java™ 6 Update 24 (64-bit)
Java™ 6 Update 3
Java™ 6 Update 37




Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.

#8 aharonov


Posted 19 September 2014 - 02:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



